November 12, 2021 | Reading time 10 minutes

Social Engineering: Definition, Types, Detection & Prevention

What is social engineering?

Social engineering is a manipulative technique used by criminals to elicit specific actions in their victims. These actions usually include revealing sensitive data or giving access to protected systems.

Social engineering is seldom a stand-alone operation. It is usually a step in various fraud schemes. This technique is especially efficient in cyberattacks.

Types of social engineering attacks

By location:

  • Online
  • Offline

By target action:

  • Data theft

Criminals pretend to be a trustworthy organization such as a bank. They use the gathered information for immediate gain (e.g., money from a bank account) or reuse it in other types of social engineering.

  • Malware infection

Victims are tricked into downloading malware or visiting websites that use drive-by-download technology, where the malware is downloaded automatically without the user’s consent. Another method involves persuading victims to connect removable hardware to their information system, which can lead to malware infiltration. The goals of malware infection may include access acquisition and data theft.

  • Access gain

Criminals manipulate people into giving access to their cloud workspaces. That is how ransomcloud infects Google Drive.

By communication medium:

  1. Phishing is carried out via email.
  2. Vishing uses the telephone or, in some cases, video conferencing.
  3. Smishing also uses telephones, but instead of voice communication, it sends text messages (SMS).
  4. Water holing (watering hole attacks) uses websites frequently visited by the intended users. These websites, such as social networks, forums, popular blogs, or trusted online media, are used to distribute malware links.

By the message customization:

  • General phishing has a general message that can be applicable to many people (e.g., a letter from a bank or Microsoft).
  • Spear phishing is much more customized. It requires personal data about the victim, such as their title, company name, boss’ name, etc. Good examples of spear phishing are an email purporting to come from the Accounting or HR department, or CEO fraud.

How social engineering works

Social engineers use some prominent psychological traits and peculiarities to attain their goals.

  1. Perception

Human perception doesn’t operate at full capacity all the time, especially when we are emotionally unbalanced or busy with some important task.

For example, our brain doesn’t read letter-by-letter but rather perceives a word on the whole. This fact makes it easy for criminals to forge senders in an email:

christopher@gmail.com vs. chirstopher@gmail.com vs. chrlstopher@gmail.com

  2. Emotion

When overwhelmed with feelings, humans find it hard to apply reasonable thinking. Cybercriminals’ messages often target powerful emotions to lower the victim’s guard:

  • A letter from “boss” demanding information ASAP:
    • Sense of urgency
    • Fear
  • An email promising a reward:
    • Greed
    • Despair
    • Sense of entitlement
  • A request from “HR” to fill out the form:
    • Social emotions
    • Fear of missing out
    • Interest

  3. Cognition

First, humans make cognitive mistakes all the time. Here are some basic examples that criminals exploit:

  • Trust in authorities like the government, international organizations, popular web platforms, or the company.
  • Trust in people on social media (“Joe is my colleague’s friend, so I can trust him”)
  • The false sense of security (“It never happened to me or anyone I know; therefore it won’t happen”)
  • Reciprocity (“Peter treated me so nicely, I can trust him”)

Second, most people lack knowledge about social engineering and its means.

  4. Volition

Even though many people know about social engineering and cybercrime, they often lack the will to follow security requirements. For example, people don’t check the sender of the message or the link in the email.

Detecting social engineering attacks

  1. Check sender:
    • Look for spelling mistakes in the sender’s name (e.g., George vs. Goerge).
    • Check the domain name of the sender’s email address (e.g., microsoft.com vs. micirosoft.com).
    • Compare “from:” and “reply-to:” sections. Do they contain the same sender addresses?
  2. Check recipients. Too many recipients in CC signal that it’s spam and probably a scam.
  3. Check content for the following red flags:
    • Multiple grammar mistakes.
    • Impersonal greetings (Dear Client, Madam, etc.).
    • A request for PII (personally identifiable information).
    • The presence of attachments you weren’t expecting.
    • The links with suspicious addresses.
    • The emotional tone of an email.
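The sender, recipient and content checks above, together with the forged-sender example from the Perception section, as an added example that is not code from the original article: a small Python triage script run over a raw email. The trusted-domain allowlist, the known-sender names, the red-flag regexes and the sample message are all constructed assumptions, not values from the page.

```python
import email
import re
from email.utils import getaddresses, parseaddr

TRUSTED_DOMAINS = {"microsoft.com", "example-bank.com"}  # constructed allowlist of legitimate domains
KNOWN_SENDERS = {"george", "christopher"}  # constructed set of first names the recipient corresponds with
RED_FLAGS = {  # constructed regexes for the content red flags in the checklist above
    "impersonal greeting": r"^\s*dear (client|customer|user|sir|madam)\b",
    "request for PII": r"\b(password|social security|ssn|credit card|date of birth)\b",
    "emotional or urgent tone": r"\b(urgent(ly)?|immediately|asap|suspended|final notice)\b"}

def normalize(s: str) -> str:
    """Fold look-alike glyphs (l, 1, | -> i; 0 -> o; rn -> m) so 'chrlstopher' collapses onto 'christopher'."""
    return s.lower().replace("rn", "m").translate(str.maketrans("l1|0", "iiio"))

def looks_like(candidate: str, known: str) -> bool:
    """True if candidate differs from known only by a look-alike glyph, an adjacent swap, or one extra char."""
    a, b = normalize(candidate), normalize(known)
    if candidate.lower() == known.lower():
        return False  # an exact match is the legitimate sender, not an impostor
    if len(a) != len(b):  # one inserted character, e.g. micirosoft.com vs microsoft.com
        long, short = max(a, b, key=len), min(a, b, key=len)
        return len(long) == len(short) + 1 and any(long[:i] + long[i + 1:] == short for i in range(len(long)))
    d = [i for i in range(len(a)) if a[i] != b[i]]  # empty -> homoglyph only; two neighbours -> transposition
    return not d or (len(d) == 2 and d[1] == d[0] + 1 and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])

def analyze(raw_message: str, cc_limit: int = 10) -> list:
    """Run the sender, recipient and content checks over one RFC 822 message; returns readable findings."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain, first = addr.rpartition("@")[2], (name.split() or [""])[0]
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    body = msg.get_payload() if not msg.is_multipart() else ""  # assumption: single-part plain-text body
    findings = [f"sender name '{name}' resembles known sender '{k}'" for k in KNOWN_SENDERS if looks_like(first, k)]
    findings += [f"sender domain '{domain}' resembles trusted '{d}'" for d in TRUSTED_DOMAINS if looks_like(domain, d)]
    if reply and reply.lower() != addr.lower():
        findings.append(f"Reply-To '{reply}' differs from From '{addr}'")
    if len(getaddresses(msg.get_all("Cc", []))) > cc_limit:
        findings.append("too many CC recipients")
    findings += [label for label, pat in RED_FLAGS.items() if re.search(pat, body, re.I | re.M)]
    findings += [f"suspicious link host '{h}'" for h in re.findall(r"https?://([^/\s>]+)", body)
                 if re.fullmatch(r"[\d.]+", h) or any(looks_like(h, d) for d in TRUSTED_DOMAINS)]
    return findings

# Constructed sample message that trips several checks at once; run analyze(SAMPLE) to list them.
SAMPLE = """From: Goerge Smith <george@micirosoft.com>
Reply-To: billing@mailbox.example
Subject: Urgent: verify your account

Dear Client, your account will be suspended. Confirm your password at http://micr0soft.com/verify immediately.
"""
```

The script is a first-pass filter, not a verdict: it surfaces the checklist items for a human to review, and a legitimate message from a known sender with no flags returns an empty list.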


How to prevent social engineering attacks and handle the consequences

  1. Plan and conduct a regular training course for your employees, or acquire one from a third-party provider.
  2. Use spam filters to decrease the number of scam emails.
  3. Apply multi-factor authentication to prevent criminals from accessing your email.
  4. Create an action plan your employees can use in case of a successful phishing attack.
  5. Purchase antimalware software that protects your digital ecosystem from the most common types of malware.

Frequently Asked Questions

What are examples of social engineering?

Social engineering attacks proliferated during the COVID-19 pandemic. For instance, criminals distributed COVID-related lures to a worried audience. In common cases, “insurance operators” or “vaccination centers” reached out to their victims with “urgent” messages and then tricked them into disclosing sensitive personal data, clicking a malicious link, or opening a malicious attachment. Attackers know their victims are under strong social pressure and a sense of fear, so they are unlikely to scrutinize the message before sharing data, clicking links, or downloading attachments.

What are some of the types of social engineering?

The most common types of social engineering attacks include:

  1. Phishing (relying on spoofed or impersonated email addresses when the attackers trick users into thinking a message is from someone they either know or trust.)
  2. Vishing and smishing (using text messages and voice-modifying software to send messages promising “gifts” in exchange for payment.)
  3. CEO fraud (tricking the victim into believing an email comes from their CEO or another manager to create a pressing need to carry out specific tasks.)
  4. Piggybacking (using popular figures such as stars, actors, and even popular shows and series in social engineering lures.)
  5. Baiting and quid pro quo (using a false promise to invoke a sense of greed and curiosity.)

How does social engineering work?

Social engineering is built around psychological manipulation to deceive the victim. To this end, it relies on several psychological techniques in its lures. First, criminals often exploit the weakness of human perception when a potential victim is emotionally unbalanced or busy with some important task. Second, social engineering exploits human feelings by sending emails that instill a sense of panic, fear, or urgency, making it hard for victims to apply reasonable thinking. Third, attackers exploit human cognitive mistakes, such as trust in government or influencers, a false sense of security, reciprocity, etc. Finally, criminals often rely on their victim’s lack of volition: people don’t check the sender of the message or the link in the email, even though they know about social engineering and cybercrime. All these weaknesses help social engineering attackers obtain sensitive data or gain access to protected systems.

About Author

Davit Asatryan is the Vice President of Product at Spin.AI