What is social engineering? A definition + techniques to watch for
July 26, 2021
Most cybercriminals are master manipulators, but that doesn’t mean they’re all manipulators of technology — some cybercriminals favor the art of human manipulation.
In other words, they favor social engineering, meaning exploiting human errors and behaviors to conduct a cyberattack. For a simple example, a cybercriminal might impersonate an IT professional and request your login information to patch up a security flaw on your device. If you provide the information, you’ve just handed a malicious individual the keys to your account, and they didn’t even have to go to the trouble of hacking your email or computer to do it.
As with most cyber threats, social engineering comes in many forms, and those forms are ever-evolving. Here, we’re overviewing what social engineering looks like today, attack types to know, and red flags to watch for so you don’t become a victim.
Social engineering defined
Social engineering is the art of manipulating someone to divulge sensitive or confidential information, usually through digital communication, that can be used for fraudulent purposes.
Unlike traditional cyberattacks that rely on security vulnerabilities to gain unauthorized access to devices or networks, social engineering techniques target human vulnerabilities. For this reason, it’s also considered human hacking.
Cybercriminals who conduct social engineering attacks are called social engineers, and they’re usually operating with two goals in mind: to wreak havoc and/or obtain valuables like important information or money.
How social engineering works
Like most types of manipulation, social engineering is built on trust first — false trust, that is — and persuasion second. Generally, there are four steps to a successful social engineering attack:
- Preparation: The social engineer gathers information about their victims, including where they can access them, such as on social media, email, text message, etc.
- Infiltration: The social engineer approaches their victims, usually impersonating a trustworthy source and using the information gathered about the victim to validate themselves.
- Exploitation: The social engineer uses persuasion to request information from their victim, such as account logins, payment methods, contact information, etc., that they can use to commit their cyberattack.
- Disengagement: The social engineer stops communication with their victim, commits their attack, and swiftly departs.
Depending on the social engineering attack type, these steps could span a matter of hours to a matter of months. No matter the time frame, knowing the signs of a social engineering attack can help you spot — and stop — one fast.
Signs of a social engineering attack
Social engineering can happen everywhere, online and offline. And unlike traditional cyberattacks, whereby cybercriminals are stealthy and want to go unnoticed, social engineers are often communicating with us in plain sight. Consider these common social engineering tactics, any one of which might be right under your nose.
Your “friend” sends you a strange message
Social engineers can pose as trusted individuals in your life, including a friend, boss, coworker, even a banking institution, and send you conspicuous messages containing malicious links or downloads. Just remember, you know your friends best — and if they send you something unusual, ask them about it.
Your emotions are heightened
The more irritable we are, the more likely we are to let our guard down. Social engineers are great at stirring up emotions like fear, excitement, curiosity, anger, guilt, or sadness. In your online interactions, consider the cause of these emotional triggers before acting on them.
The request is urgent
Social engineers don’t want you to think twice about their tactics. That’s why many social engineering attacks involve some type of urgency, such as a sweepstake you have to enter now or cybersecurity software you need to download to wipe a virus off of your computer.
The offer feels too good to be true
Ever receive news that you didn’t ask for? Even good news like, say, winning the lottery or a free cruise? Chances are that if the offer seems too good to be true, it’s just that — and potentially a social engineering attack.
You’re receiving help you didn’t ask for
Social engineers might reach out under the guise of a company providing help for a problem you have, similar to a tech support scam. And considering you might not be an expert in their line of work, you might believe they’re who they say they are and provide them access to your device or accounts.
The sender can’t prove their identity
If you raise any suspicions with a potential social engineer and they’re unable to prove their identity — perhaps they won’t do a video call with you, for instance — chances are they’re not to be trusted.
10 social engineering attack types + examples
Almost all cyberattacks have some form of social engineering involved. And most social engineering techniques also involve malware, meaning malicious software that wreaks havoc on our devices without our knowledge and potentially monitors our activity.
Pore over these common forms of social engineering, some involving malware, as well as real-world examples and scenarios for further context.
1. Scareware
As the name indicates, scareware is malware that’s meant to scare you into taking action — and taking action fast. It often comes in the form of pop-ups or emails indicating you need to “act now” to get rid of viruses or malware on your device. In reality, if you act, you might be downloading a computer virus or malware.
Scareware example
Turns out it’s not only single-acting cybercriminals who leverage scareware. In 2019, an office supplier and tech support company teamed up to commit scareware acts. The office supplier required its employees to run a rigged PC test on customers’ devices that would encourage customers to purchase unneeded repair services. Ultimately, the Federal Trade Commission ordered the supplier and tech support company to pay a $35 million settlement.
2. Email hacking and contact spamming
It’s in our nature to pay attention to messages from people we know. And social engineers know this all too well, commandeering email accounts and spamming contact lists with phishing scams and messages.
Email hacking and contact spamming example
If your friend sent you an email with the subject, “Check out this site I found, it’s totally cool,” you might not think twice before opening it. By taking over someone’s email account, a social engineer can make those on the contact list believe they’re receiving emails from someone they know. The primary objectives include spreading malware and tricking people out of their personal data.
3. Access tailgating
Also known as piggybacking, access tailgating is when a social engineer physically trails or follows an authorized individual into an area they do not have access to. This can be as simple an act as holding a door open for someone else. Once inside, they have free rein to access devices containing important information.
Access tailgating example
If someone is trailing behind you with their hands full of heavy boxes, you’d hold the door for them, right? In reality, you might have a social engineer on your hands. Your act of kindness is granting them access to a restricted area where they can potentially tap into private devices and networks.
4. Phishing
Phishing is a well-known way to grab information from an unwitting victim. How it typically works: A cybercriminal, or phisher, sends a target a message asking for some type of information or action that might help with a more significant crime. The ask can be as simple as encouraging you to download an attachment or verifying your mailing address.
It’s worth noting that there are many forms of phishing that social engineers choose from, all with different means of targeting. Spam phishing often takes the form of one big email sweep, not necessarily targeting a single user. Spear phishing targets individual users, perhaps by impersonating a trusted contact. Whaling targets celebrities or high-level executives.
Phishing also comes in a few different delivery forms:
- Vishing, meaning voice phishing, is when your phone call might be recorded, including information you input on PIN pads.
- Smishing, meaning SMS phishing, uses texts containing malicious links.
- Email phishing is among the most traditional phishing methods, meaning phishing by email, oftentimes by delivering a malicious link or a download.
- Angler phishing is when a cybercriminal impersonates a customer service person to intercept your communications and private messages.
- URL phishing is a falsified link you receive that contains malware.
- In-session phishing occurs when you’re already on a platform or account and are asked, for instance, to log in again.
- Fax-based phishing often occurs as a fake email from a trusted institution requesting that you print off the message and fax back your sensitive information.
Phishing example
A social engineer might pose as a banking institution, for instance, asking email recipients to click on a link to log in to their accounts. Those who click on the link, though, are taken to a fake website that, like the email, appears to be legitimate. If they log in at that fake site, they’re essentially handing over their login credentials and giving the cybercriminal access to their bank accounts.
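The red flags from this article (a sender that is not who it claims to be, urgency, too-good-to-be-true offers, and a link that leads somewhere other than the institution's site) can be checked mechanically on a message like the bank email above. This is an added example, not part of the original article; the function names, phrase lists, flag labels, and the `examplebank.example` and `attacker.test` domains are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed phrase lists and a constructed sample claiming to be examplebank.example.
PHRASES = {"urgency": r"\b(act now|urgent|immediately)\b",
           "too-good-to-be-true": r"\b(you have won|lottery|free cruise)\b"}
SAMPLE = """From: "Example Bank" <security@examplebank-alerts.example>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Act now to keep your account open.</p>
<a href="http://login.examplebank.example.attacker.test/">www.examplebank.example</a>
"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a href>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)

def red_flags(raw_message, claimed_domain):
    """Return the sorted red flags found in one single-part HTML e-mail."""
    msg = message_from_string(raw_message)
    body, flags, links = msg.get_payload(), set(), LinkCollector()
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not in_domain(sender_host, claimed_domain):
        flags.add("sender-domain-mismatch")
    for flag, pattern in PHRASES.items():
        if re.search(pattern, msg.get("Subject", "") + " " + body, re.I):
            flags.add(flag)
    links.feed(body)
    for href, shown in links.links:
        if not in_domain(host(href), claimed_domain):
            flags.add("link-leaves-claimed-domain")
        # Visible text that looks like a hostname but differs from the real target.
        if "." in shown and " " not in shown and host(shown) != host(href):
            flags.add("link-text-mismatch")
    return sorted(flags)
```

Calling `red_flags(SAMPLE, "examplebank.example")` reports four flags for the constructed message; a message sent from the institution's own domain with links that stay on it reports none.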
5. DNS spoofing
Also known as cache poisoning, DNS spoofing is when a browser is manipulated so that online users are redirected to malicious websites bent on stealing sensitive information. In other words, DNS spoofing is when your cache is poisoned with these malicious redirects.
DNS spoofing example
In 2018, a cloud computing company and its customers were victims of a DNS spoofing attack that resulted in around $17 million of cryptocurrency being stolen from victims. Cybercriminals rerouted people trying to log into their cryptocurrency accounts to a fake website that gathered their credentials to the cryptocurrency site and ultimately drained their accounts.
6. Baiting
Baiting is built on the premise of someone taking the bait, meaning dangling something desirable in front of a victim, and hoping they’ll bite. This occurs most often on peer-to-peer sites like social media, whereby someone might encourage you to download a video or music, just to discover it’s infected with malware — and now, so is your device.
Baiting example
For a physical example of baiting, a social engineer might leave a USB stick, loaded with malware, in a public place where targets will see it such as in a cafe or bathroom. In addition, the criminal might label the device in a compelling way — “confidential” or “bonuses.” A target who takes the bait will pick up the device and plug it into a computer to see what’s on it. The malware will then automatically inject itself into the computer.
7. Physical breaches
As the name indicates, physical breaches are when a cybercriminal is in plain sight, physically posing as a legitimate source to steal confidential data or information from you. This might be as a colleague or an IT person — perhaps they’re a disgruntled former employee — acting like they’re helping you with a problem on your device. In fact, they could be stealing your account logins.
Physical breaches example
A social engineer posing as an IT person could be granted access into an office setting to update employees’ devices — and they might actually do this. At the same time, however, they could be putting a keylogger on the devices to track employees’ every keystroke and patch together confidential information that can be used toward other cyberattacks.
8. Pretexting
What is pretexting? It’s the use of an interesting pretext, or ploy, to capture someone’s attention. Once the story hooks the person, the social engineer tries to trick the would-be victim into providing something of value. Oftentimes, the social engineer is impersonating a legitimate source.
Pretexting example
Let’s say you received an email, naming you as the beneficiary of a will or a house deed. The email requests your personal information to prove you’re the actual beneficiary and to speed the transfer of your inheritance. Instead, you’re at risk of giving a con artist the ability not to add to your bank account, but to access and withdraw your funds.
9. Watering hole attacks
A watering hole attack is a one-sweep attack that infects a single webpage with malware. The webpage is almost always on a very popular site — or virtual watering hole, if you will — to ensure that the malware can reach as many victims as possible.
Watering hole attack example
In 2014, a media site was compromised with a watering hole attack attributed to Chinese cybercriminals. They exploited vulnerabilities on the media site to create a fake widget that, when loaded, infected visitors’ browsers with malware.
10. Quid pro quo
Quid pro quo means a favor for a favor, essentially “I give you this, and you give me that.” In the instance of social engineering, the victim coughs up sensitive information like account logins or payment methods and then the social engineer doesn’t hold up their end of the bargain.
Quid pro quo example
For a quid pro quo video gaming example, you might be on a gaming forum and on the lookout for a cheat code to surpass a difficult level. Perhaps you wire money to someone selling the code, just to never hear from them again and to never see your money again.
15 tips to avoid becoming a victim of a social engineering attack
Your best defense against social engineering attacks is to educate yourself about their risks, red flags, and remedies. To that end, look to the following tips to stay alert and avoid becoming a victim of a social engineering attack.
Communicate safely online
Your own wits are your first defense against social engineering attacks. Simply slowing down and approaching almost all online interactions with skepticism can go a long way in stopping social engineering attacks in their tracks.
1. Don’t click links you don’t request.
2. Don’t overshare personal information online.
3. Be cautious of online-only friendships.
4. Remember the signs of social engineering.
5. Acknowledge what’s too good to be true.
Secure your accounts and networks
Beyond putting a guard up yourself, it’s best to guard your accounts and networks against cyberattacks, too. Consider these means and methods to lock down the places that host your sensitive information.
6. Use two-factor authentication.
7. Only use strong, unique passwords and change them often.
8. Consider a password manager to keep track of your strong passwords.
9. Set high spam filters.
10. Don’t allow strangers on your Wi-Fi network.
11. Use a virtual private network.
12. Monitor your account activity closely.
Safeguard your devices
Finally, ensuring your devices are up to cybersecurity snuff means that you aren’t the only one charged with warding off social engineers — your devices are doing the same.
13. Don’t leave devices unattended.
14. Use cybersecurity software.
15. Keep your software up to date.
Manipulation is a nasty tactic for someone to get what they want. Thankfully, it’s not a sure-fire one when you know how to spot the signs of it. Now that you know what social engineering is — and the techniques associated with it — you’ll know when to put your guard up higher, online and offline.
Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.