What is social engineering? Types, examples, and safety tips
Social engineering tactics bypass device security by hacking people instead of tech. By exploiting trust, fear, urgency, or curiosity, cybercriminals can trick victims into handing over passwords, payment details, or other sensitive information. Learn how common social engineering attacks work, see real-world examples, and discover ways to help detect and block scams before they succeed.
Social engineering in a cybersecurity context involves criminals manipulating people into revealing sensitive information or taking risky actions. Instead of relying primarily on technical exploits, these attacks target human emotions and behavior, using tactics like fear, urgency, curiosity, or trust to deceive victims.
And it turns out that humans are much easier to hack than machines, which is why social engineering has increasingly become the go-to tactic for cybercriminals. So much so that research recently conducted by Gen (the company behind Norton) shows that 90% of blocked attacks in 2025 involved some form of social engineering.
This guide explains what social engineering is, highlights common attack techniques with real-world examples, and outlines practical steps you can take to protect yourself from these increasingly sophisticated scams.
How does social engineering work?
Social engineering works by manipulating human psychology to gain access to sensitive information or systems. Instead of exploiting technical vulnerabilities, attackers exploit emotions like trust, fear, urgency, or curiosity to persuade victims to reveal confidential information, click malicious links, transfer money, or grant unauthorized access.
People and organizations that criminals impersonate
Social engineers often pose as trusted individuals or organizations to make internet scams and other fraudulent schemes appear legitimate. Common examples include:
- Brands: Attackers may impersonate well-known companies like DocuSign, Geek Squad, or Publishers Clearing House through fake support messages, invoices, or prize notifications.
- Individuals: Scammers frequently pose as recruiters, romantic interests, executives, royalty, or other seemingly trustworthy people to build rapport and gain sensitive information.
- Organizations: Government agencies like the IRS, banks, and financial institutions are common impersonation targets used to pressure victims into sharing private data or making payments.
- Charities: Fraudsters may also pose as local or global charities, especially during disasters or major events, to solicit fake donations.
How to spot a social engineering attack
The clearest sign of a social engineering attack is often the urgency, fear, or excitement it invokes to pressure you into making quick decisions before you have time to think. Unexpected requests for passwords, payments, verification codes, or device access are also major red flags that a communication is a potential scam.
Here are the main social engineering techniques to watch out for:
- Emotional manipulation: Social engineers are skilled at stirring up specific emotions, such as fear, curiosity, or pity, so consider the source of these triggers before acting on them. If a complete stranger sends you a text message with a sob story, it’s likely a social engineering technique appealing to your empathetic side.
- Urgent requests: Social engineers don’t want you to think twice. That’s why many social engineering attacks involve some type of urgency, such as sweepstakes winnings you need to claim immediately or cybersecurity software you need to download now to prevent your files from being corrupted by a falsely detected virus.
- Unsolicited help: Social engineers might reach out pretending to be from a company providing help for a problem you don't have, like in a tech support scam (this is often referred to as “pretexting”). Don’t be fooled into granting unsolicited remote access to your computer.
Common social engineering attack types
Social engineering attacks come in many forms, ranging from online impersonation scams to in-person manipulation tactics. While the methods vary, the ultimate goal is usually the same: tricking victims into revealing sensitive information, granting access, or taking actions that benefit the attacker.
Here are some common forms of social engineering and examples:
Phishing
Phishing attacks typically involve cybercriminals sending emails, texts, or other messages designed to trick victims into revealing sensitive information or clicking malicious links. Phishing is often combined with other social engineering tactics to make attacks more convincing and targeted. According to CISA, over 90% of successful cyberattacks begin with some form of phishing.
Phishing scams come in various delivery forms, including:
- Vishing (voice phishing): A phisher calls or leaves a voicemail pretending to be from a trusted institution in hopes of gaining private information.
- Smishing (SMS phishing): A bad actor sends texts containing malicious links or probing for personal information.
- Clone phishing: A phisher copies a legitimate email, replacing any links or attachments with malicious ones; when the victim clicks, they’re asked to provide private details that can be harvested by the attacker.
- Spear phishing: A cybercriminal targets a specific organization or individual, using personalized messaging to appear trustworthy.
Phishing is far from a new or particularly sophisticated threat, but attacks continue to cause significant financial losses. In 2025, the Connecticut Port Authority reportedly lost more than $16,500 after attackers used a lookalike email domain to impersonate a legitimate invoice sender.
Scareware
Scareware is a type of social engineering attack that uses fake security warnings to trick people into downloading malicious software or paying for fraudulent services. These scams often appear as alarming pop-ups, fake antivirus alerts, or urgent messages claiming your device has been infected with a computer virus or compromised by hackers.
Modern scareware campaigns often imitate trusted companies such as Microsoft, Apple, or antivirus brands to appear more convincing. But in many cases, the supposed “security tool” being promoted is actually spyware or another form of malware disguised as a fix.
One such scareware scheme occurred from 2024 to 2025, when attackers reportedly targeted Windows users with false security alerts. According to SecurityWeek, hackers injected malicious code that froze webpages and displayed fake security alerts designed to make victims believe their computers were malfunctioning, in hopes that they’d call fake support numbers and download malicious software.
Always bear in mind that legitimate security alerts generally do not appear as flashing browser pop-ups demanding immediate action, payment, or remote access to your device.
Caller ID and email spoofing
Caller ID spoofing occurs when attackers falsify the phone number or caller information that appears on your device to make a call seem legitimate. Scammers often impersonate trusted organizations, government agencies, banks, or even people you know in order to pressure victims into sharing sensitive information or sending money.
Advances in AI-generated voice cloning have also made these scams more convincing. As highlighted in a recent PCMag report, Microsoft’s VALL-E voice synthesis model demonstrated the ability to mimic a person’s voice using just a few seconds of audio. Tools like these can be abused by scammers to impersonate family members, coworkers, or executives during fraud attempts and social engineering attacks.
Email spoofing works in a similar way. Attackers forge sender addresses, display names, or entire email layouts so messages appear to come from trusted individuals or organizations. In some cases, cybercriminals may also compromise real email accounts and send messages directly from them, making the deception even harder to detect.
Domain or DNS spoofing
DNS spoofing and domain spoofing are attacks that redirect users to fraudulent websites designed to steal sensitive information such as login credentials, payment details, or personal data. While the two terms are often used together, they work differently. DNS spoofing manipulates the system that translates website names into IP addresses, while domain spoofing involves creating lookalike or deceptive websites that imitate legitimate brands.
In some cases, attackers may use techniques such as packet sniffing, compromised DNS servers, or malicious network configurations to intercept or redirect traffic. However, many attacks rely on simpler methods like typosquatting — for example, replacing a letter in a familiar domain name to trick users into visiting a fake site.
Although DNS and domain spoofing are technical methods, they also enable social engineering by helping to foster a false sense of trust. If a website looks legitimate and uses familiar branding, users are more likely to enter passwords, payment information, or other sensitive data without realizing the site is fraudulent.
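One defender-side check for the lookalike email domains and typosquatting described above, as an added Python example that is not part of the original article: it extracts the domain behind a sender address or link and classifies it as trusted, lookalike, or unknown against a small allow-list (the `TRUSTED` set, the homoglyph table, and the edit-distance thresholds are assumptions chosen for the example).

```python
from urllib.parse import urlparse

# Constructed allow-list for the example; a real deployment would use its own.
TRUSTED = {"docusign.com", "irs.gov", "example-bank.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # digit-for-letter swaps

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label: str) -> str:
    """Undo digit-for-letter swaps and the 'rn'->'m' / 'vv'->'w' lookalike tricks."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def host_of(ref: str) -> str:
    """Extract the host from an e-mail address ('user@host') or a URL ('https://host/...')."""
    if "@" in ref:
        return ref.rsplit("@", 1)[1].lower()
    return (urlparse(ref).hostname or ref).lower()

def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unknown"
    reg = ".".join(labels[-2:])  # registrable part (simplified; no public-suffix list)
    if reg in TRUSTED:
        return "trusted"
    name = reg.rsplit(".", 1)[0]
    for trusted in TRUSTED:
        t_labels = trusted.split(".")
        # Trusted name used as a subdomain of someone else's domain, e.g. irs.gov.example.net
        if any(labels[i:i + len(t_labels)] == t_labels for i in range(len(labels))):
            return "lookalike"
        t_name = trusted.rsplit(".", 1)[0]
        limit = 1 if len(t_name) < 6 else 2  # tighter tolerance for short names
        if levenshtein(normalize(name), t_name) <= limit:
            return "lookalike"  # typo, homoglyph swap, or swapped top-level domain
    return "unknown"

def classify_sender(ref: str) -> str:
    """Classify the domain behind an e-mail address or link."""
    return classify_domain(host_of(ref))
```

A mail gateway or browser extension would apply this kind of check before the user ever sees the message or page, treating "lookalike" as grounds to quarantine or warn.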
Watering hole attacks
Watering hole attacks also combine technical exploitation with social engineering by abusing the trust users place in familiar websites. But instead of targeting victims directly, attackers compromise legitimate sites that are frequently visited. When users visit the infected website, malicious code may steal data, redirect traffic, or install malware without the victim realizing it.
Watering hole attacks often target businesses, government agencies, or industry groups whose employees rely on the same online resources. In one representative example from 2025, The Hacker News described how the Russia-linked group APT29 allegedly compromised legitimate websites and redirected some visitors to malicious pages designed to steal Microsoft account credentials.
Baiting
Baiting attacks exploit human curiosity or greed by offering something enticing, such as free downloads, exclusive information, or financial rewards. The goal is to trick victims into installing malware, revealing sensitive information, or granting access to their devices.
These attacks can happen both online and in person. For example, attackers may leave infected USB drives labeled “Confidential” in public places, hoping someone plugs one into a computer out of curiosity. Online, baiting often takes the form of messages promoting fake giveaways, investment opportunities, or urgent links promising valuable information or rewards.
In one large-scale example uncovered by CTM360, scammers operated thousands of fake news websites designed to mimic trusted outlets like CNN or the BBC. These sites published fabricated stories that directed readers to fraudulent investment platforms, where victims were encouraged to register and later pressured to send money to fake advisors promising unrealistic returns.
Pretexting
Pretexting is the use of a fabricated but believable story or scenario to gain a victim’s trust and extract sensitive information. The “pretext” is designed to create urgency, authority, or emotional engagement so the target is more likely to cooperate. For example, an attacker might impersonate a company IT employee and claim you need to verify credentials or fix an urgent security issue.
A recent example involved the Allianz Life data breach affecting roughly 1.1 million customers. According to reports, the cybercriminal group ShinyHunters allegedly used pretexting techniques to manipulate employees into revealing access credentials, helping facilitate the breach.
Quid pro quo
“Quid pro quo” means “something for something.” In a quid pro quo social engineering attack, scammers offer a supposed benefit or service in exchange for sensitive information, access, or money. The tactic exploits people’s natural tendency to trust and reciprocate favors. In reality, the attacker never delivers on the promised benefit.
A common example targets seniors enrolled in Medicare. Fraudsters may offer free medical equipment or healthcare services in exchange for Medicare information. Instead of providing the promised services, they use the stolen data for nefarious purposes, such as submitting fraudulent reimbursement claims for equipment that was never purchased.
Tailgating
Tailgating, or “piggybacking,” is a physical social engineering tactic in which an unauthorized person gains access to a restricted area by following someone with legitimate access. These attacks exploit common social behaviors like politeness, trust, or reluctance to question strangers.
For example, an attacker might wait outside an office building and ask someone to hold the door after they swipe their badge. Once inside, the intruder may gain access to sensitive areas such as offices, server rooms, or restricted systems. Because the interaction often appears harmless or courteous, victims may not realize they’ve enabled a security breach.
How to protect against social engineering attacks
In addition to staying informed of how to spot social engineering attacks and maintaining a healthy sense of skepticism when browsing online, follow these tips to protect against social engineering attacks:
- Set strict spam filters: Enable email and text spam filters to catch potential phishing messages before they reach you.
- Be cautious online: Protect your privacy online by being mindful of the information you share publicly, as it could be used to personalize scams and build trust. Be wary of online contacts requesting favors, money, or personal details without verifying their identity.
- Use cybersecurity software: Modern cybersecurity software can help detect malicious links, suspicious files, and phishing attempts before they compromise your device or accounts.
- Keep your software up to date: Regular updates patch security vulnerabilities that hackers often exploit during social engineering attacks.
- Don’t leave devices unattended: Avoid leaving phones, laptops, or other devices unattended, especially in public or shared environments where attackers could tamper with them.
- Don’t let strangers into restricted areas: If you don’t recognize someone trying to enter a secure area behind you, avoid granting access without proper verification.
Get comprehensive protection against social engineering attacks
Social engineering scams are designed to exploit trust, urgency, and human emotion. But Norton 360 helps you stay one step ahead with AI-powered scam detection to help identify suspicious links, fake websites, scam texts, and even manipulated deepfake content before attackers can trick you into handing over sensitive information.
FAQs
Does social engineering involve malware?
Social engineering primarily relies on manipulation and deception, so it doesn’t always involve malware. However, attackers often use social engineering to trick victims into downloading malware through malicious links, fake websites, or infected attachments.
What’s the difference between social engineering and phishing?
Social engineering is the broader practice of manipulating people into revealing information or taking risky actions. Phishing is a specific type of social engineering that uses deceptive emails, texts, or messages to steal information or deliver malware.
What’s the most common method of social engineering?
Phishing is the most common method of social engineering used online. Phishing messages are commonly used as the vector for other social engineering attacks, like quid pro quo attacks or baiting. Almost all types of phishing attacks aim to exploit human trust, often by impersonating trusted institutions or people.
Do social engineers rely on AI?
Increasingly, yes. Social engineers are using AI to generate convincing messages, imitate writing styles, clone voices, and create realistic fake audio or video. And as deepfake technology becomes cheaper and more accessible, AI-driven social engineering attacks are becoming more sophisticated and harder to detect.
Editors' note: Our articles offer educational information and are written to raise awareness about important topics in Cyber Safety. Norton products and services may not protect against every type of threat, fraud, or crime we write about. For more details about how we research, write, and review our articles, see our Editorial Policy.