Social engineering: Attacks, techniques, and defences

Research shows that 85% of organizations experience some form of social engineering attack. These incidents take advantage of the human risk factor, which means they try to exploit your company by manipulating employees instead of attacking purely technical vulnerabilities.

Hackers can use a variety of tactics, techniques, and procedures to capitalize on human risk. This is why it can be difficult for some employees to keep themselves safe.

We'll help you better understand social engineering attacks, how they work, and what you can do to keep your organization safe.

What is social engineering?

Social engineering attacks try to manipulate victims into voluntarily disclosing sensitive information or downloading malicious files.

For example, a hacker might try to get one of your employees to share their login credentials or open a file with malware. If successful, the attacker can use their newfound access to breach your company’s private networks, devices, or databases.

Unlike zero-day and denial-of-service attacks, social engineering attacks are relatively easy to deploy. Anyone with ill intent and the ability to write a convincing email can launch this type of attack. Plus, employees just need to click a link or download a file for it to be effective.

Types of cyberattacks that use social engineering

Cybercriminals use a variety of tactics to breach organizations via social engineering. But some are more frequently used than others. With that in mind, here are four of the most common types of cyberattacks that use social engineering.

1. Phishing, vishing, and smishing

Phishing attacks try to lure an unsuspecting user into clicking a malicious link or file in an email. Hackers reach out to their victims from accounts that often appear trustworthy. They send messages that read like an official communication from a trusted person, company, or organization.

Phishing emails may look something like this:

Once the victim clicks the link, they are directed to an illegitimate website or download malware that grants access to their device. The fake website prompts the user to input their username and password, and that info is sent directly to the hacker.

Basic phishing is largely a numbers game. Attackers often send the same generic email to hundreds or thousands of potential victims. They only need one recipient to click the link or input their credentials to be successful.

Although phishing attacks have traditionally happened via email, hackers now send them through other mediums. These include voice messages (vishing) and SMSs (smishing).

2. Spear phishing

Spear phishing is a more targeted kind of social engineering attack. Hackers who launch them use personalized research to create more believable phony emails.

For example, say a hacker wants to extract customer records from a company. They may start with LinkedIn to find an employee in the company’s customer success department. Then, the attacker could follow the person’s social trail to find a manager or colleague they probably receive emails from regularly.

At that point, the attacker sends an email to the victim that looks like it came from their manager or colleague. They often copy the person’s email address closely, hoping a busy employee accidentally overlooks the typos.

Here’s a simplified overview of how spear phishing attacks work:

Due to how personalized and seemingly authentic messages like these are, victims are far likelier to click on them.

3. Business email compromise

Business email compromise (BEC) is another scam that relies heavily on social engineering techniques. In a BEC attack, a scammer impersonates a trusted company executive or third-party vendor to initiate financial transfers to an account they own.

For example, they may pretend to be a security vendor updating payment instructions. The hacker would send a detailed email from an address that appears legitimate to the person within the organization who typically makes payments. But if this person follows the email’s instructions, the funds they send will go to the hacker.

BEC schemes can be incredibly damaging. According to the FBI’s latest Internet Crime Report, losses from BEC schemes exceeded $2.7 billion in 2022 alone.

4. Watering hole attacks

Wild lions often wait by watering holes to catch unsuspecting prey. Hackers use a similar tactic to breach companies. With watering hole attacks, the cybercriminal picks an industry they want to target. Then, they find websites that people in that industry frequently use, such as message boards and forums.

These sites are “watering holes” that people within the industry keep coming back to for the resources they offer. The hacker will find and exploit vulnerabilities on these watering hole websites to inject malware. Just visiting the compromised website can infect users with malicious code.

Common social engineering techniques

Now that we’ve covered the most common types of social engineering attacks, let’s look at tactics threat actors use to execute them. Becoming familiar with these tactics can help employees recognize social engineering attacks.

Impersonating authority figures and trusted people

Social engineering attackers often impersonate someone authoritative that the victim knows. This could be a CEO, manager, supervisor, or a trusted colleague.

Armed with this fake identity, the hacker may request a wire transfer, company credentials, or other confidential information.

Preying on a victim’s need for information

Threat actors can create sophisticated emails that play on the victim’s emotions.

For example, they might design a scam that promises fake leads, research results, or other information that the employee would find valuable to their work. The attackers hope the victim’s interest in the phony offer will override their caution.

Using fear and urgency to pressure action

Urgency is common in social engineering attacks. Hackers may offer special limited-time deals or share tasks that require urgent action.

The idea behind this tactic? Get victims to share in the urgency so they click on a link or download a file without thinking critically first.

Hiding attacks within current events

Attackers know that governments and organizations send regular communications about current events.

These often follow a simple template and feature consistent email branding and messaging. That makes it easy for attackers to copy and use maliciously.

Why social engineering is effective

Social engineering attacks are effective because they twist our human psychology against us. People naturally trust coworkers, bosses, and organizations they know. Many also assume that all malicious emails are blocked from their inbox, and only legitimate ones pass the filtering test.

Social engineering attacks are often more difficult to detect and prevent than other cybercrimes. They bypass an organization’s technical defense by getting a trusted employee to hand over information voluntarily.

That’s one reason Field Effect recommends following the principle of least privilege: Give employees access to only the systems and tools they need to do their daily jobs instead of all of the technology your company uses.

That way, if an employee makes a mistake and falls for a social engineering attack, only a segment of your sensitive data will be compromised instead of all of it.

Examples of social engineering attacks

Some people think they’d never fall for a social engineering attack. But attackers can be very sophisticated. To illustrate just how powerful these attacks can be, consider the following examples.

Google and Facebook

A Lithuanian national recently used a social engineering attack to steal approximately $100 million from Google and Facebook. He created a fake company that looked like a real computer manufacturer Google and Facebook did business with.

The two companies received the services they requested from the actual computer manufacturer but paid their invoices to a fake account controlled by the scammers. The man successfully phished employees, from both companies, who were expecting invoices from the real vendor.

Robinhood

Robinhood was also the target of a recent social engineering attack. The threat actor managed to gain confidential credentials from a customer service representative by phone. This gave them access to the company’s customer databases, where they stole sensitive information on about 7 million Robinhood users.

Twitter

Years ago, hackers targeted Twitter employees in a sophisticated spear phishing campaign. The scam worked, and hackers accessed the social media accounts of high-profile figures and corporations, including Barack Obama, Elon Musk, and Apple.

The hacker used this access to post Bitcoin scam links from trusted accounts. They’re said to have stolen over $100,000 in the attack.

An update from Twitter said that the hackers social-engineered a small number of Twitter employees over the phone. The company notes that the attack exploited human vulnerabilities to access Twitter’s internal systems.

How to defend against social engineering attacks

Social engineering is a serious threat to businesses of all sizes. But with a little effort, education, and investment, you can harden your organization’s cybersecurity and keep your sensitive information safe. Here are some tips to get you started.

Teach your team what to look for

Social engineering attacks are carefully designed to exploit human psychology and naiveté. You can make these schemes much more difficult for attackers by teaching your team about the common characteristics the attacks share.

Arm your employees with the cybersecurity knowledge they need. Get the 2024 Employee Cybersecurity Handbook today.

Download now

For example, technical indicators of a malicious email can include:

• Suspicious links
• Typos in domain names
• Exceedingly long URLs
• Attachments with suspicious names (such as "important_file.doc.exe")

There are also a variety of behavioral indicators you can teach your team to look for. These include:

• Urgent requests
• Sudden changes to financial details or transactions
• Unusual or unexpected senders (such as an executive an employee never talks to)
• Changes in behavior, like a strange new writing style from a colleague you know well

It's important to stay on top of developments in social engineering attacks. Paying attention to the news can help you learn how attackers are changing their strategies so you can get your team ready before it’s too late.

Encourage a culture of verification

It’s also smart to encourage employees to verify information if they’re unsure about something.

For example, if a vendor suddenly emails to ask an employee to pay an invoice to a new account, the employee should confirm it’s real before paying. That could mean contacting the person making the request by phone or verifying the invoice's validity by email with another trusted member of the organization.

In fact, it may be helpful to set up a mandatory verification process for events like this. Anytime suppliers, vendors, or providers ask for changes or payment, you could ask employees to always verify the request through another medium before proceeding—even if they feel confident in the request’s legitimacy.

Adopt the principle of least privilege in your workplace

When new employees start at your company, do their accounts give them access to all your tools and databases? If so, a social engineering attack could be particularly damaging to your business. 

A single breach could give an attacker access to every part of your company. This can lead to more expensive disruptions, higher ransom demands, and more significant data leaks, among other problems.

Companies that follow the principle of least privilege give employees access to only the tools and databases they need to do their jobs. If a breach occurs, the damage will be easier to contain.

Update software routinely

Social engineering attacks exploit humans rather than technology. But continue stressing the importance of updating software regularly.

Ad blockers, antivirus, and firewalls can alert employees to malicious files and websites before they access them. But if these aren’t up-to-date, they may not catch suspicious files and websites that use the latest cybercrime tactics.

For example, an employee receives an email that looks like it came from your customer relationship management software. The message says they must log into their account urgently because it may be compromised.

If the employee falls into the trap and clicks the link, they’ll go to a spoofed login page and share their credentials with the hacker. If the employee had an up-to-date firewall installed, they may have been blocked from accessing the site in the first place.

Prepare employees with phishing simulations

Another great way to prepare your team to defend against phishing attacks is to give them firsthand experience. Companies like Field Effect offer phishing simulation services, where we customize every organization’s phishing simulation training based on its specific needs. Each campaign incorporates modern social engineering techniques your employees may encounter.

After the campaign, you’ll get a comprehensive report, written by our experts, detailing exercise results, key findings, and areas of improvement. This hands-on training may be the best way to prepare your team for social engineering attacks.

Set up technical protections

Finally, consider setting up more sophisticated technical protections if you’re worried about social engineering attacks impacting your organization. Many companies offer 24/7 threat monitoring services that identify and address anomalies in behavior before attackers can cause serious damage or disruption.

Without any technical protection, a hacker who launches a successful social engineering attack could access your network for a long time without your knowledge. But with the right monitoring tools, you could identify the hacked account almost immediately and take action to quarantine it before the threat actor has the chance to wreak havoc.

Take the next step with Field Effect

Social engineering attacks can seem difficult to identify and prevent because of the human factor. But you can manage this risk just like you manage other security concerns.

That process starts by training your employees. Our 2024 Employee Cybersecurity Handbook is perfect for this. It features everything your team needs to know about cybersecurity and social engineering.

You can share the report with your employees or get in touch with us to learn more about Field Effect MDR, our holistic cybersecurity solution that helps companies of all sizes deal with the widest range of cyber threats, including social engineering attacks.