What is Social Engineering?

Social engineering relies on the basic human instinct of trust to steal personal and corporate information that can be used to commit further cybercrimes.

For example, a cybercriminal might use social engineering to convince an employee to divulge company passwords. The cybercriminal then uses these passwords to access corporate networks to steal data and to install malware on the company network.

All it takes is an email, phone call or text message disguised as coming from a colleague, friend, or known company and the cybercriminal has won. The cybercriminal may use a familiar yet urgent tone to convince the victim to update their banking information or tell the victim that to claim their prize they have to provide their credit card information.

Social engineering is hard to defend against because human beings are unpredictable. There is no way of knowing who will fall for a social engineering attack. Cybercriminals hope to catch the victim off-guard when they forget to remain alert to cyber attacks.

Why Is Social Engineering So Dangerous?

Social engineering is so dangerous because people make mistakes. Even people who know to be suspicious of emails promising refunds, or of phone calls threatening immediate arrest unless they hand over their tax information, still get caught off guard.

Social engineering succeeds by exploiting human nature: being busy, not paying attention, being too trusting, complacency, and simply forgetting the basics of cyber security awareness. It is not unheard of for the same people to fall victim to social engineering attacks more than once.

It is much easier for cybercriminals to hack a human than it is to hack a company network. This is exactly why it’s so important that you focus on people-centric cyber security awareness training. By putting your people first, you can give them the education, resources and tools to stay aware of social engineering.

How Does Social Engineering Happen?

Social engineering attacks commonly use one of these nine techniques:

1. Phishing

Phishing uses deceptive emails, websites and text messages to steal confidential personal and corporate information. Criminals who use phishing succeed because they hide behind sender names, branding and websites that are familiar to the intended victim.

2. Spear Phishing

Spear phishing is a targeted form of phishing aimed at specific individuals or businesses. Criminals first collect personal data about their targets, for example from social media and company websites, and then craft emails that look familiar and trustworthy to that particular recipient.
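Lookalike sender domains and spoofed display names are the mechanics behind the "familiar" emails that both phishing and spear phishing rely on. The following added example (written for this page, not code from the original article) shows the sender checks a mail filter or an analyst's triage script could run over message headers: confusable-character normalization, punycode (IDN) decoding, edit-distance comparison against an allowlist, a brand used as a leading label of an unrelated domain, display-name impersonation, and a Reply-To that does not match the From domain. The trusted domains, the confusable map and the sample headers are all constructed for illustration.

```python
"""Heuristic sender-spoofing checks for phishing triage.

Added example for this page, not code from the original article. The trusted
domains, the confusable-character map and the sample headers at the bottom
are all constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr
from typing import Optional

# Constructed allowlist: domains the (hypothetical) organisation treats as genuine.
TRUSTED_DOMAINS = {"example.com", "apple.com", "paypal.com"}

# Characters that look like ASCII letters but are not (a small, illustrative
# subset of the Unicode confusables list; extend for production use).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",                                          # digits read as letters
    "\u0131": "i",                                               # dotless i
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic lookalikes
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})


def normalize_domain(domain: str) -> str:
    """Fold a domain into the ASCII string a human would read it as."""
    domain = domain.strip().lower().rstrip(".")
    if "xn--" in domain:                      # IDN label: decode punycode
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass                              # leave undecodable labels alone
    domain = unicodedata.normalize("NFKC", domain)
    domain = domain.translate(CONFUSABLES)
    for pair, single in (("rn", "m"), ("vv", "w")):   # two glyphs read as one
        domain = domain.replace(pair, single)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain: str) -> bool:
    """Exact match or a genuine subdomain such as mail.example.com."""
    domain = domain.lower().rstrip(".")
    return domain in TRUSTED_DOMAINS or any(
        domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None."""
    domain = domain.lower().rstrip(".")
    if is_trusted(domain):
        return None
    norm = normalize_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain.startswith(trusted + "."):  # paypal.com.account-verify.net
            return trusted
        tnorm = normalize_domain(trusted)
        if norm == tnorm or edit_distance(norm, tnorm) <= 1:
            return trusted
    return None


def analyze_message(headers: dict) -> list:
    """Run the sender checks over a message's headers and list the findings."""
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain!r} looks like {target!r}")
    if not is_trusted(from_domain):
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]     # "apple" from apple.com
            if brand in display.lower():
                findings.append(
                    f"display name {display!r} claims {brand!r} "
                    f"but the sender is {from_domain!r}")
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings


# Constructed sample headers (not real messages).
SAMPLES = [
    {"From": '"Jane" <jane@example.com>'},
    {"From": '"Apple Support" <support@app1e.com>'},
    {"From": '"Apple ID" <noreply@xn--pple-43d.com>'},
    {"From": '"PayPal" <service@paypal.com.account-verify.net>'},
    {"From": '"IT Helpdesk" <helpdesk@example.com>',
     "Reply-To": "helpdesk@example-mail.net"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["From"])
        for finding in analyze_message(sample) or ["no findings"]:
            print("  -", finding)
```

These checks are deliberately noisy: an edit distance of one will also flag legitimate but similar domains, so in practice the findings feed a review queue or raise a score rather than block mail outright, and the confusable table should be replaced by the full Unicode confusables data.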

3. Baiting

Baiting relies on the human desire for reward. It is both an online and a physical social engineering attack that promises the victim something in exchange for an action, for example plugging in a found USB key or downloading an attachment in order to receive "free movie downloads for life". The computer, and potentially the network, is then infected by software that can capture login credentials or send fake emails.

4. Water-Holing

Water-holing (a watering hole attack) targets a group of users through the websites they commonly visit. The cybercriminal finds a security vulnerability in one of these websites and plants malware on it; eventually a member of the targeted group visits the site and is infected. Because the victim is on a legitimate site they already trust, this technique is hard to detect.

5. Vishing

Vishing (voice phishing) uses phone calls and voice mails to convince victims that they need to act quickly or they could be in trouble with the law or at risk. For example, a criminal may leave a voice mail that urges the victim to reset their banking information because their account has been hacked.

6. Pretexting

Pretexting uses an invented scenario (the pretext) and a false identity to trick victims into giving up information. For example, the cybercriminal may know that the victim recently bought an item from Apple, so the cybercriminal sends an email pretending to be an Apple customer service representative who needs to confirm the victim's credit card information.

7. Quid Pro Quo

Quid pro quo scams rely on an exchange of information to convince the victim to act. This social engineering technique offers to provide a service to the victim in exchange for a benefit. A common technique is for the criminal to impersonate an IT support employee who calls victims who have open support tickets. The cybercriminal promises a quick fix if the person disables their antivirus software or confirms their login credentials.

8. Malware

Malware scams, often called scareware, trick victims into paying to remove malware, viruses or other infections that do not actually exist. A pop-up or phone call tells the victim their computer is infected and that, if they pay, the "infection" can be removed. Depending on the scam, the criminal might only steal the victim's credit card information, or might also install real malware or ransomware under the guise of a clean-up tool.

9. Tailgating

Tailgating is a physical social engineering technique which relies on trust to gain access to a building or secure area in a building. The criminal may simply walk closely behind someone and slip through an open door or ask to be “badged in” because they forgot their employee swipe card. This scam underscores the need for employees to pay attention to who is loitering near doors and to never hesitate to ask for identification.

How To Prevent Social Engineering Attacks

  1. Invest in your people. Put an emphasis on cyber security awareness to reduce human risk. Take advantage of free tools such as phishing simulations, ransomware simulations and cyber security assessments to strengthen your organization.
  2. Educate your team on the multiple types of social engineering scams. Use real-world examples to show how easy it is for anyone to be caught off guard by social engineering.
  3. Create internal cyber security heroes who are committed to keeping your organization cyber secure. This encourages your employees to change their behavior.
  4. Create and foster environmental support for behavior change. Create a work environment that inspires learning and encourages security awareness.
  5. Benefit from a flexible social engineering awareness training model that uses animated videos, interactive online training, managed security services, microlearning modules and phishing simulations to provide continual support.
  6. Provide ongoing communication and campaigns about social engineering, cyber security, phishing, ransomware and the risks that can come with emails, URLs, attachments, phone calls and human beings.
  7. Use proven security awareness training and simulation training platforms to provide stimulating and effective security awareness education.

To be successful, social engineering attacks only need one thing: trust. It’s critical that your employees are aware of social engineering techniques.
