Here’s Why Hackers Don’t Need Your Passwords
No matter how strong your password or security setup is, hackers and scammers know there’s one vulnerability they can always exploit: You.
Social engineering attacks use the “human loophole” to get around cybersecurity roadblocks. Instead of hacking your accounts to steal your identity, they hack you by using phishing attacks, imposter frauds, and other scams.
Cybercriminals used social engineering techniques in 20% of all data breaches in 2022 [*]. In 2021, the FBI received over 550,000 complaints of these crimes from Americans, with reported losses exceeding $6.9 billion [*].
So how do you protect yourself, your family, and your business from these ever-evolving types of social engineering attacks? Your best defense is to stay informed.
In this guide, we’ll teach you what social engineering is, how to identify red flags of social engineering attacks, and what to do to keep yourself safe.
What Are Social Engineering Attacks?
Social engineering attacks target people rather than systems. Hackers use deceptive psychological manipulation to instill fear, excitement, or urgency. Once you're in a heightened emotional state, they use that against you to cloud your better judgment.
It only takes one human error to become a victim of a socially engineered attack. And this vulnerability is the reason why criminals are using social engineering techniques more often.
How Do Social Engineering Attacks Work?
Social engineering attacks are relatively straightforward. All a hacker needs to do is convince one under-informed, stressed, or trusting person to do what they say.
And for the attacker, the payoff can be large.
In one of the highest-profile social engineering attacks of all time, hackers tricked Twitter employees into giving them access to internal tools [*]. The hackers then hijacked the accounts of people like Joe Biden, Elon Musk, and Kanye West to try and get their many followers to send Bitcoin to the hackers.
These attacks are incredibly easy to pull off, and they all follow a similar pattern.
The four phases of a social engineering attack are:
- Discovery and investigation
- Deception and hook
- Attack (execution)
- Exit
1. Discovery and investigation
Scammers start by identifying targets who have what they're seeking: credentials, data, unauthorized access, money, or confidential information. They then research the target through public sources such as social media profiles, company websites, and data exposed in earlier breaches.
Once they know who you are and what you do, the hackers use this information to craft a personalized attack. And because the attacker seems to know so much about you, you'll be more likely to lower your guard.
2. Deception and hook
As scammers learn more about their victims, they’ll look for potential entry points. These could include your email address, phone number, and social media account — any avenue by which they can get in touch and open the door for an attack.
Then, they reach out with a “hook” to get you interested.
For example, let’s say you just earned a new job title and posted it on LinkedIn. A scammer could easily spoof an email from a well-known industry website and ask you for an interview. It seems harmless and normal, so why wouldn’t you respond?
When the hook lures you in, the scammer executes one of several types of social engineering attacks.
For instance, after you click the link to set up an online interview, the scammer quietly installs malware on your device. From there it can spread across your corporate network and exfiltrate gigabytes of sensitive data before anyone notices.
Tiny cybersecurity mistakes like this can cost companies huge sums of money. The average cost of a company data breach is a staggering $4.24 million [*].
As soon as criminals complete their mission, they’ll vanish with as little evidence as possible. The average time to detect a cyber attack or data breach is close to 200 days, so you won’t even know what’s happened until they’re long gone.
The 12 Most Common Types of Social Engineering Attacks
- Phishing attacks
- Spear phishing
- Whaling
- Smishing and vishing
- Baiting
- Piggybacking / Tailgating
- Pretexting
- Business Email Compromise (BEC)
- Quid Pro Quo (i.e., tech support scams)
- Honeytraps (romance scams)
- Scareware
- Watering hole attacks
1. Phishing attacks
Phishing is the most common type of social engineering tactic and has increased more than tenfold in the past three years, according to the FBI [*].
Phishing attacks occur when scammers use any form of communication (usually emails) to “fish” for information. These messages look identical to ones from trusted sources like organizations and people you know.
For example, a scammer might send you an email claiming to be from your bank, stating that your account's password has been compromised. Because the email looks legitimate and the message feels urgent, the attacker expects you to click the included link or scan the QR code and enter your account information, which then goes straight to the scammer.
There are three main goals of any phishing scam:
- Get you to click a link. Phishing emails often include links that install malware on your devices.
- Get you to download an attachment. Scammers will also disguise malware and viruses as legitimate attachments. For example, hackers will send an email claiming to be from a law firm with a “court notice to appear” attachment. But when you download it, your device becomes infected.
- Get you to enter your credentials on a website. Many times, hackers will try to get you to go to a legitimate-looking website and enter credentials. For example, they’ll send you an email saying an online account was compromised and to change your password. But anything you enter — username, password, etc. — goes straight to them.
Pro tip: Install antivirus software that will warn you about phishing sites and malware.
In the past, you could get some assurance from a site using HTTPS (and not HTTP) in its URL. But today, 50% of phishing sites use HTTPS, making malicious links more challenging to spot [*]. The padlock only means your connection to that domain is encrypted; it says nothing about whether the domain belongs to the organization it imitates.
2. Spear phishing
Mass phishing attacks have no specific target. Spear phishing attacks occur when hackers target a specific individual or organization, using details from their research to make the message convincing.
Nearly 60% of IT decision-makers believe targeted phishing attacks are their top security threat [*].
In a campaign reported in 2015, hackers pulled off a $1 billion heist spanning 40 countries with spear phishing. The scammers sent bank employees phishing emails with an attachment that deployed the Carbanak malware. Once the attachment was opened, the hackers could control the employees' workstations and move on to infect the servers that managed ATMs.
A new take on spear phishing is called angler phishing. This occurs when scammers impersonate customer service accounts on social media with the goal of getting you to send them your login information.
3. Whaling
Whaling is a term used to describe phishing attacks that target a specific, high-profile person, usually an executive, government official, or celebrity.
The victims of whaling attacks are considered “big fish” to cybercriminals. These targets offer great potential to scammers with either large financial payouts or access to valuable data.
In the case of hacked celebrities, scammers hope to find compromising photos that they can use to extort exorbitant ransoms.
In another example, hackers send spoof emails to C-level employees that appear to come from within the victim’s organization. The sender claims to know confidential information about a coworker — but is afraid to report the situation in person.
Instead, they’ll share their evidence as a spreadsheet, PDF, or slide deck.
But when victims click the link, they’re taken to a malicious website. And if they try to open the attachment, malware infects their system and spreads to their network.
4. Smishing (SMS phishing) and vishing (voice phishing)
Phishing isn’t always limited to emails and fraudulent websites.
Smishing is the term used to describe phishing via SMS text messages. Scammers spoof the sender number, or rent batches of numbers, and blast out messages containing malicious links.
There's also vishing, which is phishing done over the phone, often behind a spoofed caller ID.
Vishing is especially widespread in businesses. Scammers will contact a company’s front desk, customer service, HR, or IT and claim to need personal information about an employee. Lies range from mortgage lenders trying to “verify” email addresses to executive assistants requesting password changes on their boss’s behalf.
All these forms of phishing can lead to identity theft, malware, and financial devastation.
5. Baiting
Baiting is a type of social engineering attack in which scammers lure victims into providing sensitive information by promising them something valuable in return.
For example, scammers will create pop-up ads that offer free games, music, or movie downloads. If you click on the link, your device will be infected with malware.
Baiting scams also exist in the physical world.
One common example is a strategically placed USB stick with an enticing label like “Payroll Q3” or “Master client database.”
A curious employee picks up the drive and plugs it into their workstation, which infects that machine and can give the attacker a foothold on the network.
6. Piggybacking / Tailgating
Piggybacking and tailgating both refer to an unauthorized person entering a restricted area behind an authorized one, either with that person's consent (holding the door for a "colleague") or without their noticing.
This form of social engineering may happen at your place of work if you let someone follow you into the building. Or, it could happen at your apartment building as you’re leaving for the day.
Scammers may be dressed as delivery drivers, say they forgot their IDs, or pretend that they’re “new.” Once inside, they can spy on people, access workstations, check the names on mailboxes, and more.
The same principle applies to letting unauthorized users (like a coworker or child) use your company devices. They may put your device at risk and spread malicious code to the rest of your company.
7. Pretexting
Pretexting occurs when an attacker invents a believable scenario and a matching fake persona, or misuses a real role they hold, to justify a request for information. It's also a common pattern in data breaches carried out by insiders.
Edward Snowden infamously told his coworkers that he needed their passwords as their system administrator. Victims, respecting his title, willingly complied without giving it a second thought [*].
These scammers establish trust using their title, then convince victims to give them sensitive data. They know people will be hesitant to question them or be too scared to push back on these impersonators, even if something seems off.
8. Business Email Compromise (BEC)
The FBI received close to 20,000 complaints of business email compromise (BEC) in 2021, with companies losing over $2.4 billion [*].
There are three main types of BEC social engineering attacks:
- Impersonation. This occurs when scammers use spoofed emails to pose as employees or trusted vendors and clients. They'll ask their target to send payments to attacker-controlled accounts, change payroll and direct deposit information, or share sensitive information.
- Account compromise. This occurs when hackers gain access to a legitimate employee email account. Scammers can then reply to and send emails company-wide (and to clients, vendors, etc.) containing malicious links or attachments.
- Thread hijacking. This is an advanced take on an account compromise attack. Thread hijacking occurs when hackers scan compromised inboxes for subject lines containing "Re:" and automatically reply to those conversations with malware-laced messages. Recipients open the reply without thinking twice because they "know" the sender and the conversation.
BEC messages often contain no malware or links at all, so they slip past technical controls. Preventing them takes specific awareness training and an out-of-band check (such as a phone call to a number you already have) before any payment or banking change.
9. Quid Pro Quo attacks (i.e., tech support scams)
Quid pro quo is Latin for "something for something," i.e., a favor for a favor.
The most common version of a quid pro quo attack occurs when scammers pretend to be from an IT department or other technical service provider.
They’ll call or message you with an offer to speed up your internet, extend a free trial, or even give you free gift cards in return for trying out software.
The only thing that victims need to do is create a free account or give out/verify their login credentials. When scammers receive this sensitive information, they’ll use it against the victim or sell it on the Dark Web.
10. Honeytraps (romance scams)
Honeytraps are a type of romance scam in which scammers create fake online dating and social media profiles using attractive stolen photos. For example, in a military romance scam, the fraudster will pose as an active service member stationed far away and unable to meet in person.
Once they identify a target, they’ll start sending flirty and provocative messages, and quickly tell their victims they’re in love with them. But, they need the victims to prove they feel the same way by sending gifts, cash, or cryptocurrency.
11. Scareware
Scareware, also known as fraudware, deception software, and rogue scanner software, frightens victims into believing they're under imminent threat. For example, you could receive a message saying that your device has been infected with a virus.
Scareware often appears as pop-ups in your browser. It can also appear in spam emails.
Victims are supposed to click on a button to either remove the virus or download software that will uninstall the malicious code. But doing so is what causes the actual malicious software to get in.
12. Watering hole attacks
A watering hole attack occurs when hackers infect a site that they know you regularly visit.
When you visit the site, you automatically download malware (known as a drive-by-download). Or, you'll be taken to a fake version of the site that is designed to steal your credentials.
For example, scammers could divert you away from a normal login page to one designed to steal your account name and password. It will look exactly the same. But anything you enter will go straight to the scammer.
This is where having a password manager becomes so important. Even if a phishing site looks exactly like the real one, a password manager won't automatically enter your credentials on a site whose address doesn't match the one the login was saved for.
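To make that domain check concrete, here is an added example (not code from this page or from Aura) of the origin-matching rule a password manager applies before autofilling. The vault contents, the hostnames, and the `credentials_for` function are constructed for illustration; the rule itself, match on scheme, host, and port exactly, is what rejects lookalike domains, subdomain tricks, homoglyph hostnames, and HTTPS-to-HTTP downgrades.

```python
from urllib.parse import urlsplit

# Constructed vault: a credential is keyed by the exact origin (scheme, host, port) of the
# page it was saved on. Real password managers key on the origin or the registrable domain;
# exact origin is the stricter of the two and is what this example enforces.
VAULT = {
    "https://login.example.com": {"username": "alice", "password": "correct horse battery staple"},
}


def origin_of(url):
    """Canonical origin of a URL, or None if it is not an http(s) URL with a host."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")  # urlsplit already lower-cases the hostname
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def credentials_for(url):
    """Autofill decision: return the saved credential only when the origin matches exactly."""
    origin = origin_of(url)
    return VAULT.get(origin) if origin else None


if __name__ == "__main__":
    for candidate in (
        "https://login.example.com/session?next=/home",   # genuine page: filled
        "http://login.example.com/",                      # downgraded scheme: refused
        "https://login.example.com.evil.test/",           # real name as a subdomain: refused
        "https://login.ex\u0430mple.com/",                # Cyrillic "a" homoglyph: refused
    ):
        print(candidate, "->", "fill" if credentials_for(candidate) else "refuse")
```

The Cyrillic case is the one a human eye cannot catch: the two hostnames render identically, but they are different strings and therefore different origins, so the manager stays silent and the silence is the warning.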
How to Identify Most Types of Social Engineering Attacks
The one predictable thing about social engineering attacks is that they all follow a similar pattern. This means that once you start to recognize the warning signs, you can quickly tell if someone is trying to scam you online.
So what should you look for if you think you’ve been targeted by an attack?
Carefully check emails including names, addresses, and copy
If you receive a suspicious email, check for spelling and grammar mistakes. Their absence proves nothing, though: well-crafted phishing emails are often flawless.
Does the email address look similar to one in your contact list, but just slightly off? For instance, "vVVong@example.com" reads as "vwong" at a glance, but it is a different address. A familiar name at an unfamiliar domain is the same kind of red flag.
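The "slightly off" check above is mechanical enough to automate. The following is an added example (not code from this page) of a sender-address lookalike detector: it reduces an address to what the eye sees, folding digits, doubled letters like "vv", and Cyrillic homoglyphs into their Latin lookalikes, and then compares that skeleton against the contact list. The contact list, the confusable tables, and the `classify_sender` function are constructed for illustration, and the contact "vwong@example.com" is assumed to be the real address that "vVVong@example.com" imitates.

```python
import difflib
import unicodedata

# Single characters that pass for a Latin letter at a glance: digits, punctuation and
# Cyrillic homoglyphs. Keys must be single characters for str.maketrans.
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i",
})
# Character pairs that merge visually into one letter.
CONFUSABLE_PAIRS = {"vv": "w", "rn": "m", "cl": "d"}

# Constructed address book for the example.
CONTACTS = ["vwong@example.com", "ceo@example.com"]


def skeleton(address):
    """Collapse an address to the Latin string a reader perceives."""
    s = address.strip().lower().translate(CONFUSABLE_CHARS)
    # Drop accents (NFKD splits base letter and combining mark; the mark is non-ASCII).
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    for pair, letter in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, letter)
    return s


def classify_sender(sender, contacts=CONTACTS, threshold=0.9):
    """Return ("known", contact), ("lookalike", contact) or ("unknown", None)."""
    addr = sender.strip().lower()
    known = {c.strip().lower() for c in contacts}
    if addr in known:
        return "known", addr
    sk = skeleton(addr)
    best = None
    for contact in known:
        csk = skeleton(contact)
        if sk == csk:                                   # identical once confusables are folded
            return "lookalike", contact
        if sk.split("@")[0] == csk.split("@")[0]:       # same name, different domain
            return "lookalike", contact
        score = difflib.SequenceMatcher(None, sk, csk).ratio()  # one-letter domain typos
        if score >= threshold and (best is None or score > best[0]):
            best = (score, contact)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    for s in ("vwong@example.com", "vVVong@example.com", "vwong@examp1e.com",
              "ceo@ex\u0430mple.com", "vwong@example.co", "newsletter@vendor.test"):
        print(f"{s:28} {classify_sender(s)}")
```

Mail clients and secure email gateways apply the same idea under names like "display name impersonation" or "lookalike domain" protection; the point of the skeleton step is that the comparison happens on what a human would perceive, not on the raw bytes.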
Recognize common phishing email subject lines
Most phishing emails use an enticing or emotionally charged subject line to hook their victims.
Some of the most effective subject lines to watch out for include:
- Notice: Your online account was accessed
- IRS Tax Transcript
- Celebrate Mom this Sunday with an exquisite $29.96 bouquet
- Service cancellation [date]
- SHIPPING DOCUMENT / TRACKING CONFIRMATION
- Confirmation for your delivery
- FBI letter of notification [code 210]
- Incoming fax
- Notice of payment
- Treat as urgent and get back to me
- Re: Your installation
- Your phone number
Be wary of emails from senders you don't know, and never click links, open attachments, or reply to messages in your spam folder.
Slow down, and assess any emotions that the message generates
Social engineering attacks prey on human instincts such as trust, excitement, fear, greed, and curiosity.
If you have a strong reaction to an email or online offer, take a minute to check in with your better judgment before proceeding.
Credible representatives will never make you feel threatened or demeaned, nor will they pressure you to act quickly. And if an offer is too good to be true, look for the catch.
Verify the identity of anyone who you don’t know personally
If you're contacted by someone you suspect is an impersonator over the phone, or you suspect a colleague's email account has been hacked, act on your suspicions.
Reputable agents will never ask for your password, PIN, or one-time codes over the phone or via email. Hang up or stop replying, then contact the bank or institution directly using a phone number or website you look up yourself (not one supplied in the message) to confirm whether the contact was legitimate.
Never pay a ransom, and report ransomware to the FBI
If you pay hackers to recover your files or stolen data, they’ll continue to use these attacks as a viable source of revenue.
If you believe you’re a victim of ransomware, you should:
- Contact your local FBI field office to request assistance, or submit a tip online.
- File a report with the FBI’s Internet Crime Complaint Center (IC3).
Who Are the Main Targets of Social Engineering Attacks?
The goal of every social engineering attack is to gain access to sensitive information such as bank accounts, company data, or Social Security numbers. The more access someone has to what criminals want, the more attractive that target becomes.
Victims of social engineering attacks are most often:
- High-worth individuals, high-profile employees, and high-level leaders. Criminals target people with high levels of access. That’s why CEO fraud is now a $12 billion scam [*]. It’s always a good idea to set up fraud monitoring to alert you if anyone has gained access to your personal financial accounts.
- Popular online personalities. People who share more personal information online are more likely to be targets. If your spouse has 50k Instagram followers, or your child is a top video game streamer, they could be targets.
- Younger generations and employees who are uninformed about cybersecurity threats. One study revealed that 45% of millennial employees don’t know what phishing is, even though it’s the #1 type of social engineering attack. To make matters worse, only 27% of companies provide social engineering awareness training [*].
These groups aren’t the only people who are targeted by scammers. The truth is that anyone can become the victim of a social engineering attack.
How to Protect Yourself From Social Engineering Attacks
Follow these tips to secure yourself and your family from social engineering attacks:
- Shrink your online footprint. The less you share online and on social media, the harder it is for hackers to target you. Avoid posting personal information. Even things like real-time vacation pictures or your child’s school name can be used against you.
- Install antivirus software. Ransomware, malware, and spyware exist at unprecedented levels today. Don’t let these harmful applications wreak havoc on your privacy. Try an antivirus solution like Aura to keep your devices protected.
- Regularly check your credit report and bank statements. Scammers are almost always after your financial accounts. Check for the warning signs of identity theft — such as strange charges on your bank statement or accounts you don’t recognize. An identity theft protection service like Aura can monitor your credit and statements for you and alert you to any signs of fraud.
- Use a VPN on public or untrusted networks. Aura's VPN encrypts the traffic you send and hides your IP address from the sites you visit. A VPN does not stop phishing or social engineering, so treat it as one layer, not a cure.
- Always use two- or multi-factor authentication (2FA/MFA). This is a second layer of security on all your accounts. So if a hacker tricks you into sending your password, they still need a code that only you have to gain access to your accounts. For the best security, use an authenticator app instead of 2FA over SMS. Be aware that a phishing site can relay a one-time code to the real site within seconds, so codes are not a complete defense; hardware security keys and passkeys, which are bound to the real site's domain, are the phishing-resistant option.
- Monitor the Dark Web for your exposed data. Hackers will often sell your personal data on the Dark Web.
- Consider signing up for identity theft protection. Aura’s top-rated identity theft protection monitors all of your most sensitive personal information, online accounts, and finances for signs of fraud. If a scammer tries to access your accounts or finances, Aura can help you take action before it’s too late. Try Aura’s 14-day free trial for immediate protection while you’re most vulnerable.
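The MFA tip above says a code from an authenticator app is one "that only you have." The following added example (not code from this page or from Aura) shows what that code actually is: a function of a shared secret and the current 30-second window, per RFC 4226 (HOTP) and RFC 6238 (TOTP). It also shows why relaying works: a code captured by a phishing page is still valid if the attacker submits it to the real site within the same window, but not minutes later. The `relayed_code_accepted` helper and the attacker timing are constructed for illustration; the secret is the public test vector from the RFCs.

```python
import hashlib
import hmac
import struct
from base64 import b32decode

# Public test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), not a real key.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(key):
    """Authenticator apps are provisioned (usually via QR code) with the secret in base32."""
    key = key.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)  # restore the padding that provisioning URIs omit
    return b32decode(key)


def verify_totp(secret, submitted, unix_time, step=30, window=1):
    """Server side: accept the current step and +/- `window` neighbours to tolerate clock drift."""
    for skew in range(-window, window + 1):
        expected = totp(secret, unix_time + skew * step, step)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


def relayed_code_accepted(secret, captured_at, replayed_at):
    """Adversary-in-the-middle (constructed scenario): a phishing page captures the victim's
    code at `captured_at` and submits it to the real site at `replayed_at`."""
    stolen = totp(secret, captured_at)
    return verify_totp(secret, stolen, replayed_at)


if __name__ == "__main__":
    print("code at t=59:", totp(RFC_SECRET, 59))                     # 287082 per RFC 6238
    print("relayed 6 s later accepted:", relayed_code_accepted(RFC_SECRET, 59, 65))
    print("relayed 141 s later accepted:", relayed_code_accepted(RFC_SECRET, 59, 200))
```

The code is nothing more than the secret and the clock, so whoever sees it in the validity window can use it; that is the gap FIDO2 security keys and passkeys close, by signing a challenge that includes the site's real origin, which a lookalike domain cannot reproduce.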
How to Protect Your Business From Social Engineering Attacks
Social engineering attacks don’t just come for your personal information. Most of the time, they target your business or employer in order to steal sensitive information and data.
Here are a few final tips to keep your team and company safe from social engineering attacks:
- Create a positive security culture. Only 3% of victims report malicious emails to management, and by the time they do, serious damage has often already been done [*]. Encourage victims to report potential cybersecurity incidents without fear of repercussions. You want matters handled as soon as possible, before they get worse.
- Commit to ongoing security awareness training. Over 60% of IT professionals say new hires are the most susceptible to socially engineered attacks [*]. So make security awareness training mandatory during onboarding.
- Regularly test your team. Research outside services that run simulated phishing and social engineering campaigns, or organize the tests yourself, to see which employees take the bait. The goal isn't to embarrass team members but to show them how easy it is to become a victim.
- Keep your site, app, and hardware updated. When hackers find a vulnerability in a web application, they can plant malware on it and infect its visitors in what's known as a watering hole attack, so patching protects both your users and your own staff. Also keep your anti-malware tools, email spam filters, and firewalls current.
- Set up data monitoring. Log access to sensitive files and review when they're accessed, downloaded, and shared. Look for unusual behavior, like an employee downloading sensitive information after hours or in bulk.
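As an added example of the data-monitoring tip (not code from this page or from Aura), here is the detection logic a security team would run over a file-server audit log to surface the two behaviours mentioned: sensitive downloads outside business hours and bulk downloads by one user in a day. The log format, the sample lines, the sensitive path prefixes, and the thresholds are all constructed for illustration; a real deployment would read them from the file server's audit trail and tune the thresholds to the organisation.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit log: ISO timestamp, user, action, path, bytes transferred.
LOG_LINES = """\
2023-03-06T09:12:04 alice DOWNLOAD /finance/Q1-forecast.xlsx 84211
2023-03-06T14:47:19 bob VIEW /hr/handbook.pdf 0
2023-03-06T23:41:55 bob DOWNLOAD /hr/payroll-2023.xlsx 512774
2023-03-06T23:42:10 bob DOWNLOAD /hr/ssn-list.csv 30188
2023-03-06T23:43:02 bob DOWNLOAD /clients/master-client-database.csv 9120033
2023-03-07T10:05:31 carol DOWNLOAD /marketing/logo.png 40212
""".strip().splitlines()

SENSITIVE_PREFIXES = ("/hr/", "/finance/", "/clients/")  # assumed classification
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59, assumed local time
BULK_THRESHOLD = 3              # sensitive downloads per user per day that trigger an alert


def parse(line):
    ts, user, action, path, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "bytes": int(size)}


def find_anomalies(lines):
    """Return (rule, user, detail) tuples for after-hours and bulk sensitive downloads."""
    alerts = []
    per_user_day = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e["action"] != "DOWNLOAD" or not e["path"].startswith(SENSITIVE_PREFIXES):
            continue  # viewing, or non-sensitive content, is out of scope for these rules
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("after_hours", e["user"], f"{e['path']} at {e['ts'].isoformat()}"))
        per_user_day[(e["user"], e["ts"].date())].append(e["path"])
    for (user, day), paths in per_user_day.items():
        if len(paths) >= BULK_THRESHOLD:
            alerts.append(("bulk_download", user, f"{len(paths)} sensitive files on {day}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(LOG_LINES):
        print(f"[{rule}] {user}: {detail}")
```

Two rules firing on the same user within minutes is the pattern worth paging on; either alone is noisy, and a real pipeline would also compare each user's volume against their own baseline rather than a fixed threshold.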
The Bottom Line: Human Hacking Can Be Avoided
Most Americans are aware of large-scale social engineering attacks. Yet they have trouble picturing how those same attacks could ruin their own reputations, families, and businesses.
Anyone can become a victim of cleverly-designed social engineering techniques. And simple human error has the potential to pack a devastating punch.
Learning how to spot all types of social engineering attacks is the first step. For added protection, consider an identity theft and device protection tool like Aura.
With Aura, you get military-grade encryption, Wi-Fi and network security, malware and phishing alerts, and a full suite of fraud detection and identity theft protection.