In this article:
In this article:
Hackers use social engineering attacks to manipulate you into giving them what they want — passwords, data, and money. Here’s how to protect yourself.
In this article:
In this article:
No matter how strong your password or security setup is, hackers and scammers know there’s one vulnerability they can always exploit: You.
Social engineering attacks use the “human loophole” to get around cybersecurity roadblocks. Instead of hacking your accounts to steal your identity, they hack you by using phishing attacks, imposter frauds, and other scams.
Cybercriminals used social engineering techniques in 20% of all data breaches last year [*].
So how do you protect yourself, your family, and your business from these ever-evolving types of social engineering attacks? Your best defense is to stay informed.
In this guide, we’ll teach you what social engineering is, how to identify red flags of social engineering attacks, and what to do to keep yourself safe.
{[show-toc}}
Social engineering is the act of “human hacking” to commit fraud and identity theft.
Hackers use deceptive psychological manipulation to instill fear, excitement, or urgency. Once you're in a heightened emotional state, they'll use that against you to cloud your better judgment.
It only takes one human error to become a victim of a socially engineered attack. And this vulnerability is the reason why criminals are using social engineering techniques more often.
Social engineering attacks are relatively straight-forward. All a hacker needs to do is convince one under-informed, stressed, or trusting person to do what they say.
And the results are worth it.
In one of the highest-profile social engineering attacks of all time, hackers tricked Twitter employees into giving them access to internal tools [*]. The hackers then hijacked the accounts of people like Joe Biden, Elon Musk, and Kanye West to try and get their many followers to send Bitcoin to the hackers.
These attacks are incredibly easy to pull off, and they all follow a similar pattern.
The four phases of a social engineering attack are:
Scammers start by identifying targets who have what they’re seeking. This usually includes credentials, data, unauthorized access, money, confidential information, etc.
Then they scope out potential victims online. For example, they will look at your online footprint, see where you work, take note of what you share on social media, and so on.
Once they know who you are, the hackers use this information to craft the perfect personalized attack. And because the attacker knows so much about you, you’ll be more likely to lower your guard.
As scammers learn more about their victims, they’ll look for potential entry points. These could include your email address, phone number, and social media account — any avenue by which they can get in touch and open the door for an attack.
Then, they reach out with a “hook” to get you interested.
For example, let’s say you just earned a new job title and posted it on LinkedIn. A scammer could easily spoof an email from a well-known industry website and ask you for an interview. It seems harmless and normal, so why wouldn’t you respond?
When the hook lures you in, the scammer executes one of several types of social engineering attacks.
For instance, after you click the link to set up an online interview, the scammer secretly installs malware on your device. The next thing you know, your entire corporate network is infected, and the scammer has stolen gigabytes of sensitive data.
Tiny cybersecurity mistakes like this can cost companies huge sums of money. The average cost of a company data breach is a staggering $4.24 million [*].
As soon as criminals complete their mission, they’ll vanish with as little evidence as possible. The average time to detect a cyber attack or data breach is close to 200 days, so you won’t even know what’s happened until they’re long gone.
💡 Related: 20+ Common Examples of Fraud & Scams To Steer Clear Of →
Here are the most common types of social engineering attacks in 2024 and what to watch out for:
Phishing is the most common type of social engineering tactic and has increased more than tenfold in the past three years, according to the FBI [*].
Phishing attacks occur when scammers use any form of communication (usually emails) to “fish” for information. These messages look identical to ones from trusted sources like organizations and people you know.
For example, a scammer might send you an email claiming to be from your bank, stating that your account’s password has been compromised. Because the email looks legitimate and the message feels urgent, you’ll quickly click on the included link or scan the QR code and enter your account information (which then goes straight to the scammer).
There are three main goals of any phishing scam:
Stolen credentials and malware can lead to everything from identity theft to financial fraud, account takeovers, corporate espionage, and more.
Pro tip: Install antivirus software that will warn you about phishing sites and malware.
In the past, you could check to see if a site was secure by looking to see if it used HTTPS (and not HTTP) in its URL. But today, 50% of phishing sites use HTTPS — making malicious links more challenging to spot [*].
Normal phishing attacks have no specific target. But spear phishing attacks occur when hackers target a specific individual or organization.
Nearly 60% of IT decision-makers believe targeted phishing attacks are their top security threat [*].
During 2015, hackers completed a $1 billion heist spanning 40 countries with spear phishing. The scammers sent bank employees phishing emails with an attachment to deploy Carbanak malware. Once clicked, the hackers could control the employees’ workstations and were able to infect ATM servers remotely.
A new take on spear phishing is called angler phishing. This occurs when scammers impersonate customer service accounts on social media with the goal of getting you to send them your login information.
💡 Related: How to Stop Spam Emails (2024 Guide) →
Whaling is a term used to describe phishing attacks that target a specific, high-profile person. Usually, an executive, government official, or celebrity.
The victims of whaling attacks are considered “big fish” to cybercriminals. These targets offer great potential to scammers with either large financial payouts or access to valuable data.
In the case of hacked celebrities, scammers hope to find compromising photos that they can use to extort exorbitant ransoms.
In another example, hackers send spoof emails to C-level employees that appear to come from within the victim’s organization. The sender claims to know confidential information about a coworker — but is afraid to report the situation in person.
Instead, they’ll share their evidence as a spreadsheet, PDF, or slide deck.
But when victims click the link, they’re taken to a malicious website. And if they try to open the attachment, malware infects their system and spreads to their network.
Phishing isn’t always limited to emails and fraudulent websites.
Smishing is the term used to describe phishing via the use of SMS text messages. Scammers purchase spoofed phone numbers and blast out messages containing malicious links.
There’s also vishing, which is the same as phishing but done over the phone.
Vishing is especially widespread in businesses. Scammers will contact a company’s front desk, customer service, HR, or IT and claim to need personal information about an employee. Lies range from mortgage lenders trying to “verify” email addresses to executive assistants requesting password changes on their boss’s behalf.
All these forms of phishing can lead to identity theft, malware, and financial devastation.
💡 Related: What is Vishing? How to Identify Phone Scams (15 Real Examples) →
Baiting is a type of social engineering attack in which scammers lure victims into providing sensitive information by promising them something valuable in return.
For example, scammers will create pop-up ads that offer free games, music, or movie downloads. If you click on the link, your device will be infected with malware.
Baiting scams also exist in the physical world.
One common example is a strategically placed USB stick with an enticing label like “Payroll Q3” or “Master client database.”
A curious employee will pick up the drive and insert it into their workstation, which then infects their entire network.
Piggybacking and tailgating both refer to a type of attack in which an authorized person allows an unauthorized person access to a restricted area.
This form of social engineering may happen at your place of work if you let someone follow you into the building. Or, it could happen at your apartment building as you’re leaving for the day.
Scammers may be dressed as delivery drivers, say they forgot their IDs, or pretend that they’re “new.” Once inside, they can spy on people, access workstations, check the names on mailboxes, and more.
Tailgating also includes giving unauthorized users (like a coworker or child) access to your company devices. They may put your device at risk and spread malicious code throughout the rest of your company.
Pretexting occurs when someone creates a fake persona or misuses their actual role. It’s what most often happens with data breaches from the inside.
Edward Snowden infamously told his coworkers that he needed their passwords as their system administrator. Victims, respecting his title, willingly complied without giving it a second thought [*].
These scammers establish trust using their title, then convince victims to give them sensitive data. They know people will be hesitant to question them or be too scared to push back on these impersonators, even if something seems off.
The FBI received close to 20,000 complaints of business email compromise (BEC) in 2021, with companies losing over $2.4 billion [*].
There are three main types of BEC social engineering attacks:
BEC attacks usually go unnoticed by cybersecurity teams, so they require specific awareness training to be prevented.
Quid pro quo translates to “a favor for a favor.”
The most common version of a quid pro quo attack occurs when scammers pretend to be from an IT department or other technical service provider.
They’ll call or message you with an offer to speed up your internet, extend a free trial, or even give you free gift cards in return for trying out software.
The only thing that victims need to do is create a free account or give out/verify their login credentials. When scammers receive this sensitive information, they’ll use it against the victim or sell it on the Dark Web.
Honeytraps are a type of romance scam in which scammers create fake online dating and social media profiles using attractive stolen photos. For example, in a military romance scam, the fraudster will pose as an active service member stationed far away and unable to meet in person.
Once they identify a target, they’ll start sending flirty and provocative messages, and quickly tell their victims they’re in love with them. But, they need the victims to prove they feel the same way by sending gifts, cash, or cryptocurrency.
Honeytraps are especially rampant on social media sites like Snapchat. Make sure you're always staying safe and are aware of the dangers of online dating.
Scareware — also known as fraudware, deception software, and rogue scanner software — frightens victims into believing they’re under imminent threat. For example, you could receive a message saying that your device has been infected with a virus.
Scareware often appears as pop-ups in your browser. It can also appear in spam emails.
Victims are supposed to click on a button to either remove the virus or download software that will uninstall the malicious code. But doing so is what causes the actual malicious software to get in.
💡 Related: The 15 Types of Hackers to Be Aware Of →
A watering hole attack occurs when hackers infect a site that they know you regularly visit.
When you visit the site, you automatically download malware (known as a drive-by-download). Or, you'll be taken to a fake version of the site that is designed to steal your credentials.
For example, scammers could divert you away from a normal login page to one designed to steal your account name and password. It will look exactly the same. But anything you enter will go straight to the scammer.
This is where having a password manager becomes so important. Even if a phishing site looks exactly like the real one, a password manager won’t automatically enter your credentials.
The one predictable thing about social engineering attacks is that they all follow a similar pattern. This means that once you start to recognize the warning signs, you can quickly tell if someone is trying to scam you online.
So what should you look for if you think you’ve been targeted by an attack?
If you receive a suspicious email, check for spelling and grammar mistakes.
Does the email address look similar to one in your contact list, but just slightly off? For instance, “vwong@example.com” isn’t the same as, “vVVong@example.com.”
💡 Related: The 10 Worst Walmart Scams & Fraudulent Schemes of 2024 →
Every phishing email uses an enticing and emotionally charged subject line to hook its victims.
Some of the most effective subject lines to watch out for include:
Never open emails from senders you don’t know. And don’t ever open emails in your spam folder either.
Social engineering attacks prey on human instincts such as trust, excitement, fear, greed, and curiosity.
If you have a strong reaction to an email or online offer, take a minute to check in with your better judgment before proceeding.
Credible representatives will never make you feel threatened or demeaned, nor will they pressure you to act quickly. And if an offer is too good to be true, look for the catch.
If you’re contacted by an impersonator over the phone or suspect your colleague’s email account has been hacked, it’s best to act on your suspicions.
Reputable agents will never ask for your sensitive information over the phone or via email. They’ll verify your identity using a security question that you preselected. You can directly contact the bank or institution they are impersonating to confirm whether the contact was legitimate.
If you pay hackers to recover your files or stolen data, they’ll continue to use these attacks as a viable source of revenue.
If you believe you’re a victim of ransomware, you should:
If your identity has been stolen, you may need to file a police report for identity theft and contact the FTC at IdentityTheft.gov too.
Were you the victim of fraud? Follow our fraud victim's checklist for step-by-step instructions on how to recover from fraud.
💡 Related: How To Protect Against Ransomware (10 Prevention Tips) →
The goal of every social engineering attack is to gain access to sensitive information such as bank accounts, company data, or Social Security numbers. The more access someone has to what criminals want, the more attractive that target becomes.
Victims of social engineering attacks are most often:
These groups aren’t the only people who are targeted by scammers. The truth is that anyone can become the victim of a social engineering attack.
💡 Related: The 10 Biggest Instagram Scams Happening Right Now →
Most social engineering attacks rely on simple human error. So make sure you’re always following the latest fraud prevention tips and are aware of emerging cyber threats.
Then, follow these tips to secure yourself and your family from social engineering attacks:
💡 Related: How To Spot a Bank Impersonation Scam (Texts, Emails, and Phone Calls) →
Social engineering attacks don’t just come for your personal information. Most of the time, they target your business or employer in order to steal sensitive information and data.
Here are a few final tips to keep your team and company safe from social engineering attacks:
Most Americans are aware of large-scale social engineering attacks. Yet they have trouble picturing how those same attacks could ruin their own reputations, families, and businesses.
Anyone can become a victim of cleverly-designed social engineering techniques. And simple human error has the potential to pack a devastating punch.
Learning how to spot all types of social engineering attacks is the first step. For added protection, consider an identity theft and device protection tool like Aura.
With Aura, you get military-grade encryption, Wi-Fi and network security, malware and phishing alerts, and a full suite of fraud detection and identity theft protection.
Editorial note: Our articles provide educational information for you to increase awareness about digital safety. Aura’s services may not provide the exact features we write about, nor may cover or protect against every type of crime, fraud, or threat discussed in our articles. Please review our Terms during enrollment or setup for more information. Remember that no one can prevent all identity theft or cybercrime.