The 13 Most Common Types of Social Engineering Attacks + How to Defend Against Them
The average organization is targeted by 700+ social engineering attacks each year. That’s nearly three attacks every single day. And with 98% of all successful cyberattacks involving some form of social engineering, it’s essential for organizations to understand the most pervasive attack methods.
What is social engineering exactly, and why does it pose such a significant threat to organizations today? In this article, we’ll discuss 13 common types of social engineering attacks, explain how they work, provide real-life examples, and share best practices for preventing them.
1. Phishing
Phishing is one of the most common social engineering techniques. With phishing scams, attackers send emails that appear to be from reputable sources to trick individuals into revealing sensitive information like passwords and credit card numbers.
These emails often inspire a sense of urgency, prompting the victim to click on a malicious link. This link leads them to a fake website where they are asked to enter personal data such as login credentials, account information, social security numbers, or other confidential information.
In 2013, Target Corporation fell victim to a phishing attack where attackers initially gained access to their network through a phishing email sent to an HVAC company that had connections with Target. This led to a data breach that compromised the credit card information of over 40 million customers.
Target isn’t the only organization to suffer a cyberattack in this way: a 2022 study conducted by Ponemon Institute revealed 54% of organizations experienced a data breach caused by one of their third-party vendors in the previous 12 months.
2. Clone phishing
Clone phishing is a special type of phishing attack where a legitimate email is used to create an almost identical or "cloned" email but with some critical changes.
Here is how clone phishing campaigns typically work:
- Email selection: The attacker selects a legitimate email that was sent to the intended victim. This email could be anything from a routine company announcement to an invoice or an account notification.
- Creating the clone: The attacker makes a copy or "clone" of the email, reproducing it as closely as possible to the original.
- Altering the content: The attacker alters some elements of the cloned email. This usually involves changing the links or attachments within the email to malicious ones. For example, where the original email might have contained a link to an online invoice, the clone could contain a link to a malicious website designed to harvest login credentials.
- Resending the email: The attacker sends the cloned email to the original recipients but makes it appear as if it's coming from the same sender as the original email. This might be accompanied by a pretext such as an updated link, a corrected version of the attachment, or any excuse that seems plausible.
- Victim's response: If recipients of the cloned email believe it's a legitimate follow-up to the previous email, they might click on the link or download the attachment without suspicion. This can lead to the compromise of sensitive data or malware infection.
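The verification step that defeats the procedure above is to check whether a "follow-up" really leads where the original did. The script below is an added example, not code from the original article: it diffs the links in a suspected clone against the legitimate original it claims to update, flagging any href whose domain did not appear in the original and any visible link text that names a different domain than the one it points to. Both sample messages are constructed, and the two-label "registrable domain" heuristic is a simplification (no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable_domain(host):
    """Last two labels of a hostname (crude: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def compare_emails(original_html, followup_html):
    """Return findings; an empty list means the follow-up's links match the original."""
    findings = []
    orig_domains = {registrable_domain(urlparse(h).hostname or "") for h, _ in extract_links(original_html)}
    for href, text in extract_links(followup_html):
        host = urlparse(href).hostname or ""
        dom = registrable_domain(host)
        if dom and dom not in orig_domains:
            findings.append(f"link domain changed: {dom} not in original {sorted(orig_domains)}")
        # Visible text that looks like a domain but resolves elsewhere is the classic swap.
        shown = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if dom and shown and registrable_domain(shown.group(1)) != dom:
            findings.append(f"display/target mismatch: shows {shown.group(1)}, goes to {host}")
    return findings


# Constructed sample messages (not real mail): the "clone" keeps the wording and the
# visible link text but swaps the href to a look-alike domain.
ORIGINAL = '<p>Your invoice is ready: <a href="https://billing.example.com/inv/123">billing.example.com/inv/123</a></p>'
CLONE = ('<p>Your invoice is ready (updated link): '
         '<a href="https://billing.example-com.co/inv/123">billing.example.com/inv/123</a></p>')

if __name__ == "__main__":
    for finding in compare_emails(ORIGINAL, CLONE):
        print(finding)
```

A gateway or mailbox rule can apply the same comparison to any message whose subject matches a recent thread; an empty result is not proof of legitimacy, since a clone may also swap an attachment rather than a link.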
Clone phishing is particularly effective because it uses the trust established by the original, legitimate email to bypass the victim's defenses. It's always important to verify the authenticity of email communications, especially those containing links or attachments, even if they appear to come from a known source. It’s advisable to contact the person or company directly to confirm the legitimacy of the email, especially if the email seems unexpected or slightly different from the usual communication style.
If you successfully spot a phishing email, it can be tempting to respond to the scam attempt and tell them off — but this isn’t a good idea. For one, replying to a phishing email verifies that your email address is active, which can make you a high priority for follow-up attacks, or for your email address to be sold to other attackers. Your reply can also give cybercriminals access to additional information such as location data or your company’s email signature, which can include phone numbers, addresses, and other information they can use to create more convincing phishing campaigns — or potentially snare your co-workers or LinkedIn contacts.
3. Pretexting
Pretexting involves an attacker creating a fabricated scenario to obtain information from a target. They often impersonate someone in a position of authority or someone with a legitimate reason for needing the information.
The attacker builds a story that convinces the victim to divulge sensitive information or perform an action that compromises security.
Pretexting as a tactic is used in a variety of social engineering attacks, particularly phishing, whaling, and business email compromise. But cybercriminals can also use pretexting on its own to steal valuable information from their victims.
In 2016, a hacker gained access to data for thousands of employees at the Justice Department and Department of Homeland Security, including email addresses and phone numbers, by impersonating a government employee. They later published the information online.
In 2017, MacEwan University sent nearly $9 million to someone posing as a contractor with a construction company working on a new building project. A supporting letter attached to the email appeared to have been signed by the actual construction company’s chief financial officer, and the university wired the money to the bank account specified in the email. The scam wasn’t discovered until the real construction company reached out to inquire about the outstanding balance.
The school eventually recovered more than 90% of the lost funds, but only after lengthy legal proceedings and a lot of media attention. They’ve since instituted new processes and security awareness training for all employees.
Last year, the FBI warned healthcare organizations against schemes to extort money or steal personally identifiable information (PII) using pretexting. Scammers spoof authentic phone numbers or use fake credentials to masquerade as agency officials. They then notify targets that they were subpoenaed to provide expert witness testimony in a criminal or civil case, failed to appear, and have been held in contempt of court and issued a fine. Failure to pay the fine would result in an arrest warrant, with scammers using aggressive tactics to pressure targets into paying immediately via wire transfer, cash by mail, or cryptocurrency.
4. Baiting
Baiting is similar to phishing but involves the promise of a specific item that the attacker uses as bait. This could be free software, gift cards, movie or music downloads, or anything else that seems appealing to the target. The attacker uses this bait to entice the victim into downloading malicious software or revealing login credentials.
USB drops are a classic example of baiting. The US Department of Homeland Security once ran a test on government employees to see how easy it would be for hackers to install malware or gain access to computer systems. USB drives were dropped in parking lots of government agencies and private contractors — and 60% of the people who picked them up plugged them into their devices. If the drive had an official logo on it, 90% were plugged in.
5. Quid pro quo
With quid pro quo attacks, threat actors prey on the law of psychological reciprocity — when someone helps us out, we want to return the favor.
Often, quid pro quo attacks happen when cybercriminals pose as IT or tech support. They may offer to install anti-virus software or resolve an issue with a computer system in exchange for sensitive information like login credentials. Once they gain access, they install malware or steal other sensitive data.
In one case, a threat actor impersonated Apple tech support to trick celebrities, musicians, and professional athletes into revealing sensitive information. Posing as Apple tech support, the cybercriminal asked victims for usernames and passwords or the answers to security questions. With this information, they could access the victim’s full Apple profile, including payment card and billing details. They could then change passwords, contact emails, and security questions. The scammer spent thousands of dollars on personal expenses charged to his victims’ accounts.
6. Business email compromise & CEO fraud
Business Email Compromise (BEC) is when an attacker gains access to a corporate email account and impersonates the owner to defraud the company or its employees, customers, or partners. They usually focus on employees who have access to company finances and trick them into conducting money transfers to bank accounts thought to be trusted.
CEO fraud is a specific type of BEC scam where attackers impersonate a CEO or another high-ranking managerial official. The attacker leverages the authority of the CEO to pressure an employee into conducting unauthorized transactions or sending sensitive data.
Snapchat fell victim to a BEC scheme in 2016 when scammers impersonated CEO Evan Spiegel. The company’s payroll department responded to an email appearing to come from Spiegel with sensitive payroll data — while the company didn’t publicly disclose exactly what information was shared, it could have included salary details, social security numbers, bank accounts, addresses, emails, and other personally identifiable information on its current and former employees.
7. Deepfakes
Deepfaking involves using AI technologies to create realistic images, videos, or audio to manipulate or deceive. Attackers can create audio and video that look authentic, showing individuals saying or doing things they never actually said or did.
In early 2020, the AI-created voice of a bank director was used to trick a bank manager into transferring millions of dollars to threat actors. The manager received a phone call from someone who sounded exactly like the director of his parent business, informing him that the company was about to make an acquisition. The manager was instructed to authorize a $35 million transfer — there were even emails in the manager’s inbox from the director and a lawyer confirming where the money needed to be transferred. Believing the instructions to be legitimate, the manager initiated the transfer.
Investigators in the UAE believe the elaborate scheme involved at least 17 individuals, with the stolen money sent to multiple bank accounts all over the globe.
As the cost of producing convincing deepfakes decreases, the FBI and Department of Homeland Security predict deepfake threats will become increasingly difficult to identify and protect against. While legislation is beginning to address the threat of deepfake videos, cybersecurity measures such as detection algorithms are also being developed to counter it.
8. Tailgating
Tailgating, also known as piggybacking, involves an unauthorized person physically following an authorized person into a restricted area.
The attacker may strike up a conversation or carry something to manipulate the authorized person into holding the door open for them.
While tailgating and piggybacking attacks typically refer to unauthorized physical access, in one interesting case a tech worker admitted to piggybacking off a hacker’s extortion attempt.
A UK company was hit by a ransomware attack in February 2018, during which the attacker demanded a $370,000 bitcoin payment. A member of the company’s incident response team saw an opportunity to launch a secondary attack — by altering the original ransomware email to swap out the cryptocurrency wallet address provided by the original attacker with his own. The employee also spoofed the attacker’s email address and began emailing the organization to pressure them into paying the ransom. He was later caught when authorities successfully tracked his IP address.
9. Spear phishing & whaling
Spear phishing is a more targeted form of phishing: the attacker customizes deceptive messages for a specific individual or organization.
The emails appear more legitimate and are often meticulously crafted to appeal to the victim.
In 2014, attackers backed by North Korea launched a spear phishing attack against Sony Pictures to halt the release of the film The Interview. The attack resulted in the leak of sensitive data, including unreleased films.
In 2016, the US Democratic Party famously fell victim to a spear phishing attack that exposed sensitive information about the Clinton presidential campaign. Hackers created a fake email that prompted recipients to change their passwords due to unusual activity, then used the new credentials to access sensitive information.
Whaling targets high-profile individuals, such as executives, celebrities, or politicians. The tactics are similar to spear phishing but on a grander scale.
In 2008, a widespread whaling scheme snared as many as 2,000 corporate executives with a series of emails masquerading as official subpoenas. The email correctly addressed CEOs and other top executives by their full names and included details such as phone numbers, company names, and titles. Recipients were instructed to click on a link to a detailed copy of the subpoena and were then directed to install a browser add-on to read the document. Accepting the add-on actually installed a backdoor and keylogging software, allowing the scammers to steal credentials and other sensitive information.
10. Smishing & vishing
Smishing (SMS phishing) uses text messages, while vishing (voice phishing) uses phone calls to scam the victim. These attacks are designed to steal sensitive data or money by posing as a legitimate entity.
In July 2020, Twitter famously suffered a hack of 130 blue-check verified accounts belonging to some of the world’s most famous people, including politicians like Barack Obama and Joe Biden, celebrities and entrepreneurs like Bill Gates and Elon Musk, and global brands like Apple.
Hackers downloaded users’ Twitter data, accessed DMs, and published tweets promising to double donations to a bitcoin wallet. Within minutes, the scammers had received over $100,000 in bitcoin from hundreds of transactions.
Twitter explained the incident was the result of a vishing attack where Twitter employees were tricked into sharing account credentials that allowed the scammers access to the verified accounts. Twitter’s share price plunged 7% in pre-market trading the following day.
11. Watering hole attacks
In a watering hole attack, the attacker identifies a website or resource their target group frequently uses and infects it with malware to compromise members of the group. For example, if the target group is in the financial sector, the attacker might infect a popular financial news website.
In February 2021, hackers used a watering hole attack to gain access to a water treatment facility in Florida. They remotely changed a setting that drastically raised the amount of sodium hydroxide (lye) in the water to toxic levels. Luckily, an astute operator was able to catch the manipulation as it was happening and restored the levels to their normal range with no damage done.
An investigation into the attack revealed hackers had placed malicious code on an infrastructure contractor’s website. That code functioned as a fingerprinting script, collecting details about the website’s visitors, including operating system, CPU, browser plugins, input methods, camera presence, accelerometer, microphone, time zone, location, and more. When a computer on the water treatment plant’s network visited the contractor’s website, the malicious code allowed the hackers to install Remote Desktop software on one of the plant’s computers that was connected to the control system.
12. Scareware
Scareware tricks individuals into thinking their computer is infected with malware, urging them to install software that is actually malware itself. This is often encountered as pop-up advertisements or warnings while browsing the web.
In one famous example, the "Antivirus XP" scareware tricked users into paying for fake antivirus software by aggressively advertising security alerts on users' computers.
In 2019, Office Depot and Support.com agreed to pay a $35 million settlement after they were accused of using scareware tactics to deceive customers into purchasing unnecessary support and repair services. From 2008 to 2016, Office Depot and OfficeMax offered customers a free “PC Health Check” to scan devices for malware and performance problems. According to the FTC, the real purpose of the health check was to sell diagnostic and repair services that customers didn’t actually need.
The PC checkup program was programmed to report that repairs were necessary if the customer answered “yes” to any one of four questions asked, including whether customers were seeing frequent pop-up ads on their device. Suggested repair services could cost upwards of $300. While Office Depot never admitted any wrongdoing, they agreed to the settlement, which the FTC says was used to refund customers.
13. Ransomware
Ransomware is a type of malicious software, or malware, that encrypts a victim's files. The attacker then demands a ransom in exchange for restoring access to the data. Victims are typically shown instructions for how to pay a fee to obtain the decryption key. The demand can range from a few hundred dollars to many thousands, typically payable to the cybercriminals in bitcoin.
In April 2021, employees of Merseyrail, a UK rail operator, received an email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from national newspapers and tech news outlets were also copied on the emails.
The email explained that the company had been hacked and offered an image of an employee’s personal data as proof. The Lockbit scammers demanded a ransom to release the compromised data. Not only did the scammers steal sensitive data, they also put public pressure on the company to pay the ransom quickly. This tactic is often used to force organizations to rush into a payment, bypassing security protocols like informing relevant authorities and following established procedures.
Arm your team against social engineering attacks with Secureframe Training
Cybersecurity is not simply a technical issue; it's first and foremost a human issue. Even the most advanced security system can be compromised by a simple human error.
It’s crucial for employees to stay updated on the latest scams, threats, and attack techniques. Regular training equips teams with the knowledge they need to recognize and respond appropriately to a variety of cyber threats. Employees who understand the potential consequences of poor cyber hygiene are far less likely to fall victim to attacks and are more likely to take preventative measures seriously.
What’s more, security regulations and standards such as SOC 2®, ISO 27001, HIPAA, GDPR, and PCI DSS require regular security awareness training. These standards recognize that protecting sensitive data requires an informed and vigilant workforce. When employees are equipped with the right knowledge and a security-conscious mindset, they can not only prevent incidents but also respond effectively in case of a security breach.
The Secureframe platform includes proprietary security awareness training, making it easy to assign, track, and report on required employee training. Our engaging training programs are kept up-to-date, so the latest best practices are learned and applied throughout your organization. You can also segment your workforce and assign just the training required for each group or role.