What is a social engineering attack?

In social engineering attacks, victims are manipulated into handing over sensitive information which can be used for malicious purposes.

What is social engineering?

Broadly speaking, social engineering is the practice of manipulating people into giving up sensitive information. Social engineering attacks can happen in person, such as a burglar who dresses up as a delivery truck driver to get buzzed into a building. This article will instead focus on social engineering cyber attacks. In most cases these attacks aim to get the victim to divulge either login credentials or sensitive financial information.

Social engineering attacks can look like:

- An attacker sends an email to a victim that appears to come from someone in the victim’s contact list. The email contains a link that either leads the victim to a malicious site or triggers a [cross-site scripting](/learning/security/threats/cross-site-scripting/) attack.

- An attacker baits users online with links that claim to be downloads of popular movies or software, but these downloads actually contain a malicious payload.

- An attacker contacts a victim claiming to be a wealthy foreigner who needs US bank account information to transfer their fortune, offering to reward the victim handsomely in exchange for their bank account information. In reality, the attacker is out to drain the victim’s accounts.

- An attacker sends a phishing email that directs the victim to a fake login page that steals their password.

In addition to these small, personal social engineering scams, there are more sophisticated social engineering attacks that target entire organizations. One example is the thumb-drive drop. These attacks can reach the networks of well-protected companies, even networks that are not connected to the Internet. Attackers scatter several USB drives around the parking lot of the target company, labeled with something enticing such as ‘confidential’, in the hope that a curious employee will find one and plug it into their computer. These drives can carry very destructive viruses or worms that are hard to detect, because they enter the network from an internal computer rather than through the perimeter defenses.

How do social engineering attacks work?

Social engineering attacks can take place over the phone, over email, via social media posts, and even in person. They use a wide range of tactics, some of which are described below, to get the victim's trust and manipulate them into taking the desired action. The goal is always to get the victim to do something they did not intend to do at first.

Social engineering tactics

  • Impersonating a trusted party: This could be a brand, a coworker, a boss, or even a friend or family member.

  • Baiting: The attacker offers the victim something desirable as bait. The bait could be a free software download (containing malware), the promise of a future monetary payment, or a professional favor.

  • Pretexting: Most social engineering attacks include some form of pretexting, which is when the attacker creates or describes a fake situation and presents the intended victim with a solution. For instance, the attacker might say that the victim is locked out of an important account and needs to hand over their login credentials for the problem to be corrected.

  • Emotional appeal: Scammers try to incite a feeling in their victims to induce them to take action. They may use fear (by describing a negative situation that must be fixed), greed (by offering the victim something), helpfulness (by pretending to be in need of assistance), or other strong feelings in order to manipulate their targets.

  • Scareware: Software designed for social engineering purposes is called scareware. This software typically works by displaying pop-up messages that frighten the victim, such as a message that tells the victim their computer has multiple viruses. The messages also direct the victim to download malware or give up personal information to correct the (fake) problem.

How social engineering attacks fit into larger cyber attack campaigns

Some social engineering attackers simply aim to get what they can from their direct victims. Others, however, use social engineering to reach larger goals, such as compromising an entire business or network and the data contained within. Many ransomware attacks and data breaches start with social engineering. Once the attackers compromise one person, they have an easier time accessing the rest of that person's organization.

What are some famous examples of social engineering attacks?

The 2011 data breach of RSA created a big stir, primarily because RSA is a trusted security company. The breach disrupted RSA’s popular two-factor authentication product, SecurID. While not all details of the attack have been publicly disclosed, it is known that it began with social engineering: a basic phishing attack in which the attackers sent low-level RSA employees emails that appeared to be internal company emails about recruiting. One of these employees opened an attachment in the email, which triggered the intrusion.

The Associated Press fell victim to a social engineering attack in 2013 that led to a $136 billion stock market plummet. Once again the attack was carried out by phishing emails sent to employees. By simply opening a link in the email, one of the employees triggered the attack, which resulted in the AP’s Twitter account being compromised; the attackers then tweeted a fake news story about an explosion at the White House. The fake story circulated quickly and led to a 150-point nosedive of the Dow. A Syrian hacker group known as the Syrian Electronic Army claimed responsibility for the attack but never provided any proof.

The 2013 data breach of Target has become one of the most infamous cyber attacks in history thanks to its level of sophistication. Like the others mentioned here, this attack began with social engineering, but the attackers did not go after anyone working for Target. Instead, they sent emails to employees of a heating-and-air-conditioning vendor that had high-tech air conditioners installed in Target stores. These air conditioners were linked to Target’s in-store computer systems, so once the attackers had compromised the third-party vendor, they were able to move into Target’s networks and collect credit card information from card readers in thousands of stores, exposing the financial data of around 40 million Target customers.

How to protect against social engineering attacks

While automated security features like email screening can help prevent attackers from reaching victims, the best defense against social engineering attacks is common sense combined with up-to-date knowledge of popular social engineering attacks. The United States Computer Emergency Readiness Team (US-CERT) advises citizens to be wary of any suspicious communications and to submit sensitive information over the web only on secure web pages (an HTTPS address, meaning the connection is protected by TLS, is a good indication of website security). US-CERT also recommends not clicking on links sent in emails, and instead typing the URLs of trusted companies directly into the browser. Website owners can do their part by using a service like Cloudflare, which will alert them when attackers are using their domain in phishing attacks.
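As an added illustration of the kind of email screening mentioned above (this is example code written for this article, not code from the original page or from Cloudflare or US-CERT), the script below flags three of the tactics described earlier in a constructed phishing message: a sender domain that impersonates a trusted party with a lookalike spelling, urgent pretext wording, and a link whose visible text shows a trusted domain while its real target is elsewhere. The trusted domain list, the urgency word list and the sample message are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): lookalike sender domain ("rn" for "m"),
# an urgent pretext, and a link whose visible text differs from its real target.
SAMPLE_EMAIL = """From: "IT Helpdesk" <helpdesk@exarnple-corp.test>
Subject: Account locked - verify within 24 hours
Content-Type: text/html

<p>Your account is locked. Sign in now to avoid suspension:</p>
<a href="http://example-corp.test.attacker.example/reset">https://login.example-corp.test/reset</a>
"""
TRUSTED_DOMAINS = {"example-corp.test"}  # assumed: the organisation's own domain
URGENCY_WORDS = ("locked", "suspend", "immediately", "within 24 hours", "verify")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Last two labels of a hostname; a production screener would use a public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def looks_like(host, trusted):
    """Crude homoglyph fold: does the host read as a trusted domain with rn->m, 0->o, 1->l?"""
    return host.lower().replace("rn", "m").replace("0", "o").replace("1", "l") in trusted

def screen_email(raw, trusted=TRUSTED_DOMAINS):
    """Return findings for the impersonation, pretext and link tricks the article describes."""
    msg, findings = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2]
    if sender_domain and registrable(sender_domain) not in trusted:
        kind = "a lookalike of a trusted domain" if looks_like(sender_domain, trusted) else "an untrusted domain"
        findings.append(f"sender {sender} uses {kind}")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(f"urgency/pretext wording: {', '.join(hits)}")
    for href, label in ANCHOR_RE.findall(body):
        target = registrable(urlparse(href).hostname or "")
        shown = registrable(urlparse(label.strip()).hostname or "")  # "" unless the label is itself a URL
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        elif target not in trusted:
            findings.append(f"link to untrusted domain {target}")
    return findings
```

Running `screen_email(SAMPLE_EMAIL)` returns three findings for the sample; a message from a trusted sender whose links point where they claim returns an empty list.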

For businesses, the damage from a social engineering attack can be contained when an organization uses a Zero Trust security model. This model makes it much harder for attackers to move further into a network or a system once they gain a foothold. Learn more about how businesses protect themselves from social engineering using Zero Trust security.

FAQs

What is the definition of a social engineering attack?

A social engineering attack is the practice of manipulating people into giving up confidential information, such as login credentials or financial details. These attacks can occur in person, over the phone, via email, through social media, or elsewhere online.

How do social engineering attacks work?

Social engineering attacks use a variety of tactics to get a victim's trust and manipulate them into taking an unintended action. Common tactics include impersonating a trusted party, baiting victims with something desirable, or creating a fake situation to get information (pretexting). Attackers also use emotional appeals to greed, fear, or curiosity to incite their victims into action.

What are some examples of social engineering attacks?

Examples of social engineering attacks include sending a victim an email from someone in their contact list that contains a malicious link, using a fake login page to steal a user's password, or using a thumb-drive drop attack to target a well-protected company network.

How can social engineering attacks be prevented?

The best defense is common sense and an up-to-date knowledge of these attacks. People should be cautious of suspicious communications, avoid clicking links in emails (instead typing trusted URLs directly into their browser), and contact institutions and service providers directly if they receive an unexpected message. For businesses, using a Zero Trust security model can help contain damage if an attacker uses social engineering to gain a foothold in the network.

How can social engineering attacks impact a business?

Social engineering attacks can be used as a starting point for larger cyber attacks by advanced persistent threats (APTs). By compromising a single person, attackers can more easily access the rest of their organization. Successful social engineering attacks can lead to data exfiltration and ransomware infections, among other attacks.