Microsoft 365
July 12, 2022

What is Social Engineering?

Social engineering is designed to manipulate others by preying on our trust of what’s familiar. Learn how to identify social engineering tactics and protect yourself from being scammed.

What is the Definition of Social Engineering?

Social engineering is any manipulation technique that exploits human behavior and error in order to gain access to sensitive or confidential information. Where some scammers would steal someone’s personal information, social engineers convince their victims to willingly hand over the requested information like usernames and passwords.


Social engineering attacks are generally not quick. Instead of a smash-and-grab robbery, social engineers tend to take a prolonged approach that starts with research. The cycle of this type of manipulation might go like this:

  • Investigation. In this stage the engineer identifies a target and gathers background information. This could include potential points of entry or security protocols that the target has in place.
  • Infiltrate. The engineer works to establish trust with the target. They spin a story, hook the target, and take control of the interaction to steer it in a way that benefits the engineer.
  • Exploit. Social engineers obtain the target’s information over a period of time. Typically, the target hands over this information willingly, and engineers may use it to gain access to even more confidential information.
  • Disengage. A social engineer will bring the interaction to a natural end. A skilled engineer will do this without making the target feel suspicious at all.

This tactic can be especially dangerous because it relies on human error, rather than a vulnerability in software. Humans are much more unpredictable, and their mistakes can be hard to identify or anticipate. Malware may exploit a specific weakness in a piece of code, making it a relatively straightforward fix once it’s identified. Human manipulation is harder to untangle.

Different Social Engineering Attacks

Unfortunately, humans have developed several ways to deceive each other. Social engineering techniques tend to hinge on the attacker’s use of confidence and persuasion to convince their targets to take actions that would otherwise be out of character. Targets may find themselves being misled into a few specific behaviors that are hallmark traits of social engineering:

  • Urgency. No one wants to miss out on a time-sensitive opportunity, and attackers will capitalize on this. Attackers may push targets to act under the guise of a serious issue that requires immediate attention. Another approach is a fake reward that must be claimed within a set amount of time. The sense of urgency might trick otherwise rational targets into handing over personal information.
  • Trust. Social engineers need their targets to trust them, especially since their interactions are based on lies. If a target can see through the lies, the social engineering attack will fail.
  • Heightened Emotion. An attacker may prey on a target’s emotions to get them to act out of turn. Emotional manipulation can give them an upper hand, since humans are more likely to take risky actions in a heightened emotional state, especially if fear, guilt, or anger are involved.

Understanding that social engineering attacks are rooted in deception may help you sniff them out before you become a victim. Here are a few different types of social engineering attacks, so you’ll know how to spot a scam.

Pretexting Attacks

Pretexting uses a deceptive identity as the reason to establish trust with a target. This may involve an impersonation of a vendor or facility employee, and once a target is convinced that the identity is legitimate, the exploitation continues in earnest. An attacker may pretend to be a coworker, a police officer, or someone else who may inspire trust in the target.

Tailgating Attacks

This kind of social engineering, also called piggybacking, occurs when an attacker follows someone into an area that the attacker isn’t authorized to access. Attackers may count on social courtesy, like door holding, to access private areas and the private information within them. Pretexting can play a role in tailgating, too, especially if the attacker is dressed like an employee of a private location.

Phishing Attacks

This is a well-known way to obtain personal information from an unwitting target. This kind of attack works when an attacker pretends to be a trusted institution (like your bank) or individual (like a family member) to persuade you to share private personal data. There are a few different types of phishing, but the basic premise of deceiving a target with the goal of obtaining private information is the same.

  • Smishing. The name is derived from SMS phishing, which uses text messages containing malicious links. The texts might claim to be from a cellular service provider offering you a gift for paying your bill on time. But when you click the link, your device may be infected with malware.
  • Spear phishing. This type of phishing is aimed at a specific individual by impersonating someone that the target knows and trusts.
  • Angler phishing. This attack typically takes place on social media and occurs when a social engineer poses as a member of a trusted company’s customer service team. They will notice your interactions with that company’s posts and will attempt to intercept them.
  • In-session phishing. This may appear as an interruption to your normal internet browsing. You may be logged into your bank account and see a pop-up asking you to log in again. This pop-up is likely a form of social engineering trying to steal your login information and your money.

Baiting Attacks

This type of social engineering technique is built on the premise of a target taking the bait. An attacker will put something desirable in front of a victim and hope that it entices them. Online, this might look like a downloadable attachment in an email or on a social media post that has malware embedded.

A physical example might be a seemingly abandoned USB stick in a public place. A curious target might plug it into their computer to see what’s on it, and the malware loaded on the device will infect the target’s computer.

Social Engineering Prevention

While social engineering attacks can be sophisticated, they can be prevented. If you’re smart about your privacy and security, you can beat attackers at their own game.

  • Use two-factor authentication (2FA). Social engineers are typically seeking information like login credentials. With 2FA enabled, even if an attacker gets your username and password, they still won’t be able to gain access to your accounts and personal information.
  • Don’t open emails or attachments from suspicious sources. If a friend sends you a link that you need to click urgently, ask your friend if that message was really from them. Pause and ask yourself if the sender is who they say they are before clicking anything.
  • Be wary of offers that are too good to be true. You can’t win a sweepstakes you didn’t enter, and no foreign royalty is going to leave you a large amount of money. If it seems too tempting, do a quick search to determine if the offer is legitimate or a trap.
  • Don’t overshare online. Social engineers need their targets to trust them for their scams to work. If they can find your personal details from your social media profiles, it will make their scams seem more legitimate. Talk to your kids about online safety and what they post online.
  • Secure your computers and devices. Use antivirus software, firewalls, and email filters. In case a threat does make its way to your personal device, you’ll have protection in place to keep your information safe.
