Social engineering cyberattacks play on the mind, manipulating emotions and engaging in deception to get victims to give up passwords, financial data, and other valuable information.
According to Verizon's 2022 Data Breach Investigations Report (DBIR), eight in 10 data breaches (82%) involve a human element. Alongside breaches caused by human error and malicious actions, this statistic also includes social engineering attacks.
Social engineering is frequently used in phishing emails. The risk has only increased as people and companies work remotely in greater numbers and rely on email to get work done. As the Egress Data Loss Prevention Report reveals, 85% of employees rely on email more now, in the era of remote and hybrid work, than ever before. In fact, the DBIR shows a 10% uptick in phishing emails since 2017, with much of the increase occurring after many businesses began operating remotely in 2020.
Fortunately, the very nature of social engineering attacks, reliant on the unwitting participation of victims, reveals how to defeat them through behavior-based security. The first step in an effective defense is understanding how social engineering attacks work.
How does social engineering happen?
In cybersecurity, social engineering means manipulating a victim into taking an action or divulging information, using one or more of a family of techniques. For example, an email impersonating a senior executive might instruct an employee to transfer money from a company account. Alternatively, an email might direct a new employee to what appears to be the company intranet site and ask them to enter sensitive information. Or the cybercriminal might claim to hold compromising information about an individual in order to extort payment.
And although email is the most common attack vector, it's not the only one. Malicious links may arrive via text, instant message applications, or even voicemail.
Here, then, is a field guide to some of the most common social engineering attacks.
Examples of social engineering attack techniques and types
Baiting
A social engineering attack that uses baiting tries to make the target believe the attacker has something they want or need. This technique was used in recent Shein impersonation phishing attacks detected by Egress Defend, one of which purported to offer a discount. Other examples include offering fake software updates to trick people into clicking links or downloading malware from phishing websites, offering access to systems through fake login pages, or even offering delivery of a parcel supposedly being held by a mail carrier.
Quid pro quo
This type of social engineering technique involves offering the victim 'something for something'. An attacker might pose as someone from a bank or financial institution, claiming that the victim's accounts are being emptied by a criminal but that the funds can be moved to safety if the victim confirms certain personal or financial details. Alternatively, an attacker might pose as an IT support employee who needs the victim's login credentials to perform a task or solve a problem.
Phishing and spear phishing
Phishing is the most prevalent vector for social engineering attacks, accounting for more than half of all such incidents, according to the DBIR. General phishing attacks cast a wide net, emailing a large number of employees at a given company in the hope that at least one will click a malicious link, but they still rely on social engineering techniques designed to work on many people at once, for example claiming that a hyperlink will expire within a short timeframe unless the task is completed. (See this article on 'What is phishing' for an introduction to the topic of phishing.)
More targeted spear phishing attacks go after specific individuals in an attempt to appear more convincing. The social engineering within these can often be a lot more tailored, for example targeting new employees with tasks to complete on joining a company or impersonating either known customers or colleagues within the organization’s hierarchy.
Vishing and smishing
Vishing attacks occur via phone or voicemail, while smishing attacks come through SMS or messaging apps. For more information, check out our article on phishing and smishing attacks. Smishing can employ both broad and targeted social engineering techniques (much like phishing emails), whereas in a vishing attack the cybercriminal has more scope to pressure people using both language and intonation. Vishing often forms part of scams that impersonate banks and other financial institutions. Phishing, vishing, and smishing can be combined within a single attack to increase pressure on the victim.
Watering hole
Watering hole attacks depend on compromising a legitimate website that the targets are known to visit. When targets visit the site, they may be infected with malware or tricked into entering sensitive information, such as login credentials, which is then stolen. Because the attack is hosted on a legitimate site, it is unlikely to be blocked by organizational web filters, and the familiar domain in the URL does not arouse suspicion.
Pretexting
Pretexting attacks hook a victim with an invented but plausible scenario (the pretext), usually by impersonating someone they know or trust. A particularly insidious form uses a compromised email account belonging to a victim's colleague or trusted supplier, which makes the request appear even more legitimate.
Tailgating
Unlike the remote attacks described above, tailgating is a social engineering technique used in physical locations. In a tailgating attack, a criminal follows someone who has legitimate access into a restricted area in order to reach the systems or physical items held there. This can be as simple as slipping through barriers in a crowded lobby, sharing an elevator with legitimate employees, or asking someone to hold the door to a restricted office space or other area.
Newsworthy social engineering attack examples
In a 2019 pretexting attack, criminals impersonating an executive of the Japanese media company Nikkei made an urgent request to a carefully selected employee in New York. The scammers talked the employee into transferring $29m out of the company's accounts and into an account they controlled.
In 2022, smishing and vishing attacks on the communications company Twilio convinced employees to hand over their company credentials, allowing the attackers to access customer information. The company said the attackers compromised only a limited number of customer accounts.
In September 2022, employees at GitHub were targeted with phishing emails impersonating CircleCI (a legitimate DevOps platform used by GitHub employees) that led them to a phishing website where their credentials and one-time authentication codes were stolen. Because the codes were relayed to the attacker as they were entered, one-time-code MFA did not stop the attack; only phishing-resistant factors such as hardware security keys would have.
In a similar attack in February 2023, a phishing campaign targeting employees of the social media company Reddit induced an employee to enter their login credentials on a website designed to look like the company's intranet site. The employee realized their mistake soon afterward and reported it to the company, which then locked out the intruder.
How to protect your information from social engineering attacks
Social engineering attacks are designed to be highly convincing and use advanced techniques to manipulate people, so it can be very difficult for individuals to detect them.
Behavior-based email security can detect attacks that originate from compromised legitimate accounts, while advanced detection capabilities such as natural language processing (NLP) and natural language understanding (NLU) can be used to detect the linguistic markers of social engineering: manufactured urgency, appeals to authority, demands for secrecy, and requests for credentials or payment, especially when several appear together or come from an external or lookalike domain.
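As an added illustration of the linguistic-marker idea above (example code written for this article, not Egress Defend's detection logic), the following Python scores a message on the levers social engineering pulls: urgency, authority, secrecy, credential and payment requests, plus two structural tells, a lookalike sender domain and a link whose visible text names a different host than its href. The phrase lists, weights, `example.com` internal domain and the three sample messages are all constructed assumptions.

```python
"""Toy social-engineering marker scorer: constructed illustration, not a product."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrase patterns grouped by the manipulation lever they pull (assumed, not exhaustive).
MARKERS = {
    "urgency": [r"\burgent(?:ly)?\b", r"\bimmediately\b", r"\bright away\b",
                r"\bwithin (?:the next )?\d+ (?:minutes|hours)\b",
                r"\b(?:link|access) (?:will )?expires?\b"],
    "authority": [r"\b(?:ceo|cfo|managing director)\b",
                  r"\bper my (?:request|instructions?)\b", r"\bi need you to\b"],
    "credential_request": [
        r"\b(?:confirm|verify|re-?enter|update) your (?:password|login|credentials|account)\b",
        r"\b(?:log ?in|sign ?in) (?:here|now|below)\b", r"\bone[- ]time (?:code|passcode)\b"],
    "payment_request": [r"\bwire(?: transfer)?\b", r"\btransfer \$?[\d,]+\b", r"\bgift cards?\b",
                        r"\b(?:new|updated) (?:bank|account) details\b"],
    "secrecy": [r"\bkeep this (?:confidential|between us)\b", r"\bdo not (?:tell|discuss)\b"],
}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header ('' if none)."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_mismatches(body: str) -> list[tuple[str, str]]:
    """Anchors whose visible text is a URL/host that differs from the href host."""
    out = []
    for href, text in LINK_RE.findall(body):
        shown = text.strip()
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if "." in shown_host and shown_host.lower() != real_host.lower():
            out.append((shown_host, real_host))
    return out


def score_message(from_header: str, subject: str, body: str, internal_domain: str) -> Verdict:
    v = Verdict()
    text = f"{subject}\n{body}".lower()
    dom = sender_domain(from_header)
    external = dom != internal_domain.lower()
    hits = {cat: [p for p in pats if re.search(p, text)] for cat, pats in MARKERS.items()}
    for cat, matched in hits.items():          # +1 per lever present, not per phrase
        if matched:
            v.score += 1
            v.reasons.append(f"{cat}: {len(matched)} marker(s)")
    if external and hits["authority"]:         # an outsider invoking inside authority
        v.score += 2
        v.reasons.append(f"authority claim from external domain {dom}")
    if external and 0 < edit_distance(dom, internal_domain.lower()) <= 2:
        v.score += 3
        v.reasons.append(f"lookalike sender domain {dom} vs {internal_domain}")
    for shown, real in link_mismatches(body):  # classic credential-phish tell
        v.score += 3
        v.reasons.append(f"link text shows {shown} but points to {real}")
    if hits["urgency"] and (hits["credential_request"] or hits["payment_request"]):
        v.score += 2                           # pressure plus an ask is the core pattern
        v.reasons.append("urgency combined with a credential/payment request")
    return v


# Constructed sample messages (not real incidents); internal domain assumed to be example.com.
SAMPLES = {
    "bec": ('"Jane Doe (CEO)" <jane.doe@examp1e.com>', "Urgent wire transfer",
            "I need you to wire $29,000 to a supplier before 5pm today. Keep this confidential "
            "until I'm back. Per my instructions, use the new bank details attached."),
    "cred_phish": ('"IT Notifications" <noreply@notify.example.net>',
                   "Action required: your session expires within 24 hours",
                   'Please <a href="https://login.example-sso.net/auth">https://sso.example.com/login</a> '
                   'to verify your account and sign in now.'),
    "benign": ('"Sam Lee" <sam.lee@example.com>', "Q3 roadmap review",
               "Sharing the slides from today's review. Let me know if you have comments by Friday."),
}


def run_samples(internal_domain: str = "example.com") -> dict[str, int]:
    return {name: score_message(*msg, internal_domain).score for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = score_message(*msg, "example.com")
        print(f"{name}: score={v.score}", *v.reasons, sep="\n  ")
```

The weights are deliberately crude; the point is that a real detector scores the combination of levers (pressure plus an ask, from a domain that is not quite yours) rather than any single phrase, which is why a benign internal email mentioning "Friday" scores zero while the two attacks score high.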
Egress integrated cloud email security helps organizations to defend against advanced phishing attacks, including those leveraging social engineering.