How social engineering attacks work (with examples)

Social engineering cyberattacks play on the mind, manipulating emotions and engaging in deception to get victims to give up passwords, financial data, and other valuable information.

According to Verizon's 2022 Data Breach Investigations Report (DBIR), 8 in 10 data breaches (82%) involve a human element. Alongside breaches caused by human error and malicious actions, this statistic also includes social engineering attacks.

Social engineering is frequently used in phishing emails. The risk has only increased as people and companies work remotely in greater numbers and rely on email to get work done. As the Egress Data Loss Prevention Report reveals, 85% of employees rely on email more now, in the era of remote and hybrid work, than ever before. In fact, the DBIR shows a 10% uptick in phishing emails since 2017, with much of the increase occurring after many businesses began operating remotely after 2020.

Fortunately, the very nature of social engineering attacks are reliant on the unwitting participation of victims, revealing how to defeat them through behavior-based security. The first step in an effective defense is understanding how social engineering attacks work.

How does social engineering happen?

In cybersecurity, social engineering involves manipulating a victim into completing an action or divulging information through a series of techniques. For example, sending an email that impersonates a high-level executive to instruct an employee to transfer money from a company account. Alternatively, an email might direct a new employee to visit what appears to be a company intranet site to input sensitive information or, the cybercriminal might pretend to have compromising information about an individual to extort payment.

And although email is the most common attack vector, it's not the only one. Malicious links may arrive via text, instant message applications, or even voicemail.

Here is a field guide to some of the most common social engineering attacks.

Examples of social engineering attack techniques and types

Baiting

A social engineering attack that uses baiting involves trying to make the target believe the attacker has something that they need. This technique was used in a recent Shein impersonation phishing email detected by Egress Defend, which purported to offer a discount. Other examples include offering fake software updates to trick people into clicking links or downloading malware from phishing websites, offering access to systems through false log-in pages, or even offering redelivery of items being held by a mail carrier.

Quid pro quo

This type of social engineering technique involves offering the victim ‘something for something’. An attacker might pose as someone from a bank or financial institution, stating the victims’ accounts are being emptied by a criminal but they can move them if the victim confirms certain personal or financial details. Alternatively, an attacker might pose as an IT support employee, stating they need the victim's log-in credentials to perform a task or solve a problem.

Phishing and spear phishing

Phishing is the most prevalent vector for social engineering attacks, accounting for more than half of all such incidents, according to the DBIR. While general phishing attacks often cast a wide net, with attackers emailing a large number of employees at a given company in the hope that at least one falls victim, they can include general social engineering techniques designed to work effectively across multiple people. For example, stating that a hyperlink might expire within a short timeframe unless the task is completed. 

More targeted spear phishing attacks are directed at specific individuals in an attempt to appear more convincing. The social engineering within these can often be a lot more tailored, for example targeting new employees with tasks to complete on joining a company or impersonating either known customers or colleagues within the organization’s hierarchy.

(For more information, read our article ‘What is phishing’ for an introduction to the topic of phishing.)

Vishing and smishing

Vishing attacks occur via phone or voicemail while smishing attacks come through SMS or messaging apps. For more information, check out our article on phishing and smishing attacks. While smishing can employ both broader and more targeted social engineering techniques (similar to phishing emails), in a vishing attack, the cybercriminal has more scope to pressure people using both language and intonation. Vishing can often form part of schemes that impersonate banks and other financial institutions. Phishing, vishing, and smishing can be combined within single attacks to increase pressure on the victims.

Water-holing

Water-holing attacks require compromising a legitimate website. When targets visit the site, they may become infected with malware or tricked into inputting sensitive information, such as log-in credentials, which is then stolen. As the attack is hosted on a legitimate site, it’s likely it won’t be blocked by organizational firewalls and suspicions won’t be aroused by the root URL.

Pretexting

Pretexting attacks attempt to hook a victim by impersonating someone they know. A particularly insidious form may use a compromised email account of a victim’s colleague or trusted supplier, making it appear even more legitimate.

Tailgating

Unlike the cyber-based or remote attacks described above, tailgating is a social engineering technique used in physical locations. In a tailgating attack, a criminal will attempt to follow someone who has legitimate access into a restricted area to gain access to the systems or physical items held there. This can be as simple as slipping through barriers in a crowded lobby, sharing the elevator with legitimate employees, and having someone hold the door to a restricted office space or another area.

Newsworthy social engineering attack examples

In a 2019 pretexting attack, criminals impersonating an executive of Japanese media company NIKKEI made an urgent request to a carefully selected employee in New York. The attackers talked the employee into transferring $29m from the company into their bank account.

Less than two years later, vishing and smishing attacks on communications company Twilio convinced employees to share their company passwords, allowing attackers to access customer information. The company said attackers compromised only a limited number of customer accounts.

More recently, in September 2022, employees at GitHub were targeted with phishing emails impersonating CircleCI (a legitimate DevOps platform used by GitHub employees) that took them to a phishing website where their credentials and authentication codes were stolen.

In a similar attack in February 2023, a phishing campaign targeting employees at the social media company Reddit induced someone to enter their log-in credentials into a website designed to look like the company's intranet site. The employee realized their mistake soon afterward and reported it to the company, which then locked out the intruder.

How to protect your information from social engineering attacks

Social engineering attacks are designed to be highly convincing and use advanced techniques to manipulate people, so it can be very difficult for individuals to detect them. 

Behavior-based email security can detect attacks that originate from compromised legitimate accounts, while advanced detection capabilities like natural language processing (NLP) and natural language understanding (NLU) can be used to detect the linguistic markers of social engineering.

Egress' integrated cloud email security helps organizations to defend against advanced phishing attacks, including those leveraging social engineering.