What is social engineering? How criminals take advantage of human behavior

4 min readJun 26, 2019

That firewall won’t mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection. Here’s what you need to know to protect your organization and your users.

Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

Even if you’ve got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building’s physical security, and you’ve invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).

Types of Social Engineering Attacks:

There are many social engineering tactics depending on the medium used to implement it. The medium can be email, web, phone, USB drives, or some other thing. So, let’s tell you about different types of social engineering attacks:

1. Phishing

Phishing is the most common type of social engineering attack. The attacker recreates the website or support portal of a renowned company and sends the link to targets via emails or social media platforms. The other person, completely unknown of the real attacker, ends up compromising personal information and even credit card details.

You can prevent phishing emails by using spam filters in your email accounts. Most email providers do this by default nowadays. Also, don’t open any emails coming from an untrusted source or you find it suspicious.

2. Spear Phishing

A social engineering technique known as Spear Phishing can be assumed as a subset of Phishing. Although a similar attack, it requires an extra effort from the side of the attackers. They need to pay attention to the degree of uniqueness for the limited number of users they target. And the hard work pays off, the chances of users falling for the false emails are considerably higher in the case of spear phishing.

3. Vishing

Impostors or social engineers can be anywhere on the internet. But many prefer the old fashioned way; they use the phone. This type of social engineering attack is known as Vishing. They recreate the IVR (Interactive Voice Response) system of a company. They attach it to a toll-free number and trick people into calling the phone number and entering their details. Would you agree on this? Most people don’t think twice before entering confidential info on a supposedly trusted IVR system, do they?

4. Pretexting

Pretexting is another example of social engineering you might’ve come across. It’s based on a scripted scenario presented in front of the targets, used to extract PII or some other information. An attacker might impersonate another person or a known figure.

You might’ve seen various TV shows and movies where detectives use this technique to get into places where they’re personally not authorized, or extract information by tricking people. Another example of pretexting can be fake emails you receive from your distant friends in need of money. Probably, someone hacked their account or created a fake one.

5. Baiting

If you have seen the movie Troy, you might be able to recall the Trojan horse scene. A digital variant of this technique is known as Baiting and it is one of the social engineering techniques used by people. Attackers leave infected USB drives or optical disks at public places with a hope of someone picking it up out of curiosity and using it on their devices. A more modern example of baiting can be found on the web. Various download links, mostly containing malicious software, are thrown in front of random people hoping someone would click on them.

6. Tailgating

Similarly, there are other social engineering techniques, like Tailgating, where a person takes help of an authorized person to get access to restricted areas where RFID authentication or some other electronic barrier is present.

7. Quid pro quo

Another social engineering method Quid pro quo involves people posing as technical support. They make random calls to a company’s employees claiming that they’re contacting them regarding an issue. Sometimes, such people get the chance to make the victim do things they want. It can be used for everyday people also.

Quid pro quo involves an exchange of something with the target, for instance, the attacker trying to solve a victim’s genuine problem. The exchange can include materialistic things such as some gift in return for the information.