Social Engineering (in cybersecurity)

Social engineering describes a range of non-technical attack techniques that are used by cybercriminals to manipulate users into overriding security or other business process protocols, performing harmful actions or giving up sensitive information.

5 min read

How does social engineering work?

Most social engineering techniques do not require any technical skills on the part of the attacker, meaning that anyone from small-time thieves to the most sophisticated attackers can operate in this space.

There are many techniques that fall under the umbrella term of social engineering in cybersecurity. Among the most well-known are spam and phishing:

Spam is any form of unsolicited communication sent in bulk. Most often, spam is an email sent to as many users as possible, but can also be delivered via instant messages, SMS and social media. Spam is not social engineering per se, but some of its campaigns utilize social engineering techniques such as phishing, spearphishing, vishing, smishing or spreading malicious attachments or links. 

Phishing is a form of cyberattack in which the criminal impersonates a trustworthy entity to request sensitive information from the victim. These types of fraud usually try to create a sense of urgency, or employ scare tactics to coerce the victim into complying with the attacker’s requests. Phishing campaigns can target large numbers of anonymous users, or a specific victim or specific victims.

But they’re not the only techniques. Beware of these too:

Spearphishing is a targeted form of phishing in which the attacker sends highly-customized messages to a limited group of people, or even just an individual, with the aim of harvesting their data or manipulating them to perform harmful actions. 

Vishing and Smishing are social engineering techniques similar to phishing but conducted by means other than email. Vishing (voice phishing) uses fraudulent phone calls, while smishing (SMS phishing) uses SMS text messages containing malicious links or contents.

Impersonation in cybersecurity has a similar meaning to its equivalent in the physical world. Cybercriminals act in the name of a trustworthy persona and deceive victims into taking actions that harm themselves or their organization. A typical example is an attacker impersonating a company’s CEO – when the CEO is out of office – ordering and approving fraudulent transactions.

Technical Support Scams are usually bogus phone calls or web ads in which attackers offer victims unsolicited technical support services. In reality, cybercriminals try to make money by selling fake services and removing non-existent problems.

Scareware is software that utilizes various anxiety-inducing techniques to manipulate victims into installing further malicious code on their devices, while also usually extracting payments for non-functional or outright malicious software. A typical example is a fake antivirus product designed to trick users into thinking that their devices have been compromised and that they need to install specific (usually harmful) software to remove the problem.

(Cyber)Scams are fraudulent schemes that often employ one or even several of the social engineering techniques described in this section.

Why should SMBs care about social engineering?

SMBs are increasingly aware that they are targets for cybercriminals, according to a 2019 survey conducted by Zogby Analytics on behalf of the US National Cyber Security Alliance. Almost half (44%) of companies with 251-500 employees said they had experienced an official data breach within the past 12 months. The survey found that 88 percent of small businesses believe that they are at least a "somewhat likely" target for cybercriminals, including almost half (46%) who believe they are a "very likely" target.

The damage is real and extensive, a point well-illustrated by the FBI's Internet Crime Center (IC3) annual report. The FBI estimates that, in 2018 alone, US companies lost more than $2.7 billion to cyberattacks, including $1.2 billion attributed to business email compromise (BEC)/email account compromise (EAC) that allowed unauthorized transfers of funds.

How to recognize a social engineering attack?

There are several red flags that can signal a social engineering attack. Poor grammar and spelling are a common giveaway. So is a heightened sense of urgency that seeks to prompt the recipient to act unquestioningly. Any request for sensitive data should immediately ring alarm bells: reputable companies do not normally ask for passwords or personal data via emails or text messages.

Some of the red flags that point to social engineering:

1. Poor and generic language

Typically, attackers don’t pay too much attention to detail, sending messages full of typos, missing words and poor grammar. Another linguistic element that can signal an attempted attack is generic greetings and formulations. So if an email starts “Dear recipient” or “Dear user”, be wary.

2. Strange sender address

Most spammers don’t take the time to spoof the sender’s name or domain in order to make these look trustworthy. So if an email comes from an address that is a mix of random numbers and characters or is unknown to the recipient, it should go directly into the spam folder and be reported to the IT department.

3. Sense of urgency

The criminals behind social engineering campaigns often try to scare victims into action by using anxiety-inducing phrases such as “send us your details right away, or your parcel will be discarded” or “if you do not update your profile now, we will close your account”. Banks, parcel companies, public institutions and even internal departments usually communicate in a neutral and factual way. Therefore, if the message is trying to push the recipient to act quickly, it is probably malicious and potentially a dangerous scam.

4. Request for sensitive information

Institutions and even other departments in your own company will not normally request sensitive information via email or phone – unless the contact was initiated by the employee.

5. If something sounds too good to be true, it probably is

This is as true for unsolicited giveaways on social media as it is for that “excellent yet time-limited business opportunity” that just landed in your inbox.

5 ways to protect your organization from social engineering attacks

1. Regular cybersecurity training of ALL employees, including top management and IT personnel. Remember that such training should show or simulate real-life scenarios. Learning points must be actionable and, most of all, actively tested outside the training room: social engineering techniques rely on the low cybersecurity awareness of their targets.

2. Scan for weak passwords that could potentially become an open door in your organization’s network for attackers. Additionally, protect passwords with another layer of security by implementing multi-factor authentication.

3. Implement technical solutions to tackle scam communications so that spam and phishing messages are detected, quarantined, neutralized and deleted. Security solutions, including many that ESET provides, have some or all of these capabilities.

4. Create understandable security policies that employees can use and that help them to identify what steps they need to take when they encounter social engineering.

5. Use a security solution and administrative tools, such as ESET Cloud Administrator, to protect your organization’s endpoints and networks by giving administrators full visibility and the ability to detect and mitigate potential threats in the network.

Combat social engineering now


Protect your organization against social engineering by using ESET multi-layered endpoint security solutions, including LiveGrid® protection via the cloud and network attack protection, and the cloud-based ESET PROTECT console, to give your admins full, detailed network visibility, 24/7.