Social Engineering

June 6, 2022

What is Social Engineering?

Social engineering is the act of manipulating people to take a desired action, like giving up confidential information. Social engineering attacks work because humans can be compelled to act by powerful motivations, such as money, love, and fear. Adversaries play on these characteristics by offering false opportunities to fulfill those desires. The least sophisticated social engineering attacks are a numbers game: offer enough people the chance to acquire a few million dollars and a few will always respond. However, these attacks can often be quite sophisticated, and even a highly suspicious person can be fooled.

Social engineering attacks are of great concern to cybersecurity professionals because, no matter how strong the security stack is and how well-honed the policies are, a user can still be fooled into giving up their credentials to a malicious actor. Once inside, the malicious actor can use those stolen credentials to masquerade as the legitimate user, thereby gaining the ability to move laterally, learn which defenses are in place, install backdoors, conduct identity theft and — of course — steal data.

2022 CrowdStrike Global Threat Report

Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.

Download Now

How Does a Social Engineering Attack Work?

Social engineering attacks typically follow these simple steps:

  1. Research: The attacker identifies victims and chooses a method of attack
  2. Engage: The attacker makes contact and begins the process of establishing trust
  3. Attack: The attack commences and the attacker collects the payload
  4. The Getaway: The attacker covers their tracks and concludes the attack

A social engineering attack may be conducted by email, social media, phone, or in person. However, no matter the channel through which the attack is conducted, the methods are consistent. The attacker will pose as an individual with a legitimate need for information such as an IT worker who needs a person to “verify their login credentials,” or a new employee who urgently needs an access token but doesn’t know the proper procedure to acquire one.

What are Some Common Types of Social Engineering Attacks?

Some of the most common social engineering techniques include:

  1. Phishing
  2. Baiting
  3. Quid Pro Quo


A Phishing attack is the most well-known social engineering tactic. A phishing attack uses an email, website, web ad, web chat, SMS or video to inspire its victims to act. Phishing attacks may appear to be from a bank, delivery service or government agency, or they may be more specific and appear to be from a department within the victim’s company, such as HR, IT or finance.

Phishing attack emails include a call to action. They may ask the victim to click a URL to a spoofed website or malicious link that contains malware.

example phishing email impersonating a doctor

Example of a phishing email

Awareness of phishing attacks is high, with even unsophisticated users knowing they exist. Yet they continue to work because people are distracted and busy or because they can be crafted so well that no one would be likely to question their authenticity.

A Spear phishing attack is a variation of phishing scam in which the attacker targets a demographic, such as employees of a certain company or finance directors in a certain industry.

Similar to spear-phishing, a whaling attack is a targeted phishing tactic. However, the difference is that a whaling attack targets executives or senior employees.

Baiting Attack

Baiting attacks may lure the target with a desirable offer, such as free music, games or ringtones, hoping that the password the target uses to log in and get the free digital goods is one they’ve reused from more important sites. Even if the password is a one-off, the attacker can sell it on the dark web as part of a package with thousands of others.

In the corporate environment, a baiting attack is more likely to consist of a flash drive left in an obvious location, such as a breakroom or lobby. When the person who finds the drive plugs it into the corporate network to see who it belongs to, the drive downloads malware into the environment.

Quid Pro Quo

A quid pro quo attack is a social engineering scam similar to a baiting attack, but instead of taking a scattershot approach, it targets an individual with an offer to pay for a service. For example, the threat actor may pretend to be an academic researcher who will pay for access to the corporate environment.

Learn More

Explore the most common types of social engineering attacks and learn how to prevent them. Read: 10 Types of Social Engineering Attacks

Social Engineering Attack Prevention

The best way to prevent social engineering threats is to take both a human and technological approach to your defense strategy.

What can Humans do?

Security awareness training is the best way to prevent being victimized. It’s important to be cognizant of common social engineering tactics in order to spot the signs of targeting. Make sure your company has a process in place to allow employees to engage IT security personnel if they have any reason to believe they might be the victims of a social engineering attack.

As a part of security awareness programs, organizations should continue to remind their employees of the following these common practices:

  • DON’T CLICK ON LINKS SENT BY PEOPLE YOU DON’T KNOW. Hover over them first; trust but verify!
  • Avoid opening attachments within emails from senders you do not recognize.
  • Be wary of emails or phone calls requesting account information or requesting that you verify your account.
  • Do not provide your username, password, date of birth, social security number, financial data or other personal information in response to an email or robocall.
  • Always independently verify any requested information originating from a legitimate source.
  • Always verify the web address of legitimate websites and manually type them into your browser.
  • Check for misspellings or improper domains within a link (for example, an address that should end in a .gov ends in .com instead).
  • Before transferring money or information, verify by voice or video call.
  • Be alert to counterfeit items, such as sanitizing products and personal protective equipment, or people selling products that claim to prevent, treat, diagnose or cure COVID-19.

What can technology do?

Beyond the human element, every organization should employ a cybersecurity solution that leverages the following capabilities:

  • Sensor Coverage. You can’t stop what you don’t see. Organizations should deploy capabilities that provide their defenders with full visibility across their environment, to avoid blind spots that can become a safe haven for adversaries.
  • Technical Intelligence. Leverage technical intelligence, such as indicators of compromise (IOCs), and consume them into a security information and event manager (SIEM) for data enrichment purposes. This allows for added intelligence when conducting event correlation, potentially highlighting events on the network that may have otherwise gone undetected. Implementing high-fidelity IOCs across multiple security technologies increases much-needed situational awareness.
  • Threat Intelligence. Consuming narrative threat intelligence reports is a sure-fire method for painting a vivid picture of threat actor behavior, the tools they leverage and the tradecraft they employ. Threat intelligence assists with threat actor profiling, campaign tracking and malware family tracking. These days, it is more important to understand the context of an attack rather than just knowing an attack itself happened, and this is where threat intelligence plays a vital role.
  • Threat Hunting. Understanding technology will only get organizations so far is more important now than ever before. Security technologies cannot guarantee 100% protection on their own, and understanding technology is not infallible is the first step in coming to grips with the need for 24/7, managed, human-based threat hunting.

Another best practice to prevent social engineering is to implement zero trust architecture, which grants limits a user’s access to all but specific systems to perform specific tasks, and only for a limited amount of time. When that time is up, access is rescinded. This approach limits the damage a malicious actor can do even if they are using stolen credentials to penetrate the system.