Social engineering attacks come in many forms.


In recent years, and particularly with the rise in use of social media, cyber criminals have taken to using psychological as well as technical methods of attack. Human beings, after all, are notoriously trusting, especially when distracted or under pressure.

Hackers are increasingly exploiting this natural tendency in order to persuade their victims to reveal personal data or business secrets through psychological manipulation, in what’s known as social engineering. Indeed, most cyber attacks these days are initiated in this way.

Here are some of the more common types of social engineering attacks, and how they can best be avoided.

Social engineering is a form of cyber attack in which criminals manipulate victims into handing over sensitive information. It is one of the biggest headaches for cybersecurity professionals these days.

Typically, an attacker will first try to fool their victim into believing that they’re trustworthy, often using information garnered from social media, before persuading them to hand over data or carry out actions that compromise security. Sometimes these criminals are trying to fool individuals into parting with cash or personal data; sometimes they’re attempting to steal corporate data in financially motivated attacks. Sometimes they’re sponsored by antagonistic nation states and are trying to bring down critical infrastructure or persuade political figures to reveal secrets. Either way, it can lead to significant losses, with IBM’s 2023 Cost of a Data Breach report finding that the average cost of a social engineering attack is $4.76 million.


While the term social engineering covers any type of psychological trickery designed to elicit money or personal data, attacks tend to fall into one of several patterns.

The most common types of attack include phishing, tailgating, pretexting, baiting and scareware (see below). With the exception of tailgating, they all depend on electronic means of communication, from phone calls and SMS to email and video. New technologies are making all these methods more effective, with AI increasingly used to craft more convincing communications; social media, meanwhile, can give attackers all the personal data they need to make their approach seem legitimate.


Phishing is by far the commonest type of social engineering — and it’s a growing trend, with Vade researchers finding that the number of attacks rose by 173% during the third quarter of 2023.

Avoid the bait.


Phishing involves contacting a victim via email, text (known as smishing) or a phone call (vishing) and using psychological techniques to trick them into revealing personal information or corporate data, or downloading malware. This usually means impersonating a business contact, a trusted institution such as a bank or even a family member, with attackers exploiting information they already have to make their lies more convincing. In one example, a Russian group known as Star Blizzard was found to be targeting defense and industrial organizations in the U.S. and U.K., impersonating known contacts of the target to persuade them to click a fraudulent link. While all phishing attacks are a form of social engineering, the two terms aren’t quite synonymous, as social engineering can also happen in person rather than electronically.


Not all social engineering attacks take place online: sometimes, they’re carried out in the real world. Tailgating is the art of gaining entrance to a physical location to steal information or otherwise do harm.

This is a particular risk at busy workplaces — for example those that have large numbers of employees checking in and out, or those that have frequent deliveries or visits from subcontractors. Criminals will attempt to slip through a door behind a legitimate visitor, perhaps with their hands full so that the person in front holds the door open for them. Other methods include posing as a courier or delivery driver, or claiming to have lost their ID or forgotten an access code.


Pretexting is the process of softening a victim up by the creation of a plausible story, and forms the central plank of any social engineering attack.

A cyber criminal may pose as a trustworthy person or organization — a boss, coworker or bank, for example — before setting up a particular scenario. Common examples include situations in which the victim is asked for urgent help, such as wiring money to a relative or boss. Other pretexting scams include emails offering lottery wins, cryptocurrency investments — or, in the case of romance scams, the love of the victim’s life. In many cases, the scammer spends significant time and effort setting up the fake scenario.


Baiting is just what it sounds like: the creation of an incentive to encourage the victim to take the hook. This could be a freebie, such as a prize or free movie, promised via a link to a malicious website.

Sometimes, the bait is physical, such as a USB stick left lying around, perhaps labeled with something intriguing such as ‘Confidential information’ or ‘Layoffs’. This was the attack method used by a China-linked hacker group called UNC53, discovered by security firm Mandiant in 2023: USB sticks left lying around in locations such as airport cafes and printing service shops were used to target more than 180 organizations in the U.S., Europe and Asia and deliver malware.


While baiting techniques tempt a victim in, scareware does the same thing by putting the pressure on. One common tactic is the pop-up ad claiming that the victim has malware on their computer, and urging them to install new security software.

Scareware is aptly named.


Scareware always has an element of urgency about it, with the victim encouraged to believe that disaster will soon strike if they don’t take immediate action. The fake ads are often extremely convincing, appearing to come from genuine antivirus suppliers, for example. In one recent example, Unit 42 researchers discovered a large-scale campaign dubbed ApateWeb that used a network of over 130,000 domains to deliver scareware, potentially unwanted programs and other scam pages.

In February 2024, personal finance journalist Charlotte Cowles revealed how she’d been persuaded to hand over $50,000 in cash after a complex social engineering scam, showing that anyone can fall victim. The elaborate scheme that fooled her involved a fake FTC investigator, a fake CIA agent and a highly detailed backstory; she lost $50,000 as a result.

In another example, 27 cloud customers of software development company Retool had their accounts compromised after an attacker posed as a member of the IT team and told recipients to click on a link to address a payroll-related issue. The social engineering began with an SMS message, but went on to involve a deepfake of the IT worker’s voice. The crypto industry, meanwhile, is a frequent target for social engineering attacks, with a recent report from blockchain analysis firm Chainalysis finding that phishing scams have been used to steal $1 billion worth of cryptocurrencies since May 2021. In one case, a crypto trader reportedly lost $5.1 million in Beam tokens after suffering a phishing attack.

Avoiding social engineering attacks essentially means being very, very suspicious. Individuals, whether at work or off-duty, should avoid opening unexpected emails without checking the source, or popping random USB sticks into their PC.

They should beware of any approach pitched as being very urgent, use a good spam filter and keep anti-malware and anti-virus software up to date. Unique passwords should be used for each account, along with two-factor authentication. Organizations, meanwhile, should train people to this effect, and also introduce simple reporting mechanisms for employees who believe something may be amiss. If the worst happens, passwords should be changed immediately, and a report filed with law enforcement or other relevant national bodies.
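The phishing and pretexting sections above describe the tell-tale signs of a fraudulent message: a sender who impersonates a colleague or IT team, a lookalike domain, urgency language, and a link whose visible text does not match where it really points. The script below is an added example (it is not from the original article or any product mentioned in it) that checks an email for those indicators, the kind of heuristic a spam filter or a security team's triage tooling applies before a human ever sees the message. The organization domain `example.com` and both sample messages are constructed for the example.

```python
"""Flag common phishing indicators in a raw email message.

Added example. ORG_DOMAIN and the two sample messages below are constructed
for illustration; nothing here refers to a real organization or campaign.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

ORG_DOMAIN = "example.com"  # assumed: the recipient organization's own mail domain
# Display-name phrases that a spoofed sender typically uses to borrow authority.
CLAIMED_ROLES = ("it support", "it team", "helpdesk", "payroll", ORG_DOMAIN.split(".")[0])
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "suspended", "act now", "right away")


def _domain_of_address(header_value):
    """Lowercase domain part of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance; small values flag lookalikes such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return the list of indicator names found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    found = []
    from_domain = _domain_of_address(msg.get("From"))
    reply_domain = _domain_of_address(msg.get("Reply-To"))
    display_name = parseaddr(msg.get("From", ""))[0].lower()

    # Gather text and links from every text part (single-part messages walk as one part).
    text, links = msg.get("Subject", ""), []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = (part.get_payload(decode=True) or b"").decode(
                part.get_content_charset() or "utf-8", "replace")
            text += " " + payload
            if part.get_content_type() == "text/html":
                collector = _LinkCollector()
                collector.feed(payload)
                links.extend(collector.links)

    # 1. Display name borrows an internal role, but the mail did not come from our domain.
    if from_domain != ORG_DOMAIN and any(role in display_name for role in CLAIMED_ROLES):
        found.append("display-name impersonation")
    # 2. Sender domain is a near-miss of the organization's domain.
    if from_domain != ORG_DOMAIN and 0 < _edit_distance(from_domain, ORG_DOMAIN) <= 2:
        found.append("lookalike sender domain")
    # 3. Replies are silently redirected to a third domain.
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to domain mismatch")
    # 4. Pressure to act before thinking (the scareware/pretexting hallmark).
    if any(term in text.lower() for term in URGENCY_TERMS):
        found.append("urgency language")
    # 5. Visible link text names one domain while the href points somewhere else.
    for href, visible in links:
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", visible.lower())
        host = (urlparse(href.strip()).hostname or "").lower()
        if shown and host and host != shown.group(0) and not host.endswith("." + shown.group(0)):
            found.append("link text/href mismatch")
            break
    return found


# Constructed sample: an "IT support" payroll lure from a lookalike domain.
PHISHING_SAMPLE = """\
From: IT Support <it-support@examp1e.com>
Reply-To: helpdesk@mail-verify.invalid
To: alice@example.com
Subject: URGENT: payroll record needs your confirmation
Content-Type: text/html; charset="utf-8"

<p>Your payroll details could not be processed. Please confirm at
<a href="https://example.com.payroll-fix.invalid/login">https://hr.example.com/payroll</a>
within 24 hours or your account will be suspended.</p>
"""

# Constructed sample: a routine internal notice with none of the indicators.
BENIGN_SAMPLE = """\
From: Payroll Team <payroll@example.com>
To: alice@example.com
Subject: June payslips are available
Content-Type: text/plain; charset="utf-8"

Your June payslip is now available in the HR portal at https://hr.example.com/payslips.
No action is needed.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", phishing_indicators(sample) or "no indicators")
```

The checks are deliberately cheap and independent, so each one can be tuned or disabled on its own; in practice a filter would weight them (a reply-to mismatch alone is common in legitimate mail, whereas a lookalike sender domain almost never is) and route anything scoring above a threshold to the reporting channel the article recommends rather than silently dropping it.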

Bottom Line

Human beings are gullible, and can often be the weakest link in a company’s cybersecurity strategy. A bit of healthy scepticism, staff training and basic security protections can help individuals and organizations minimize the risk.