
What Is a Social Engineering Attack? How They Happen, Why They Work, and How To Prevent Them

Social engineering cyberattacks use psychological manipulation to trick victims into sharing sensitive data, interacting with malware, or paying a fraudulent invoice. Criminals use false pretexts and manufactured urgency or implicit trust to dupe a target. This is often done by posing as an authority figure or a trusted colleague, either by compromising their account or simply impersonating them.

Social engineering attacks differ from other cyberattacks in that they don’t rely on technical skills. An unsophisticated attacker can steal confidential information and money through manipulation alone, whereas many other cyberattacks rely on advanced methods to compromise a computer, network, or system.

Since social engineering relies on the human element, it’s difficult to defend against. Even organizations with robust top-to-bottom security architecture can fall victim. The FBI cybercrime report found that business email compromise (BEC), a popular form of social engineering, cost organizations $2.4 billion in 2022.

How Do Social Engineering Attacks Happen?

Consider this six-step example of a typical social engineering attack:

  1. An attacker identifies an organization to target.

  2. They gather information like employee names, departments, job titles, and vendors.

  3. The attacker creates a fake email address that impersonates an executive.

  4. Using the executive's name, the attacker sends a fake invoice to an employee in the accounting department.

  5. The email contains urgent language, stating that the invoice must be paid immediately.

  6. The employee is tricked by the fake email address and the manufactured urgency, and they approve the invoice.

This is a simplified example of a scenario that plays out frequently. An attacker can identify targets and gather information from publicly available sources like company websites and LinkedIn.

It’s not just executives that criminals impersonate or compromise to launch attacks. Employees in HR, helpdesk, and accounting departments are common targets for impersonation. And beyond internal employees, criminals frequently impersonate vendors in a company’s supply chain.

While the target, execution, and payout may differ, the goal of every social engineering attack is the same: manipulate and trick unsuspecting victims.

Why Do Cyber Attackers Commonly Use Social Engineering Attacks?

Social engineering is a common tactic for criminals, and it’s growing in frequency and severity. Here’s why:

  • It has a low barrier to entry: Hacking a network to steal login credentials takes technical expertise and effort. Tricking a person into clicking a dangerous link, downloading an attachment, or paying an invoice is an easier route.

  • It pays: According to the FBI, a successful business email compromise attack cost organizations $120,000 on average in 2021. This substantial payout makes social engineering an attractive choice for attackers.

  • It evades traditional security: Legacy security products focus on identifying and stopping known red flags like malicious attachments and suspicious URLs. Threat actors can successfully commit a social engineering attack without alerting traditional defenses.

  • It works: Verizon’s 2022 Data Breach Investigations Report found that 82% of data breaches involved the human element. Attackers notice successful intrusions and incorporate methods that work.

Social Engineering Attack Examples

Here’s a common example of a social engineering Facebook phishing attack that Abnormal Security caught.

[Image: Facebook phishing email] A socially engineered phishing attempt from a spoofed Facebook email.

While the spoofed email appears to come from “Facebook Mail,” that is only an altered display name; the message actually comes from a random Gmail account. The link looks like a legitimate Facebook URL, but in reality it redirects to a different URL hosting an imitation site for credential phishing. Finally, the email manufactures urgency by threatening to shut down the account within 48 hours.
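One way to automate the three checks described above (brand in the display name versus the real sender domain, visible link text versus the real link destination, and urgency wording). This is an added example, not code from the original post or from Abnormal Security's product; the sample message, the brand-to-domain list and the urgency keyword list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the spoofed "Facebook Mail" message above.
SAMPLE = """\
From: "Facebook Mail" <notifications.fb.team@gmail.com>
To: victim@example.com
Subject: Your account will be disabled within 48 hours
Content-Type: text/html

<p>We detected a policy violation. Confirm your identity immediately or
your account will be shut down in 48 hours.</p>
<a href="http://fb-security-check.example.net/login">https://www.facebook.com/settings</a>
"""

# Assumed brand-to-domain allow list; a real deployment would maintain this centrally.
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}}
URGENCY = re.compile(r"\b(immediately|within \d+ hours|expires? today|shut down)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def display_name_mismatch(from_header):
    """Flag a display name that claims a brand while the address is on another domain."""
    display, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    return [f"display name claims {b} but sender domain is {sender_domain}"
            for b, domains in BRAND_DOMAINS.items()
            if b in display.lower() and sender_domain not in domains]

def link_mismatches(html):
    """Flag anchors whose visible URL text names a different host than the real href."""
    out = []
    for href, text in ANCHOR.findall(html):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            out.append(f"link text shows {shown} but points to {real}")
    return out

def analyze(raw):
    """Return every social-engineering indicator found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = display_name_mismatch(msg["From"]) + link_mismatches(body)
    findings += [f"urgency cue: {hit.lower()}"
                 for hit in URGENCY.findall(msg["Subject"] + " " + body)]
    return findings
```

Running `analyze(SAMPLE)` flags all three signals from the post's example; in practice the brand list and keyword list would be tuned per organization and combined with behavioral context rather than used alone.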

Abnormal caught a similar attempt where attackers used social engineering to pose as a university’s IT team to phish credentials:

[Image: university support email phishing attempt] A credential phishing link from a fake university IT team email.

The attacker sent spoofed emails with password expiration warnings to students at the university. Like other social engineering attacks, this message is urgent, notifying recipients that their passwords expire today. The email includes a link to a malicious login page with the university’s logo, further confusing students. Once they enter their login credentials, the attacker can compromise their account.

Lastly, a famous example: a Lithuanian man used social engineering tactics to steal $120 million from Google and Facebook. He used fake email accounts and domains to impersonate Quanta, a Taiwanese manufacturer, to send fraudulent invoices to employees. Since Facebook and Google worked with Quanta, the employees believed the invoices were authentic.

Types of Social Engineering Attacks

Social engineering is a tactic used in a wide range of cyberattacks and scams. These are some of the most common attacks that harness social engineering:

  • Phishing: Perhaps the most common social engineering attack, phishing threats aim to trick recipients into revealing confidential information, sending money, or installing malware. While email is the most common type of phishing, attackers also use texts and phone calls.

  • Spear phishing: Regular phishing attacks often send mass emails to a large group of recipients. Spear phishing, on the other hand, targets specific victims with personalized emails impersonating someone trustworthy. It’s a more advanced and effective form of social engineering since it requires in-depth research to execute.

  • Pretexting: These are the made-up scenarios that attackers use to trick victims into revealing information. While phishing uses urgency, pretexting relies on building trust. A criminal may use pretexting to impersonate IT staff and request login credentials, for example.

  • Executive impersonation: Also known as CEO fraud, this tactic combines spear phishing and pretexting. Attackers impersonate a CEO and ask employees to pay an invoice, send confidential information, or click a suspicious link. Recipients are more likely to overlook suspicious signs when they believe a message is from an important executive.

  • Romance scams: Scammers use online dating sites and apps to build romantic relationships with unsuspecting victims. Eventually, they’ll come up with a pretext to convince the victim to send them money.

Social Engineering Attack Tactics

Regardless of the attack specifics, social engineering scams usually share these tactics and principles:

  • Authority: Social engineering attacks leverage authority to trick targets. People are more likely to follow instructions when they’re coming from a supposed authority figure, especially if they think they’ll get in trouble. That’s exactly what’s happening when criminals pretend to be the IRS or a CEO and pressure a victim to share sensitive data or money.

  • Intimidation: Closely related to authority, this tactic threatens targets with punishment if they don’t comply, but it relies more on fear than on deference: “if you don’t do this, you’ll be arrested, fired, or fined.”

  • Urgency: Most social engineering attacks rely on a sense of urgency to make victims act quickly without noticing suspicious signs. Messages prompt targets to pay an invoice or reset their password within 24 hours, for example.

  • Familiarity and trust: Victims are more likely to share sensitive information or download malware if it comes from someone they know and trust. That’s why attackers impersonate a victim’s friend, colleague, or manager when conducting social engineering scams.

Criminals frequently combine these tactics. In a CEO fraud example, attackers impersonate a trusted authority figure like an executive, using intimidation and urgency to trick victims into complying.

How Organizations Can Prevent Social Engineering Attacks

Since social engineering attacks target humans instead of networks and computers, prevention and mitigation are tricky. They require strong security programs combined with user training. That includes software that identifies social engineering attacks and

  1. Multifactor authentication: Requiring more than one proof of authentication to access an account is a cornerstone of zero-trust security. It helps ensure that a single leaked password doesn’t lead to account takeover.

  2. Email security: Email is the primary threat vector for social engineering attacks. Traditional email security software looks for known indicators of compromise like URLs, attachments, and domain reputation, so it misses dangerous socially engineered emails. Organizations need modern email security with the following features:
    • Context-based email analysis: Many social engineering emails are text-only, meaning they bypass secure email gateways. A solution that monitors anomalous behavior and email context can spot suspicious requests and potential account takeovers.

    • Email filtering: Prevent malicious emails from landing in user inboxes with effective email filters that can catch spam and graymail.

    • An eye on internal emails: After an account takeover, attackers use the compromised account to target other internal accounts. Since many email security solutions don’t monitor East-West traffic, there’s a blind spot.

  3. Penetration testing: Identify existing security gaps and weaknesses with a pen-test. Exploiting your organization’s vulnerabilities gives you insight into potential avenues for social engineering attacks. Make sure the pen-test is tailored to your org’s industry, including unique risks.

  4. Security awareness training: Since social engineering scams target end-users, give them the tools to identify these attacks. Security awareness training helps users spot a potential social engineering attack. Like pen-testing, training should focus specifically on your organization’s industry.

Want to see how Abnormal Security identifies and prevents pervasive social engineering cyberattacks? Get a demo.
