14 Types of Social Engineering Attacks

Social engineering is not new to organizations or to cyber security professionals. But what exactly is a social engineering attack? Social engineering is the act of manipulating people into compromising security, whether by giving up confidential information, granting access, or carrying out an action such as a payment on the attacker's behalf.

Cybercriminals use a range of social engineering tactics to carry out their attacks. The first step to countering them is recognizing the techniques in use.

So what are the different types of social engineering attacks, and why do attackers rely on them so heavily? Because it is usually cheaper to persuade a person than to defeat a well-configured system.

Below are 14 types of social engineering attacks common in the cyber world.

Pharming

Pharming redirects victims from a legitimate website to a look-alike controlled by the attacker, usually without the victim clicking anything suspicious. Rather than persuading the user, the attacker tampers with name resolution: malware rewrites the victim's hosts file or local DNS settings in the background, or the resolver the victim relies on is poisoned (see DNS Spoofing below). The fake site then harvests usernames, passwords, and other sensitive information, with identity theft or account takeover as the end goal. Because the address bar still shows the expected domain name, pharming is harder to spot than a phishing link.

Tabnabbing/Reverse Tabnabbing

Tabnabbing covers two related tricks. In classic tabnabbing, a page left open in a background tab quietly rewrites itself into a look-alike login page, counting on the user to come back and sign in without checking the address bar. In reverse tabnabbing, a link opened in a new tab (target="_blank") without rel="noopener" leaves the newly opened page with a window.opener reference, which it can use to navigate the original tab to a fraudulent site and capture login details there. The weakness is not in static websites as such but in how the link is opened: current major browsers treat target="_blank" anchors as noopener by default, but window.open() calls without the noopener feature, and older browsers, still expose the opener.
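The check a practitioner would run against a site's own templates, as an added example that is not part of the original article: a small Python audit that lists links opening a new tab without rel="noopener" (or rel="noreferrer", which implies it) and shows the rel value that closes the hole. The HTML and the hostnames in it are constructed for the example.

```python
"""Audit HTML for links that hand the new tab a window.opener reference.

Added example, not code from the original article. A link with
target="_blank" and no rel="noopener" (or rel="noreferrer", which implies
it) gives the opened page a reference to the opener, which is what
reverse tabnabbing abuses. Standard library only.
"""
from html.parser import HTMLParser

SAFE_REL_TOKENS = {"noopener", "noreferrer"}


class _LinkCollector(HTMLParser):
    """Collect the attributes of every <a> and <area> tag."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            # attrs is a list of (name, value); value may be None
            self.links.append({k: (v or "") for k, v in attrs})


def is_tabnabbing_prone(attrs):
    """True if the link opens a new tab but keeps an opener reference."""
    if attrs.get("target", "").strip().lower() != "_blank":
        return False
    rel_tokens = set(attrs.get("rel", "").lower().split())
    return not (rel_tokens & SAFE_REL_TOKENS)


def find_tabnabbing_links(html):
    """Return the hrefs of all links in `html` that are prone to the attack."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    return [a.get("href", "") for a in collector.links if is_tabnabbing_prone(a)]


def harden_rel(attrs):
    """Return a rel value that closes the hole while keeping existing tokens."""
    tokens = attrs.get("rel", "").split()
    if not (set(t.lower() for t in tokens) & SAFE_REL_TOKENS):
        tokens.append("noopener")
    return " ".join(tokens)


# Constructed sample page for the example; the domains are not real sites.
SAMPLE_HTML = """
<ul>
  <li><a href="https://partner.example/login" target="_blank">Partner portal</a></li>
  <li><a href="https://docs.example/" target="_blank" rel="noopener noreferrer">Docs</a></li>
  <li><a href="https://status.example/" target="_self">Status</a></li>
  <li><a href="https://blog.example/" rel="nofollow" target="_BLANK">Blog</a></li>
</ul>
"""

if __name__ == "__main__":
    for href in find_tabnabbing_links(SAMPLE_HTML):
        print("opener exposed:", href)
```

Two of the four links are flagged: the one with no rel at all and the one whose rel only carries nofollow. Current browsers imply noopener for target="_blank" anchors, so the audit matters most for window.open() calls in scripts (pass "noopener" in the features string) and for users on older browsers; adding rel="noopener" costs nothing and removes the dependency on browser defaults.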

Scareware

Scareware plays on fear rather than curiosity. Pop-ups or fake scan results tell users their computer is infected with malware, then push them to buy or install "security software" that is itself malware, or that simply collects their payment card details. The alarming warning is the social engineering; the purchase or install is the payload.

Email Hacking

Email hacking involves attackers gaining unauthorized access to victims' email accounts, or convincingly imitating them. Cybercriminals use several techniques to get there; the following are some of the most common.

BEC (Business Email Compromise)

Business Email Compromise (BEC) is an email scam in which the attacker either takes over a real business mailbox or convincingly spoofs one (a look-alike domain, a forged display name) to impersonate an executive or a trusted vendor. The fraudulent message asks an employee, partner, or customer to wire funds, change the payment details on an invoice, or hand over sensitive data. BEC most often targets companies that routinely make wire transfers and work with overseas clients or suppliers, where an urgent payment request to a new account does not look out of place.

Spam

Spam is bulk unsolicited email sent to large numbers of recipients, either by people or by botnets (networks of malware-infected computers under an attacker's control). Not all spam is an attack, but malicious spam aims to get recipients to open attachments or click links that install malware, or to share sensitive data.

Phishing

Phishing is the most common email-borne social engineering method. The attacker sends emails that impersonate a trusted sender (a bank, a colleague, a service provider) and carry links to credential-harvesting pages or malicious attachments. The goal is to steal money or identities by getting you to reveal confidential data or install malware.

Other Phishing Types

Attackers keep refining their tactics, and phishing has branched into several more targeted variants.

Spear-phishing

Spear-phishing is a targeted attack in which criminals pose as a legitimate source to convince specific victims to reveal personal, financial, or other sensitive data. Unlike bulk phishing, it requires reconnaissance on the target beforehand, so that the lure can reference real colleagues, projects, or vendors.

Angler Phishing

Angler phishing, named after the anglerfish, is a newer scam that runs on social media. Attackers create fake accounts posing as a company's customer service team, watch for customers who complain publicly, and reply to them with links or requests for account details.

Whaling/CEO Fraud

Whaling, or CEO fraud, is phishing aimed at high-level individuals such as chief executive officers, chief financial officers, or board members, or carried out in their name. The attacker aims either to steal sensitive information from the executive or to borrow the executive's authority to push employees into approving large transfers or disclosing asset details.
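The header checks a mail team would run for the impersonation tricks described under BEC, phishing, and whaling, as an added example that is not part of the original article: it flags an executive's name in the display name on an external address, a Reply-To that points somewhere other than the From domain, a From domain that is a look-alike of the organization's own, and a failing SPF/DKIM/DMARC verdict. PROTECTED_DOMAIN, EXECUTIVES, and both sample messages are assumptions constructed for the example.

```python
"""Header triage for the impersonation tricks behind phishing and BEC.

Added example, not code from the original article. It parses a raw
message with the standard library and flags four things: an executive's
name in the display name while the address is external, a Reply-To on a
different domain than From, a From domain that is a look-alike of the
protected domain, and a failing SPF/DKIM/DMARC verdict in
Authentication-Results. PROTECTED_DOMAIN, EXECUTIVES, and the sample
messages are assumptions constructed for the example.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "example.com"        # assumed: the organisation's own domain
EXECUTIVES = {"jane doe"}               # assumed: names attackers like to borrow
FAILING_VERDICTS = {"fail", "softfail", "permerror"}
# Character swaps attackers use so a domain reads like the real one.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def domain_of(address):
    """Lower-cased domain part of an RFC 5322 address, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalize_domain(domain):
    """Undo the common homoglyph substitutions before comparing domains."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def is_lookalike(domain, protected=PROTECTED_DOMAIN):
    """True for domains that are not `protected` but read almost like it."""
    if not domain or domain == protected:
        return False
    if normalize_domain(domain) == protected:
        return True
    return SequenceMatcher(None, domain, protected).ratio() >= 0.85


def triage(raw_message):
    """Return a list of finding codes for one raw message (empty if clean)."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    if display_name.strip().lower() in EXECUTIVES and from_domain != PROTECTED_DOMAIN:
        findings.append("executive_display_name_external")
    if is_lookalike(from_domain):
        findings.append("lookalike_domain:" + from_domain)
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch:" + reply_domain)
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header.lower()):
            if verdict in FAILING_VERDICTS:
                findings.append(f"auth_fail:{method}={verdict}")
    return findings


# Constructed messages for the example; the domains are not real senders.
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@exarnple.com>
Reply-To: accounts@payments-mail.test
To: cfo@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=exarnple.com; dkim=none

Please process the attached wire before noon and keep this confidential.
"""

CLEAN = """\
From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

See you at noon.
"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS))
    print(triage(CLEAN))
```

The suspicious message trips all four checks: "exarnple.com" normalizes to the protected domain once "rn" is read as "m", the Reply-To steers answers to a third domain, and the receiving server's own Authentication-Results header records an SPF failure. None of these checks needs the message body, which is why they belong in a mail gateway rule rather than in user training alone.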

Access Tailgating

Access tailgating is a common physical security breach in which an unauthorized person follows an authorized one into a restricted area. It exploits ordinary courtesy: the most common example is holding the door for a stranger walking in behind you.

Baiting

Baiting is one of the simplest social engineering techniques. Like phishing it relies on a lure, but the lure is a false promise of a reward that plays on curiosity or greed: free movie or software downloads that ask for login details before delivering, or infected USB drives left where targets will find and plug them in.

DNS Spoofing

DNS spoofing, also known as DNS cache poisoning, is an attack in which the cybercriminal plants forged records in a DNS resolver's cache so that a legitimate domain name resolves to an attacker-controlled address. Users who type the correct address land on a look-alike of the intended site, are prompted for their login credentials, and hand them to the attacker.
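The two resolution-tampering checks a practitioner would want for the Pharming and DNS Spoofing entries above, as an added example that is not part of the original article. The first finds hosts-file entries that pin a public hostname to an attacker's address, which is how pharming malware works on the victim's machine. The second inspects a DNS reply the way a careful resolver does: it confirms the reply answers the question that was asked and rejects records whose owner name lies outside the zone the queried server is responsible for (out of bailiwick), which is the raw material of cache poisoning. The hostnames, addresses, and the query/reply pair are constructed.

```python
"""Two checks against tampered name resolution.

Added example, not code from the original article. The first finds
hosts-file entries that pin a public hostname to an attacker's address,
the technique pharming malware uses on the victim's machine. The second
inspects a DNS reply for records whose owner name lies outside the zone
the queried server is responsible for (out of bailiwick), the raw
material of cache poisoning, and confirms the reply answers the question
that was asked. Hostnames, addresses, and the reply are constructed.
"""
import ipaddress


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def hosts_overrides(text, watched):
    """Watched hostnames mapped anywhere other than loopback or 0.0.0.0.

    Loopback and the unspecified address are the normal ad-blocking idiom;
    anything else for a public name is a pharming indicator.
    """
    watched = {w.lower().rstrip(".") for w in watched}
    hits = []
    for ip, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((name, ip))
    return hits


def in_bailiwick(name, zone):
    """True if `name` is `zone` or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def reply_matches_query(query, reply):
    """A resolver must drop replies whose ID or question does not match."""
    return (reply["id"] == query["id"]
            and reply["question"]["name"].lower() == query["question"]["name"].lower()
            and reply["question"]["type"] == query["question"]["type"])


def out_of_bailiwick(reply, zone):
    """Records a resolver must not cache because the server cannot vouch for them."""
    bad = []
    for section in ("answer", "authority", "additional"):
        for rr in reply.get(section, []):
            if not in_bailiwick(rr["name"], zone):
                bad.append((section, rr["name"], rr["type"], rr["data"]))
    return bad


# Constructed hosts file: one benign ad-block entry and one pharming entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.tracker.test      # ad blocking, harmless
203.0.113.9 www.bank.test         # public bank name pinned to an attacker IP
"""

# Constructed exchange with the server authoritative for example.test; the
# last additional record tries to smuggle in an answer for an unrelated bank.
QUERY = {"id": 0x1A2B, "question": {"name": "www.example.test", "type": "A"}}
REPLY = {
    "id": 0x1A2B,
    "question": {"name": "www.example.test", "type": "A"},
    "answer": [{"name": "www.example.test", "type": "A", "data": "198.51.100.7"}],
    "authority": [{"name": "example.test", "type": "NS", "data": "ns1.example.test"}],
    "additional": [
        {"name": "ns1.example.test", "type": "A", "data": "198.51.100.1"},
        {"name": "www.bank.test", "type": "A", "data": "203.0.113.9"},
    ],
}

if __name__ == "__main__":
    print(hosts_overrides(SAMPLE_HOSTS, ["www.bank.test", "ads.tracker.test"]))
    print(reply_matches_query(QUERY, REPLY), out_of_bailiwick(REPLY, "example.test"))
```

The hosts check reports only the bank entry, since 0.0.0.0 is the harmless blocking idiom. The reply passes the ID and question match, but the bailiwick check isolates the smuggled www.bank.test record: the example.test server has no authority over bank.test, so a resolver that cached it would send every later visitor to the attacker's address, which is exactly the pharming outcome described above. Real resolvers add randomized source ports and DNSSEC validation on top of these two checks.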

Pretexting

Pretexting is one of the simplest social engineering attacks: the cybercriminal invents a scenario to convince the victim to divulge private information or grant access to network resources. The perpetrator builds a convincing story, or pretext, usually posing as a legitimate authority such as IT support, an auditor, or a vendor, to fool the victim.

Physical Breaches

Physical breaches are not the first social engineering example that comes to mind, but some incidents involve the outright theft of confidential documents and hardware such as laptops and storage drives. They are often enabled by tailgating or other unauthorized access to the company's premises.

Watering Hole Attacks

A watering hole attack is a targeted exploit in which attackers compromise a website that members of a specific group visit often, so that visitors from that group are served malware. The aim is to infect the victims' computers and gain access to their network resources.

Quid Pro Quo

Quid pro quo is another common social engineering attack: the attacker offers a benefit in exchange for information. A typical example is a call from an unknown number claiming to be a technical support specialist for a service you use, who asks for credentials or other critical data in order to "fix" a problem.

Diversion Theft

Diversion theft, also known as the "corner game," began as an offline crime in which perpetrators intercept deliveries by redirecting them to the wrong location. It now has an online form: attackers persuade victims to send goods, payments, or information to the wrong recipient.

Honey Trap

A honey trap is a social engineering attack that uses a fake romantic or sexual relationship to compromise networks and coax people into divulging critical information. The attacker typically creates an attractive fake profile, identifies targets, and befriends them to gain their trust before asking for anything.

Advance Fee Scams

Advance fee scams are a classic social engineering technique: the attacker asks the target to pay a fee up front before receiving promised services, goods, or a larger sum of money that never arrives. The notorious "Nigerian Prince" emails are the best-known example.

Conclusion

Social engineering attacks succeed because of human error and a failure to recognize the patterns attackers reuse. Organizations therefore need to educate employees on how these attacks work and what they cost.

Our blog features articles on each attack type mentioned above. Check them out to understand different types of social engineering attacks and how to prevent them.