What is Social Engineering in Cybersecurity? A Comprehensive Guide

Social engineering may sound like a type of PolySci degree or social media management specialization. However, the reality of social engineering is much more sinister.

Social engineering is a cyberattack that uses psychological manipulation to convince individuals to divulge sensitive information or grant unauthorized access.

As organizational attack surfaces have expanded — due to increased remote work and expansion in cloud services and digital communication channels — the opportunities for social engineering attacks have grown as well. Once inside, an attacker masquerades as a legitimate user and moves freely through your network, probing your security, installing backdoors, spying on your communications, and stealing your sensitive data.

These attacks also cost victims more and more every year. For example, business email compromise (BEC) complaints (a common form of social engineering) were first included in the 2014 FBI Internet Crime Complaint Center (IC3) report, but, as the report states, this type of scam may have started appearing as early as 2010. Since the IC3 started calculating the losses caused by BEC scams in 2014 ($226 million), the cost has risen almost 13x.

In this comprehensive guide, we’ll define social engineering, explore techniques commonly used by threat actors, discuss real-world examples of successful social engineering attacks, and offer strategies for protecting your organization.

• Simplified definition of social engineering
• Why is social engineering a significant threat to cybersecurity?
• What is the cost of a social engineering attack?
• Common types of social engineering attacks
• Real-world examples of social engineering attacks
• How can you protect against social engineering attacks?
• How to combat the growing threat of social engineering

Simplified definition of social engineering

Unlike other cybersecurity threats that exploit technical vulnerabilities, social engineering targets humans, making it particularly insidious and effective because human reactions are unpredictable.

In social engineering attacks, cybercriminals play with their victims’ fears and emotions. Some common red flags of this attack type include:

• The sender domain mimics an official brand, also called spoofing, hoping victims will overlook minor oddities in the sender’s email address
• Attackers may use compromised email accounts to send spam and unusual requests to the victim’s contacts, meaning social engineering attacks can often appear legitimate
• Scammers may promise rewards that seem too good to be true or ask for personal data

Why is social engineering a significant threat to cybersecurity?

Even with the most robust security measures, a single employee who falls for a social engineering attack can compromise your entire organization. Once inside, the attacker can move laterally, silently poking around your infrastructure to find security vulnerabilities and pinpoint critical assets and data that can be stolen or exploited. They can install backdoors and other malicious software that allow them to come and go as they please, taking data (resulting in fines, legal action, and loss of trust) and destroying files (and your reputation).

As a final assault, they will slip back in through the backdoors they installed and use your infrastructure to distribute malware, send phishing emails, or conduct denial-of-service attacks — all while making it seem like your organization is to blame.

What is the cost of a social engineering attack?

The financial cost of social engineering attacks can be staggering. In 2023, the Verizon Data Breach Investigations Report (DBIR) found that 17% of U.S. data breaches and 10% of cyber incidents were caused by social engineering.

But that isn’t the full price; there will be long-lasting, intangible damages that are difficult to quantify, including:

• Customers, partners, and investors will lose trust, leading to decreased business and brand value
• Fines, penalties, breach notifications, and potential lawsuits can result in substantial financial and legal burdens
• Shutdowns for investigations and remediation can significantly impact productivity and business continuity
• Lost trade secrets and proprietary information can erode market advantage

However, investment in prevention, detection, and effective response to these threats can minimize the long-term consequences of a successful attack.

Common types of social engineering attacks

Social engineering attackers employ various tactics to exploit human vulnerabilities. They can be used independently or strategically combined to maximize their effectiveness. Malware and ransomware are often leveraged with social engineering techniques to launch cyberattacks and deploy malicious software, which can cause significant business disruption, financial losses, and reputational damage.

[Read also: The ultimate guide to ransomware defense]

Here are ten of the most common social engineering techniques:

1. Baiting
   Baiting exploits human curiosity and our desire for freebies, tricking victims into revealing confidential information (e.g., social security numbers, date of birth, etc.) or installing malware through malware-infected USB drives, fake free content, or phishing sites.
2. Business email compromise
   BEC scams often impersonate executives to create a sense of urgency and establish authority. They can also trick the victim into transferring funds to the attacker’s account or revealing sensitive information.
3. Phishing attacks
   Phishing campaigns, websites, or instant messages impersonating legitimate organizations, such as banks or government agencies, trick victims into divulging information such as credit card or bank account numbers.
4. Pretexting
   Attackers may impersonate authority figures, such as law enforcement, tax officials, or IT support, to convince victims to divulge sensitive information.
5. Quid pro quo
   Quid pro quo attacks exploit our human tendency to reciprocate favors and trust authority figures. Attackers may offer services or gifts in exchange for login credentials or personal data.
6. Smishing
   Smishing (SMS phishing) uses text messages. It is effective because people trust SMS more than email, and mobile devices often have fewer security features than computers.
7. Spear phishing
   Spear phishing is highly targeted phishing that focuses on specific individuals or organizations. Attackers research their targets to craft convincing messages, which are difficult to detect because the obvious red flags of generic phishing scams are missing.
8. Tailgating / piggybacking
   Tailgating and piggybacking attacks involve physically following an authorized person into a restricted area. This in-person attack type exploits our tendency to be helpful and relies on our assumption that a person in an authorized area is supposed to be there.
9. Vishing
   Vishing (voice phishing) attackers establish credibility and trust by impersonating legitimate organizations’ representatives. They use phone calls or voice messages and rely heavily on urgency and fear to motivate victims to quickly reveal sensitive information or compromise security.
10. Watering hole attacks
    In watering hole attacks, the attacker compromises a website frequently visited by a specific group (i.e., company employees, industry members, etc.), infecting it with malware or malicious scripts that exploit victims’ trust in the site.

Real-world examples of social engineering attacks

BEC: Nigeria — North Carolina — Texas

Two Nigerian scammers used a BEC scheme to attempt a $5 million fraud from North Carolina and Texas universities and businesses. After learning that university construction projects were managed by a single large company, they registered a similar domain. Using a spoofed email address, they convinced university employees in North Carolina to wire more than $1.9 million to a fraudulent bank account. They used the same methods to try to steal more than $3 million in Texas.

The co-conspirators now face lengthy prison sentences and must pay restitution and a monetary judgment. However, restitution will be slow — if ever — and can never cover the entire cost of the damages.

Phishing — Minnesota

Cottage Grove, Minnesota, city administrators fell victim to a phishing scam costing taxpayers more than $1.2 million. The city had a $3.5 million contract with Geislinger & Sons for a sewage treatment project.

Using a fake email domain, scammers convinced administrators to send funds to a fraudulent bank account. The scam came to light after the real company requested outstanding payments. Federal agents traced some of the funds to the U.K. and are working to recover them.

Ransomware — Las Vegas

According to their mandatory regulatory filing with the Securities and Exchange Commission (SEC), Caesars Entertainment Inc. paid tens of millions in ransom to Scattered Spider, a hacker group using Bring Your Own Vulnerable Driver (BYOVD) to evade endpoint detection and response solutions to breach their network. The hackers first used a social engineering scheme to breach an outside IT vendor and then accessed Caesars’ network to copy its loyalty program database, including personally identifiable information (PII).

Within days, Scattered Spider, working in concert with AlphV, launched an elaborate pretexting scheme against MGM International. Impersonating an MGM Resorts employee they’d researched on LinkedIn, they convinced MGM’s IT Help Desk to divulge enough information to allow them to access administrator privileges to MGM’s Okta and Azure tenant environments. MGM security discovered unusual traffic the next day, so AlphV admitted to sniffing passwords on the Okta servers and immediately deployed ransomware. MGM’s SEC filing reported $100 million in losses.

How can you protect against social engineering attacks?

To protect against social engineering attacks and strengthen the “human firewall,” organizations must adopt a multi-faceted approach that combines employee education, seamless security measures, and effective identity and access management.

4 ways to deploy a human firewall against social engineering attacks

1. Conduct frequent employee security awareness training

• Include social engineering tactic identification, safe browsing, and sensitive data handling
• Use gamification and interactive methods for memorable training
• Tailor training to roles to address unique security challenges

2. Follow security cyber hygiene best practices

• Implement single sign-on (SSO) and password management to ensure strong passwords
• Enforce Zero Trust with multi-factor authentication (MFA) for critical systems and applications
• Use risk-based authentication to reduce friction

3. Improve access controls

• Only give access to the resources and data employees need for their jobs — regularly review and update permissions
• Monitor user activity and access patterns to spot anomalous behavior
• Minimize human error and reduce your IT team’s burden by automating access management

[Read also: What is Active Directory security? Risks and best practices]

4. Establish incident response and reporting processes

• Define clear procedures for handling and reporting suspected attacks
• Encourage fearless reporting of suspicious activities, such as phishing emails
• Monitor endpoints for risk and more easily detect, investigate, and hunt incidents to contain discovered threats in real time and mitigate damage

How to combat the growing threat of social engineering

Unfortunately, no single solution or strategy can completely protect against these increasingly sophisticated and manipulative attacks. To best combat threats, organizations must adopt comprehensive, multi-layered security policies starting with Zero Trust, which means no user, device, or network is trusted without first being verified. With Zero Trust in place, organizations can more easily maintain an agile security model that reduces their attack surface and security risks by ensuring sensitive data is only accessed by the users who need it.

Learn more about Tanium for Zero Trust

The next layer should be the fortification of your “human firewall.” Education is part of that shield, but successful user adoption must also include a great digital employee experience (DEX). It’s becoming increasingly frustrating for employees to find the information and tools needed to do their jobs. Without an effective employee experience strategy, organizations may see productivity drop, retention plummet, and adherence to cyber hygiene best practices thrown out the window.

Finally, your organization needs effective access control policies and comprehensive visibility into its environment to detect, investigate, and remediate potential threats promptly. By ensuring that only the right people have the right access at the right times and by maintaining clear oversight of system activities, organizations can significantly reduce their risk profile and enhance their ability to respond to and recover from social engineering incidents.

---

Tanium’s Converged Endpoint Management (XEM) platform empowers you to manage and secure your endpoints from a single console, with a number of available solutions built to solve modern-day IT challenges. For example, our DEX solution offers a real-time window into your employees’ digital interactions, such as tracking endpoint and application data, measuring and reporting on employee sentiment, and the ability to use these insights to address issues to maintain employee productivity proactively. By taking a proactive stance to ensure a seamless digital environment at your organization, employee experience management becomes a cornerstone of your IT strategy.

With Tanium, you gain real-time visibility into your endpoint devices — and the tools you need to streamline, simplify, and support your ability to protect business-critical assets. This includes our vision for Autonomous Endpoint Management (AEM), which will use composite artificial intelligence to provide intelligent automation and decision-making capabilities for managing IT endpoints. You can request a demo today to see for yourself.