What is social engineering?

Social engineering refers to a number of techniques used to deceive victims into revealing confidential information or carrying out the attacker’s wishes. Learn to spot social engineering attacks.

What is social engineering?

Social engineering encompasses various manipulation techniques to trick users and steal their personal information, money, login credentials, and more. At the core of social engineering is exploiting people’s good intentions and human faults, which is why a successful attack requires an under­standing of human psychology. Social engineering attacks use human inter­action to deceive targets.

Both individual users and organizations are tempting targets for social engineering attacks. Employees of large companies and organizations are often targeted by social engineers to gain access to confidential business information, computer systems and other valuable assets. A single mistake can expose the entire organization to attacks, so employee training and cyber awareness education are needed to protect the whole organization.

How does a social engineering attack work?

Most social engineering attacks follow a similar pattern:

  1. Identifying the victim and gathering information about them.
  2. Approaching the victim under a false identity and a made-up narrative.
  3. Executing the attack after gaining the victim’s trust.
  4. Ending the attack and cleaning up traces that could get the attacker caught.

The goals of social engineering attacks include gaining access to confidential information, directing the user to malicious web­sites, getting the victim to down­load a virus or send money to the attacker. To get their victims to do as they please, social engineers often claim to be someone the victim trusts. This can be their boss, a governmental entity, or someone the victim knows in real life. Some social engineering attacks are used to gain access to a physical device or the targeted organization’s premises.

Often social engineers rely on a sense of urgency, so that their targets do not have time to think. Criminals can also threaten or black­mail the victim to do as they are told. Social engineering attacks are often well-planned scams. The attacker can gather information about their victim before making first contact. The attacks can also target many victims simultaneously.

Because all social engineering techniques rely heavily on people behaving in a predictable manner, social engineering has been referred to as human hacking. By pulling the right strings, online criminals and scammers can make their victims do things that most would consider unlikely — until they become a victim them­selves.

How to prevent social engineering attacks

Because social engineering relies on human error, attacks cannot be prevented only by fixing errors in soft­ware. Luckily, individual users and organizations can do a lot to stop a social engineering attack.

  • Use multi-factor authentication to protect your accounts.
  • Do not click suspicious links or down­load sketchy files.
  • Ensure the recipients’ identity before giving away sensitive information.
  • Never tell others your user credentials, such as pass­words or verification codes.
  • Do not connect physical media to your device if you are not sure of its origins.
  • Be suspicious of unprompted offers, especially if they seem too good to be true.
  • If there are children in your house­hold, educate them about cyber security and best practices for using the internet.
  • Be careful what you reveal on social media as your accounts can be mined for information used to manipulate you.
  • Keep your devices protected with reliable online protection.
  • Use a secure VPN when using public Wi‑Fi networks.
  • Restrict administration rights to limit who can make changes to network settings or install new applications. This is a way to prevent users from installing harmful soft­ware on devices both at home and in large organizations.

Types of social engineering attacks

Social engineering tactics vary and are tailored based on the attacker’s target and goals. Under­standing different techniques used by online criminals is at the core of preventing social engineering attacks.


One of the most common types of social engineering attacks is phishing which involves deceiving the victim to give away personal or financial information that can be exploited by the attacker. The goal can also be to get the victim to down­load a file or soft­ware infected with malware. Although phishing is often done by sending the target an email, there are other methods of carrying out a phishing attack.

  • Vishing: The term vishing is derived from the words voice and phishing. There­fore, it relies on voice-based formats, such as phone calls, to deceive people and gather valuable information. For example, many romance scams are done via phone calls. The fraudster seduces their target on the phone after finding information about them online. In reality, the attacker is only after the victim’s money, who sends it to their assumed new­found love.
  • Smishing: The use of text messages and instant messaging services to scam people is referred to as smishing. As most phones have an internet connection, phishing messages sent via SMS can contain links that direct the user to malicious web­sites.
  • Spear phishing: Social engineers can carry out phishing attacks by targeting multiple victims at once. Spear phishing, on the other hand, refers to a cyber attack where a specific target is singled out. The messages sent to victims of spear phishing attacks are highly personalized and are harder to spot than regular mass phishing attacks. CEO scams are a form of spear phishing where the attacker impersonates a CEO of a company to deceive its employees. This is one way of using the authority of a trusted figure to gain the victim’s trust.


In a social engineering attack known as pre­texting, the attacker fabricates a situation, or a pre­text, to deceive the victim into giving away information or carry out a certain action. Here the key is impersonating an authority figure, the victim’s coworker or someone else the target of pre­texting would trust. Once the criminal has established the target’s trust, they are more likely to get them to reveal sensitive information, click a link or send money. In pre­texting, creating a convincing story is key so as not to raise any suspicion.


Baiting often involves some kind of physical media that is infected with malware. This could be a flash drive or a CD, for instance, that the criminal leaves in a public place or the targeted organization’s premises. Here social engineers rely on people’s curiosity which can be poked even further by including a tempting logo or label in the piece of malware-infested physical media.

F‑Secure Total reinforces your online protection

Even if you are careful and well-prepared against different social engineering techniques, malware and hackers still pose a threat to you and your devices. F‑Secure Total provides all that you need to stay safe online. In addition to an advanced anti­virus, Total offers a reliable VPN that makes browsing in public and protecting your privacy simple. Total also comes with the tools needed for managing your pass­words and protecting your identity online.

Try F‑Secure Total for free and stay protected against online threats.

Read more and try for free