Since the creation of the World Wide Web, malware and other computer viruses have plagued the internet. Attackers are always looking for easier and more effective ways to steal information from their victims. As antivirus software, operating systems and hardware have become more hardened, however, it has become harder to write malware that slips past these defenses.
So attackers have increasingly turned away from attacking the machine and begun targeting the human behind the screen, extracting information directly from the victim through a variety of tactics and techniques.

In the context of information security, the use of deception to manipulate people into giving up confidential information (or taking an action) that can then be used for malicious purposes is known as social engineering, also called human hacking.

Types of Social Engineering

There are many types of social engineering. They can occur anywhere there is human interaction, virtual or physical, and are generally classified into two categories: digital and physical.

Sidenote: Social Engineering vs. Scamming, and the Stereotypes Surrounding It

Many people call social engineering scamming, and this is mostly true, but there is some nuance between the terms. Merriam-Webster defines a scam as an act "to deceive and defraud someone." By the definition above, social engineering is a form of scam, but scams take many other forms as well. Social engineering is simply one kind of scamming.
Social engineering is also often stereotyped as coming from India, because the callers in widely shared recordings of phone scams have Indian accents. There is no solid evidence that most social engineering attacks originate in India. Social engineering is a global, large-scale problem, and prejudice against one group is simply bias.

Digital Social Engineering

Digital social engineering is by far more common than physical social engineering in today's highly digital world. Below are the most common forms one will encounter, some of them ubiquitous and untargeted, others very personalized and targeted.

  • Phishing

    Phishing is the most common form of social engineering. Attackers send bulk emails or messages that impersonate a trusted organization, such as a bank or a large software vendor, and urge the recipient to click a link or open an attachment. The link leads to a look-alike website that harvests whatever the victim types in, usually login credentials, and an attachment typically installs malware.

  • A classic example of phishing. The attackers impersonate American Express and claim the victim needs to update their information. The link sends them to a fake website that asks for credentials. Source: thesslstore

  • Spear Phishing

    Spear phishing follows the same concept as bulk phishing, but the attack is aimed at specific individuals or organizations. Attackers research the targeted company or person in order to craft a personalized message, which has a much higher success rate. These attacks can be devastating: a single successful spear phishing email can give the attacker a foothold inside the company's network from which the rest of the organization can be compromised.

  • An example of a spear phishing attack. Notice that the attack is aimed at a company employee, who is told that they must sign a code of conduct agreement or be fired. The link will most likely either infect the computer with malware or demand sensitive information in order to proceed. Source: Norton.

  • Pretexting

    Attackers invent a scenario, or pretext, to convince the victim to hand over sensitive information. The attacker may claim to be a colleague, IT support, or even law enforcement, and the request seems to be part of a legitimate business activity. The success of the attack depends largely on the attacker's ability to establish trust and credibility with the victim; they exploit the victim's desire to help, or their compliance with authority, to extract confidential information. Pretexting is especially dangerous in a corporate setting, where an employee may unknowingly grant the attacker access to internal systems.

  • Notice that pretexting is similar to spear phishing. The attackers do some research, then create a pretext that the victim's account may have been hacked. The link sends the victim to a phony website, and when they enter their credentials there, they are handing them straight to the attackers. Source: AVG AntiVirus

  • Baiting

    Baiting is a powerful and deceptive tactic. Attackers use a "bait", something the victim wants, to trick them into downloading a file that appears legitimate but contains malware. Baiting is often combined with pretexting and other techniques to make the attack more likely to succeed.

  • A classic example of baiting. The attackers offer an enticing reward for participating in a "survey". They will most likely require you to download something to proceed, and that file will contain malware. This is also where the saying "too good to be true" applies: the reward truly is too good to be true. Source: Dummies.com

  • Quid Pro Quo

    In a quid pro quo attack, the attacker offers a service or benefit to the victim in exchange for sensitive information. A common example is an attacker posing as IT support, claiming they can resolve a technical issue on the victim's computer but asking for the victim's credentials first. The technique relies on the victim's desire to be helped, and it works best when the victim actually does have a problem that needs fixing.

  • This quid pro quo attack sets up the pretext that the victim's email will be deactivated and offers to resolve the issue, but asks for confidential information in return. Source: WALLIX

  • Watering Hole

    In a watering hole attack, cybercriminals compromise one or more websites that are frequently visited by the employees of a specific company or organization. The compromised website then serves malware to its visitors, either through a drive-by download or through a trojanized file that users download without suspicion. Because the attack is so targeted, it is devastatingly effective: the malware often goes undetected and can steal large amounts of data or compromise a system completely. It is also very hard to avoid, because it leverages the trust victims already have in the website. Users have no reason to be suspicious, so detection usually has to come from the defending side, for example by noticing unexpected downloads or network connections originating from an otherwise trusted site.

  • A diagram of a watering hole attack. Observe that the attacker never makes direct contact with the victims, so detecting the attack and tracing its source is very difficult. Source: WeSecureApp

  • Scareware

    In a scareware attack, the attackers bombard the victim with false alarms: relentless pop-ups claiming the computer has been hacked or is infected with severe malware. Clicking one of the notifications leads to a demand to install an "antivirus" program to remove the threats. Once installed, that program is the real malware; it steals data and may hold it for ransom. The attack relies purely on fear, as the constant barrage of alerts pressures the victim to act fast and make rash decisions.

  • A typical scareware pop-up. Notice that it combines the fear of being hacked with pressure to act now: "files and app deletion may start at any moment". Source: University of Louisiana Monroe

    Physical Social Engineering

    Physical social engineering attacks are less common than digital attacks, but when they do happen they are devastatingly effective. These attacks are usually aimed at companies, but they can also target individuals who hold valuable assets that attackers want.

    Social Engineering by the Numbers

    Social engineering is among the most common forms of cyberattack, but exactly how common is it? Below are several statistics about social engineering.

    1. 94% of businesses reported seeing a phishing attack in 2024.
    2. The median time for a user to fall for a phishing email is less than 60 seconds.
    3. Phishing and pretexting via email account for 73% of all data breaches.
    4. Around 2.9% of all employees click on phishing emails.
    5. The average CEO receives 57 spear phishing attacks every year.
    6. 43% of all phishing attacks impersonate Microsoft brands.
    7. 95% of all network intrusions rely on phishing techniques.
    8. 68% of all data breaches in 2024 involved a human element, such as error or falling for a social engineering scam.
    9. The average cost of a data breach rose to $4.88 million in 2024.
    10. Phishing is the costliest type of data breach, with an average breach cost of $4.91 million.
    Additionally, social engineering attacks are often followed by ransomware attacks. Ransomware encrypts and locks the victim's data and holds it for ransom. Below are some statistics regarding ransomware and its effects in the digital world.
    1. Around the world, 59% of all organizations experienced a ransomware attack in 2024.
    2. Ransomware payments spiked to a record high of $460 million in 2024.
    3. The largest ransomware payment ever recorded happened in 2024: about $75 million was paid to the Dark Angels ransomware group.
    4. The median loss associated with ransomware was around $46,000 in 2024.
    5. 32% of all data breaches in 2024 involved ransomware.
    6. Nearly 10% of organizations say they do not know how their systems were infiltrated by ransomware.
    7. Ransomware breaches take 326 days to contain; this is 49 days longer than the average data breach.
    8. Over 50% of all ransomware attacks originated from phishing emails.
    Looking at the data, social engineering attacks are damaging enough on their own, but the data breaches and ransomware attacks that follow them are even more devastating.

    Why Does Social Engineering Work?

    Social engineering is among the most effective attack vectors there is, so why does it succeed so often? And what can we learn from that?

    Social engineering comes in many forms, but they all exploit the same weakness: basic human tendencies and flaws in human decision-making. It plays on emotion and, most importantly, on our trust in others.

    1. Trust: Psychological Gold

      Objectively, trust is a good thing. It is what allows us to form friendships and communicate freely with the people around us. In security, however, it is the greatest weakness humans have. The natural impulse to trust those around us is exactly what makes people vulnerable to social engineering. Phishing works because the victim trusts that the message really comes from the legitimate company and that their information will be safe with it. Pretexting succeeds purely because the victim places their trust in the attacker's story. Watering hole attacks are so effective because the victims trust the website they are on and will download files from it without a second thought.

      Trust is one of humanity's defining tendencies, so attackers will always exploit it.

    2. Sympathy and the Desire to Help Others: Virtues Turned to Vices

      Social engineering attackers often play on human emotions, and one of the most dominant and dangerous is sympathy, the desire to help others. Naturally, people want to be helpful, a great virtue in the world. But this sympathy can be dangerous, because people will often try to help even when the request is unusual or suspicious. Attackers capitalize on this instinct by portraying themselves as people in need; they pretend to be in dire straits purely to trigger that sympathetic response. Some pretexting attacks cast the attacker as a pitiful colleague or friend who desperately needs money or some other assistance. The "coffee trick" from physical social engineering, where an attacker with both hands full of coffee cups relies on an employee holding a secure door open for them, works because the bystander wants to help the person carrying the coffee.

      Sympathy is a very powerful emotion, one that often makes someone act without thinking, which is exactly why attackers find it so valuable.

    3. Fear: A Hacker's Best Friend

      Fear is another powerful tool attackers use to increase their chances of success. Fear triggers the fight-or-flight response that is drilled into the human brain: under intense fear, a person acts without thinking at all. As a result, victims do things they normally would not, like downloading a malicious file because the attacker told them to. Fear is used in many pretexting attacks and is the sole driving factor of scareware attacks.

      Fear is deeply rooted in the human brain, so it is a very powerful lever for attackers who want to obtain sensitive information.


    Solution to Social Engineering

    With all the information we've learned, how do we stop social engineering?

    General

    Below are some general tips to not only defend yourself from social engineering attacks, but also from cyberattacks as a whole.

    Fraudulent Emails or messages

    To defend yourself from fraudulent emails, look for any of these signs:


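    The signs of a fraudulent email described in this section can also be checked mechanically. The script below is an added example and is not code from the original page. It parses a raw email message with Python's standard library and flags four common phishing indicators: a display name that claims a brand whose real domain does not match the sender's domain, a Reply-To header on a different domain than the sender, a link whose visible text names a different site than its actual href, and urgency wording. Both sample messages, the brand-to-domain table and the keyword list are constructed for illustration, and every address and domain in them is hypothetical. The registered-domain helper is deliberately crude (it keeps the last two labels) and would need the public suffix list in real use.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed table: brand names that should only appear with their real domain.
BRAND_DOMAINS = {"american express": "americanexpress.com", "microsoft": "microsoft.com"}

# Assumed list of pressure phrases typical of phishing lures.
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "verify your account", "act now")

# Constructed phishing message (all addresses and domains are hypothetical).
SAMPLE_PHISH = b"""From: American Express <alerts@amex-secure-update.com>
Reply-To: support@mail-verify-login.net
To: victim@example.org
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your card has been suspended. Please
<a href="http://americanexpress.com.login-verify.net/update">https://www.americanexpress.com/update</a>
immediately.</p>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = b"""From: Example Corp Billing <billing@example.com>
To: victim@example.org
Subject: Your March statement is available
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Log in through the app as usual to view it.
"""


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels of the host name.
    Real code should use the public suffix list (e.g. co.uk is two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_message(raw: bytes) -> list[str]:
    """Return human-readable indicators found in the message;
    an empty list means none of the heuristics fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Display name claims a brand but the sender domain is not the brand's.
    display_name, sender = parseaddr(msg["From"] or "")
    sender_domain = registered_domain(sender.split("@")[-1]) if "@" in sender else ""
    for brand, legit_domain in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain != legit_domain:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. Replies are routed to a different domain than the sender's.
    _, reply_to = parseaddr(msg["Reply-To"] or "")
    if "@" in reply_to and registered_domain(reply_to.split("@")[-1]) != sender_domain:
        findings.append(f"Reply-To domain {reply_to.split('@')[-1]} differs from sender domain")

    # 3. Link text shows one site while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, flags=re.I | re.S):
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^/\s<]+)", anchor)
        if shown and registered_domain(shown.group(1)) != registered_domain(href_host):
            findings.append(f"link text shows {shown.group(1)} but href goes to {href_host}")

    # 4. Urgency wording in the subject or body (tags stripped from HTML).
    plain = ((msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    hits = [w for w in URGENCY_WORDS if w in plain]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or ["no indicators"])
```

    Run against the constructed phishing message, all four heuristics fire; the benign message produces no findings. Heuristics like these are a filter, not a verdict: a legitimate marketing email can trip the urgency rule, and a careful attacker can register a sender domain that passes the brand check, which is why mail systems also verify the sender with SPF, DKIM and DMARC rather than relying on content alone.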
    The best thing we can do to stop social engineering attacks is to educate and inform others about them. Social engineering is most dangerous against people who have never heard of these attacks and are unaware of the danger. Educating yourself is a good start, but ultimately everyone has to be educated to truly blunt social engineering. Awareness alone is not enough, though: it should be paired with technical controls such as multi-factor authentication, so that a stolen password is not enough on its own, and with an easy way for people to report a suspicious message instead of acting on it.
    Don't take the bait.