Advertiser Disclosure
All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
Editorial Policy
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
Social engineering is a type of cyberattack that takes advantage of your relationships with friends, companies, or even coworkers. Hackers using social engineering might pose as an IT employee, bank representative, or even your boss to try and gather sensitive information like credit card numbers, login credentials, or financial information.
Cybercriminals might also use social engineering scams to open a door for future hacking against you or the organization you work for.
Social engineering attacks come in many different forms, such as baiting, phishing, and quid pro quo. Here’s what you should know about each form of social engineering to protect yourself and your personal data.
12 types of social engineering attacks
1. Baiting
2. Email hacking
3. Pharming
4. Honeytraps and romance scams
5. Phishing
6. Piggybacking or tailgating
7. Pretexting
8. Quid pro quo
9. Scareware or fraudware
10. Smishing
11. Vishing
12. Watering hole attack
How to spot a social engineering attack
How can you protect yourself from social engineering?
Social engineering FAQs
Bottom line
What is social engineering?
Social engineering's end goal is to gain your trust long enough to gather confidential information or access to your accounts. Hackers might use well-crafted email scams, voice mail, and SMS text messages to launch a cyberattack and trick you into sharing sensitive data.
12 types of social engineering attacks
There are several ways hackers use social engineering to try to build trust, trick you into thinking they’re someone else, or even threaten or scare you into sharing personal data.
1. Baiting
In this type of social engineering attack, you might find a new USB stick sitting on your desk or receive an email with an attachment.
Naturally, you might be curious about what’s on the flash drive and plug it into your computer, or you might click on the email attachment. But chances are this USB or attachment is loaded with malware, such as a keylogger, that steals your information.
Baiting attacks can also take the form of enticing pop-up ads that lead to a malicious site or download.
2. Email hacking
Email hacking is a popular method many scammers use. The hacker impersonates the victim by accessing the victim's email account.
Once they’ve gained access, the hacker uses the email account to message the victim’s contact list with phishing scams, malicious attachments, or links leading to malware downloads.
Email hacking is one of the main reasons why you should be skeptical of emails even if they come from a trusted source. If it looks suspicious, don’t click.
3. Pharming
This kind of cyberattack redirects your internet traffic to a fake website. Also called a spoofed site, this fake web page might try to install malware on your device or collect your personally identifiable information (PII).
The PII targeted by spoofed websites could include the following:
- Bank account information
- Login information
- Your Social Security number
- Your phone number
- Answers to your security questions
4. Honeytraps and romance scams
Honeytraps and romance scams play off our desire to be liked, which can make them extra effective. In the case of a honeytrap, the scammer will befriend or even pretend to fall in love with their target and form a (fake) online relationship with them. The scammer then uses this relationship to gather personal information.
Most often, honeytraps lead to a financial scam. For example, consider the popular Netflix show “The Tinder Swindler.” The scammer, Simon Leviev, sent his victims text messages that might say something similar to, "My love, I want to see you more than ever. I am a little short this week. We can be together sooner if you send me some money via Western Union!"
5. Phishing
One of the most common types of social engineering is phishing. Phishing can happen via emails or even text messages and comes in many flavors: spear phishing, whaling, and clone phishing.
The goal of a phishing email or text is to get you to click on a link that leads to a malicious site or download.
Spear phishing
This type of phishing attack targets a certain person or organization. Spear phishing messages tend to be very personalized, down to details like your job title or even company contracts or projects you’re involved in.
Whaling
This is a very specific type of spear phishing attack that typically targets high-level employees, such as CEOs. Whaling attacks are often used to steal confidential or financial information or gain access to a company’s computer system.
Clone phishing
When scammers use clone phishing, they copy emails from a legitimate company in order to establish some sense of credibility with the victim. These fake emails may look exactly like the official messages you get from the actual company, and the hacker may try to fool you even further by saying the fake email is an updated version of a real email you just received.
6. Piggybacking or tailgating
Some social engineering attacks aren’t all that sophisticated and piggybacking or tailgating are two examples. This type of scam involves in-person contact where the hacker will follow you in order to gain access to the secured location without having a key card or access code.
Piggybacking is the main reason why your IT department warns you against holding the office door open for other people behind you.
7. Pretexting
Like phishing attacks, pretexting often starts with a friendly message that seems harmless. It could be a request to take a survey or fill out a form. But once you agree to fill out the survey or form, the scammer starts to ask for personal data, like your bank account info, to supposedly confirm your identity.
8. Quid pro quo
Quid pro quo attacks continue to impact many of us, but most quid pro quo scammers target the elderly. In this type of attack, hackers try to convince the victims they’ll receive something in exchange for providing personal information.
9. Scareware or fraudware
When using scareware tactics, hackers try to create a sense of urgency to scare you into taking action.
Some scareware messages could start with a friendly reminder and eventually become harsh and intimidating. Others might show up in a pop-up ad with a fake message that your device has a virus and you need to click the ad to get rid of it.
10. Smishing
Email isn’t the only means hackers use to phish for sensitive information. SMS text messaging is another very common method, and when hackers use texts to target their next victim, it’s called smishing.
Smishing attacks can come in the form of a text message that seems to be from a legitimate source. For example, a smishing text might ask you to verify a charge to your credit card by clicking on a link. Another type of smishing attack pretends to offer you a deal from your cell phone provider, but you need to click the malicious link to activate it.
11. Vishing
Vishing is a type of phishing attack that uses a voice call to try and manipulate you into giving up personal data. Cybercriminals may call and pretend to be a bank representative who needs to verify your account information.
Other scammers might pretend to be from Medicare, the Social Security Administration, or even the IRS. If you ever receive a call and the person on the other end asks you for personal info, don’t share anything. Instead, hang up, find the official phone number online, and call the company or organization directly to verify that it’s a legitimate request.
12. Watering hole attack
Watering hole attacks target a group of victims, usually by infecting a website or forum the group uses often.
For example, hackers might infiltrate public forums, including chat rooms, blogs, and community groups. Once they’ve gained access, the scammer usually tries to get members of the targeted group to click a link that leads to a malicious site or malware download.
How to spot a social engineering attack
Social engineering attacks use many different methods, including email, chat, SMS, group messaging, and even baiting to plug in a USB. But most attacks have a few common characteristics to look out for, and learning how to spot social engineering will help protect your data and devices.
Suspicious sender address
Before opening any emails, take a moment to check the sender’s email address. Many impersonation emails or lookalike messages will look like they came from an official sender. But if you look closely, many fraudulent emails include typos or misspelled company names.
For example, let’s say you received an email from customercare@fedexhelpers.com. It might seem legit at first glance, but would FedEx really email you from a “fedexhelpers.com” domain? Probably not.
Generic greetings
Another clever email phishing method focuses on simple, impersonal greetings such as:
- Dear valued customer
- Sir/ma’am
- I know you are busy. Did you see my message?
These are often accompanied by a lack of contact info or a signature.
Most trusted companies will address you by name and include contact information as well as a signature in their emails. If you receive a message with a basic greeting and no contact info, it’s safer not to click.
Poor spelling and grammar
One of the easiest ways to spot a phishing or spam email is the prevalence of typos. These messages may look like someone rushed to type them out, or they may use improper grammar. Another common theme to phishing emails is inconsistent formatting.
Typos do happen, but legitimate companies often hire someone to create and proofread any emails that are sent out to customers.
Commonly used email subject lines
Hackers often use similar email subject lines to capture your attention. Some of the most-clicked phishing email subject lines, according to KnowBe4, included:
- HR: New requirements tracking Covid vaccinations
- Password Check Required Immediately
- HR: Vacation Policy Update
- Acknowledge Your Appraisal
- Someone special sent you a Valentine’s Day ecard
- Starbucks: Happy Holidays! Have a drink on us
- Dropbox: Updates about your account
These commonly used subject lines are designed to be friendly or urgent in order to get you to click on the email.
Incorrect links
It’s a good idea to always check any hyperlinks sent in emails before you click them. You can easily do this by hovering your mouse cursor over the link. You want to make sure the link in the text of the email matches the link that appears at the bottom of your browser window when you hover over it.
Keep an eye out for misspelled words or different domains (such as .com or .net) in the links.
Suspicious attachments
It’s fairly normal to receive email attachments, such as a receipt for a purchase, bank statements, or even loan documents. But if you receive an unsolicited email that asks you to open an attachment, it could be a phishing attack.
Some antivirus software includes email attachment scans that can verify whether or not the file is safe to open. But if you don’t have a way to scan the file, it’s safest to not open it.
How can you protect yourself from social engineering?
Ultimately, protecting yourself from identity theft and social engineering starts with awareness. The goal of most hackers and cybercriminals is to steal your information. With that in mind, you can be on the lookout for social engineering attacks.
Verify identity
With every suspicious message or email, call, or text, take a moment to verify the person contacting you.
The best way to do this is to avoid clicking on any links in an email or text message and hang up if someone calls and asks for your info. Then, find the official site of the company that’s supposedly contacting you and call or email them directly using the contact info on the site.
Turn on your email spam filter
Google, Microsoft, and other email providers all offer email filters designed to keep most phishing attacks at bay. Spam filters consider multiple characteristics of each email before deciding whether it belongs in your inbox or in the trash. Most email filters check:
- The sender’s email address
- Whether any links in the email match a database of malicious links
- Whether the email or subject line contains suspicious words
You can also go into your email provider’s spam filter settings to customize it and automatically block emails from certain senders or messages that contain certain phrases.
Consider the circumstances
When you receive an email you believe is fraudulent, chances are it is. Trust your gut and don’t panic. Any message with a threatening tone is most likely false, and it’s safer to not click any links or open any attachments.
Update your antivirus software
Like enabling anti-spam protection from your email service provider, you should enable and update your antivirus software.
Keeping your antivirus up to date is important because new malware is released every day. When you update your antivirus, it replaces the old list of malware files to check for with the most recent version. This ensures your antivirus can spot even the newest types of malware.
Many antivirus programs, like TotalAV and AVG, offer phishing protection that helps spot and block social engineering attacks.
Update your operating system
Antivirus software, spam filtering, and anti-malware software all help protect you and your systems. Updating your operating systems on all devices also will help prevent attacks.
Operating system updates often include security patches that remove newly discovered vulnerabilities that hackers might otherwise exploit.
Use strong passwords
The stronger the password, the more difficult it is to hack. Understandably, you may avoid using strong passwords because they’re hard to remember. This is where a password manager and multi-factor authentication can help.
You should always set up multi-factor authentication (also called two-factor authentication, 2FA, or MFA) on your accounts. MFA ensures that, even if a hacker gets a hold of your password, they still can’t access your account without access to a secondary device or account.
Many websites are also beginning to offer passwordless solutions to help with secure authentication, including:
- Magic links: This involves sending you a link to your email to authenticate yourself.
- Touch ID and Face ID: Both Apple and Android devices support biometric logon by scanning your fingerprint or face.
Don’t overshare online
Social networks constantly invite us to share updates about our lives, but posting about our latest trip or even telling friends how our mom is doing could be dangerous.
Hackers can sometimes gather this information and use it to guess your passwords or answers to your security questions. It’s better to keep this private information quiet and not post it online where anyone could find it — even if they haven’t sent you a friend request.
Social engineering FAQs
What is the best defense against social engineering attacks?
The best defense against social engineering attacks is to understand how these types of cyberattacks work. Knowing how to spot a phishing email or smishing attack can help you avoid clicking on malicious links or sharing personal data with scammers.
The next best defense against a social engineering attack is a good antivirus program that includes phishing protection.
Why do hackers use social engineering?
Hackers often use social engineering as a way to gain access to information because it’s usually easier than finding and exploiting vulnerabilities.
What are the four types of phishing attacks?
The four most common types of phishing attacks include:
- Spear phishing: Targets a specific person or small group of people with personalized emails including information about their jobs or families.
- Whaling: Targets high-profile people like company executives, celebrities, or government officials.
- Vishing: Uses voice calls to trick targets into sharing sensitive info.
- Email phishing: Uses emails that pose as legitimate companies or senders to get victims to click a malicious link or download malware through an attachment.
Bottom line
Social engineering happens daily through email, SMS, phone calls, and even in-person contact. Hackers use social engineering skills to befriend you, gain your trust, and gather sensitive information.
To avoid social engineering attacks, you should first learn how to spot them and protect yourself against phishing emails and other similar, socially engineered threats. Avoid giving out information, even in social media posts.
Protecting yourself with information is the best way to stop hackers and cybercriminals. You should also use online security measures like enabling your firewall and using a quality antivirus for an extra layer of protection.
- All-in-one protection for your personal info and privacy
- Excellent antivirus protection
- Additional features like a file shredder and parental controls
- Multiple pop-ups for text notifications can be annoying