What is a social engineering attack?
Seen some scary headlines about a new “social engineering attack” doing the rounds but not sure what that actually means? Then you’re in the right place as we’ve created this guide to detail what the term means, and some quick tips on how to avoid falling victim to them.
The short version is that a social engineering attack is the point at which computer misuse combines with old-fashioned confidence trickery. Specifically, social engineering attacks are scams that exploit the most vulnerable part of any technical system: the user.
Social engineering attacks can be carried out via the web, email, phone, and SMS or instant messaging, or in person. They rely on deceiving a user into believing that the bad actor is an honest representative of, for example, Amazon or Microsoft for long enough to give the bad actor their login credentials, access to their computer, or money.
Social engineering attacks can take place in real time, with someone actively speaking to you on the phone or physically present at your office; asynchronously, as in an exchange of emails with a bad actor pretending to be someone they’re not; or as a passive trap delivered via an email, a website, or even a physical USB drive.
Examples of social engineering attacks
Phishing is the most common example of a social engineering attack: a bad actor sends out messages, often by email, designed to look like they’re from a legitimate company, with the intention of getting you to hand over your login details or authorise a payment. They often do this by offering an irresistible, time-limited deal or by threatening dire consequences (such as an imminent payment being taken or your account being suspended) to make the victim panic and click through without thinking about what they’re doing.
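The tells described above (a display name that claims to be a brand the sending domain doesn’t match, urgency or threat language, and a link whose visible text doesn’t match where it actually points) can be checked mechanically. The following is an added example, not code from the original article or from any vendor; the two sample messages are constructed for illustration, and the brand-to-domain table is an assumption you would maintain yourself. It is a heuristic triage aid, not a replacement for a mail filter that also checks SPF, DKIM and DMARC.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for the example (not real email).
SAMPLE_PHISH = """From: "Amazon Customer Service" <security-alert@amaz0n-billing.example>
To: victim@example.org
Subject: URGENT: Your account will be suspended within 24 hours
Content-Type: text/html

<html><body>
<p>We were unable to process your last payment. Verify your details immediately
or your account will be suspended.</p>
<p><a href="http://amaz0n-billing.example/login">https://www.amazon.co.uk/account</a></p>
</body></html>
"""

SAMPLE_LEGIT = """From: "Amazon.co.uk" <order-update@amazon.co.uk>
To: victim@example.org
Subject: Your order has been dispatched
Content-Type: text/html

<html><body><p>Your parcel is on its way.</p>
<p><a href="https://www.amazon.co.uk/orders">https://www.amazon.co.uk/orders</a></p>
</body></html>
"""

# Assumption for the example: brands you care about and the domains
# they genuinely send from. Extend this for your own environment.
BRAND_DOMAINS = {
    "amazon": {"amazon.co.uk", "amazon.com"},
    "microsoft": {"microsoft.com"},
}

# Phrases typical of the pressure tactics phishing relies on.
URGENCY = ["urgent", "immediately", "within 24 hours", "suspended",
           "verify your", "act now"]


def sender_domain(from_header):
    """Return the domain part of the real sender address, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claimed_brand(from_header):
    """Return the brand named in the display name, if any."""
    name, _ = parseaddr(from_header)
    for brand in BRAND_DOMAINS:
        if brand in name.lower():
            return brand
    return None


def link_mismatches(html):
    """Find <a href="X">Y</a> where Y looks like a URL on a different host than X."""
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        text = text.strip()
        if re.match(r"https?://", text) and urlparse(href).hostname != urlparse(text).hostname:
            found.append((text, href))
    return found


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators; empty means nothing flagged."""
    msg = message_from_string(raw_message)
    indicators = []
    from_header = msg.get("From", "")
    brand = claimed_brand(from_header)
    domain = sender_domain(from_header)
    # 1. Display name says "Amazon" but the address is not an Amazon domain.
    if brand and not any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand]):
        indicators.append(f"display name claims {brand} but sender domain is {domain}")
    # 2. Urgency or threat language in subject or body (single-part message assumed).
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [phrase for phrase in URGENCY if phrase in text]
    if hits:
        indicators.append("urgency/threat language: " + ", ".join(hits))
    # 3. Visible link text that does not match the real destination.
    for shown, actual in link_mismatches(body):
        indicators.append(f"link text {shown} actually points to {actual}")
    return indicators


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Note what this does not do: a message sent from a genuine but compromised account passes the domain check, and a scammer who avoids the listed phrases passes the language check. Treat a non-empty result as a reason to slow down and verify through a channel you chose yourself (the company’s own website or the number on your card), never as proof either way.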
Some attacks of this kind instead focus on getting malware onto a PC by convincing the user that it’s legitimate software. When Adobe Flash was still in use, we often saw malicious sites distributing malware in the guise of a Flash Player download. Once the user has been tricked into installing it, the malware can spy on them, attempt to compromise their network, or abuse system resources to participate in botnets, send spam or mine cryptocurrency.
Tech support scams are another staple. Among the most popular are fake support calls pretending to be from Microsoft. An infamous example informed the user that they had a severe malware infection, and “proved” it by having the user open Windows Event Viewer, a log viewer that shows numerous entirely benign errors and warnings that look intimidating to someone who doesn’t know what they’re looking at.
Some tech support scams use browser-freezing “screenlocker” web pop-ups to temporarily disable a victim’s computer and instruct them to call an “official support phone number”, functioning in a similar way to non-encrypting ransomware, which itself uses elements of social engineering.
“Scareware” is a related category that often features online pop-ups warning you that your PC is infected with malware, along with a downloadable “anti-malware” tool that is itself malicious.
Businesses also face targeted fake calls to or from their IT support team, for example requesting login credentials, password resets or other sensitive information.
Physical social engineering attacks can rely on distraction or incongruity. Naomi Wu’s example is a scantily-clad penetration tester videoing herself with a selfie stick and being thoroughly ignored as she waltzes past reception and security. The opposite approach is blending into the background: looking like you’re supposed to be there by carrying a clipboard, walking purposefully and wearing hi-viz to gain access to a secure site.
Once into a supposedly secured site, the bad actor can access computers, keys or data to compromise their target. The “evil maid” attack Wu refers to in her video often involves actual staff of a business (archetypally a hotel) using their access to compromise their target’s electronic device, but this can also be done by an impostor.
Another physical attack, rather past its sell-by date but requiring no human interaction at all, is “baiting”. A malware-infested USB drive is left somewhere inviting, potentially labelled to encourage its finder to plug it into a PC and check it. Although we’re long past the days of Windows autorun files being allowed to run from removable media, a cleverly named program and readme file on the drive could still convince the right target to sabotage their own computer by running them, and a USB device that presents itself to the operating system as a keyboard can type commands without the user running anything at all.
Read our Security Guide for more tips on leading a safer online life.