Social engineering is a form of manipulation where attackers deceive individuals into divulging confidential or personal information that may be used for fraud.
This technique exploits human psychology rather than technical exploitation to gain access to sensitive information or systems. Here is a glossary of key terms related to social engineering to help you grasp the essentials.
Key Terms Related to Social Engineering
This section covers essential terms and concepts related to social engineering. Familiarizing yourself with these terms can help you identify and mitigate social engineering threats.
Advanced Persistent Threat (APT)
A prolonged attack in which an attacker gains access to a system or network and keeps that access for an extended period. APTs typically aim for data exfiltration, targeting sectors like finance and government using tactics such as spear-phishing.
Recognize the signs of APTs and implement advanced monitoring solutions. Regularly update your security protocols to protect sensitive data.
Attack Vector
An attack vector is a path by which a hacker gains access to a computer or network server to deliver a payload or malicious outcome. In social engineering, the attack vector often involves human interaction.
Staying vigilant about potential attack vectors can help identify and mitigate risks. Regular training and awareness programs are essential.
Baiting
Baiting involves offering something enticing to an individual in exchange for their personal information. It often involves physical media such as a USB drive or an online offer.
Avoid accepting unsolicited offers or plugging unknown devices into your computer. Always verify the source before engaging with such offers.
Business Email Compromise (BEC)
A type of social engineering attack where one party in a financial transaction is impersonated. Attackers use compromised or spoofed email accounts to trick victims into redirecting funds.
Verify transaction details through multiple channels. Be cautious of unexpected changes in payment instructions.
Caller ID Spoofing
A direct social engineering attack using a spoofed phone number to create trust. The number appears on the victim’s caller ID, making the call seem legitimate.
Do not rely solely on caller ID for verification. Always confirm the identity of the caller through alternative methods.
Confidence Trick
A confidence trick, or con, is a scam where a trickster uses deception to gain trust and manipulate the victim into divulging sensitive information or performing harmful actions.
Building awareness about common confidence tricks can prevent falling victim to such scams. Trust but verify any unusual requests or offers.
Cross-site Scripting (XSS)
Cross-site scripting occurs when a malicious script is injected into a trusted website, allowing attackers to execute the script in the victim’s browser or redirect them to malicious sites.
Regularly update and patch web applications. Educate users about the risks of clicking on unknown links.
Data Leak
An unintentional release of confidential information to an untrusted environment. Data leaks can result from social engineering attacks or human error.
Implement stringent data handling and disposal procedures. Educate employees about the importance of data security.
Dumpster Diving
Dumpster diving is a technique where attackers search through trash to find documents or items that contain sensitive information. This method exploits the carelessness of individuals and organizations in disposing of confidential data.
Properly shredding or destroying sensitive documents before disposal can thwart dumpster diving attempts. Implement secure disposal policies within organizations.
Elicitation
Elicitation is a technique used to subtly extract information from individuals without them realizing it. Attackers often use conversation tactics to obtain the desired information.
Be cautious about sharing personal or sensitive information in casual conversations. Recognize and challenge probing questions.
Fake Websites
Fake websites are designed to look like legitimate sites to trick users into entering personal information. These sites often mimic banking, social media, or shopping sites.
Always check the URL for legitimacy and look for security indicators like HTTPS. Avoid clicking on links from unknown sources.
Greed Exploitation
Greed exploitation takes advantage of an individual’s desire for financial gain. Attackers may offer investment opportunities or lottery winnings to lure victims into giving up sensitive information.
Be skeptical of offers that seem too good to be true. Conduct thorough research before engaging in any financial transactions.
Honey Trap
A honey trap involves creating a fictitious romantic or sexual relationship to gain the target’s trust and subsequently exploit them.
Protect your personal information in online interactions. Be wary of overly forward or intimate advances from strangers.
Impersonation
Impersonation involves pretending to be someone else, often a person of authority or trust, to deceive individuals into divulging confidential information.
Verify the identity of individuals before sharing sensitive information. Use multiple methods of authentication when possible.
Job Offer Scam
Job offer scams trick victims by offering lucrative job opportunities. The goal is to obtain personal information such as social security numbers or banking details under the guise of employment verification.
Research the company and the job offer thoroughly. Avoid sharing personal information early in the job application process.
Keylogger
A keylogger is malicious software or a hardware device that records keystrokes to capture sensitive information such as passwords and credit card numbers. It can be used in conjunction with social engineering tactics.
Regularly update and scan your devices for malware. Use secure passwords and enable multi-factor authentication.
Luring
Luring involves attracting someone into a compromising situation. Attackers might use fake scenarios or promises to draw their targets into revealing sensitive information.
Be cautious of unsolicited offers or requests. Validate the legitimacy of any situation before engaging.
Malware
Malware, or malicious software, is often used in social engineering attacks. An example is sending an email with an attachment that, when opened, installs malware on the victim’s computer.
Keep your software updated and use reputable antivirus solutions. Avoid downloading attachments from unknown sources.
Network Exploitation
Network exploitation involves gaining access to a network through social engineering tactics to gather information or cause harm.
Implement strong network security measures, including firewalls and intrusion detection systems. Educate employees about safe network practices.
Online Scams
Online scams encompass a wide range of fraudulent activities conducted over the internet, including phishing, pretexting, and baiting.
Stay informed about common online scams and how they operate. Report suspicious activities to relevant authorities.
Phishing
Phishing is a technique where attackers send fraudulent emails or messages that appear to come from a trusted source to trick individuals into revealing personal information.
Always verify the sender’s email address and look for signs of phishing. Avoid clicking on links or downloading attachments from unknown sources.
Quizzes and Surveys
Quizzes and surveys gather personal information under the guise of a fun or harmless activity. The data collected can be used for malicious purposes.
Be selective about the quizzes and surveys you participate in online. Limit the amount of personal information you share.
Ransomware
Ransomware is malware that encrypts the victim’s data and demands a ransom to restore access. Social engineering is often used to trick victims into downloading ransomware.
Back up your data regularly and keep your security software updated. Be cautious of unsolicited emails or downloads.
Search Engine Optimization (SEO) Poisoning
Social engineers build websites around popular search terms to lure users into actions like downloading malware or divulging information.
Be cautious when downloading software or entering information from search results. Verify the legitimacy of websites before interacting with them.
Security Awareness Training
Security awareness training educates users about IT security risks and compliance with security policies. Effective training makes users more resilient to social engineering and more vigilant with data handling.
Conduct regular training sessions and measure their effectiveness. Tailor the content to the skillset and culture of your organization.
Spam Filter
A spam filter prevents spam or malicious emails from reaching your inbox. Spam filters use AI, heuristics, and NLP to classify emails, though some phishing emails may still get through.
Regularly update spam filters and educate employees on identifying phishing emails. Encourage reporting of suspicious emails.
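The Fake Websites, Phishing and Spam Filter entries above all come down to the same checks: does the sender’s address match the name it claims, does a link really point where its text says, is the domain a lookalike of a trusted one, is the link HTTPS, and is the message pushing urgency. The following heuristic screener is an added example written for this glossary, not code from the page or from any particular product. The trusted-domain allowlist, the two sample messages, the homoglyph substitution list and the score thresholds are all constructed for the demonstration.

```python
"""Heuristic phishing screener: sender/domain/link/urgency checks.

Added example for this glossary.  TRUSTED_DOMAINS, LOOKALIKE_SUBS, the
thresholds in verdict() and the two sample messages are constructed
assumptions, not data from the page.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation really uses.
TRUSTED_DOMAINS = {"examplebank.com"}

# Substitutions used to build lookalike domains.  They are undone before
# comparing against the allowlist, so "examp1ebank" and "exarnplebank"
# both normalise to "examplebank".
LOOKALIKE_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Phrases that pressure the reader into acting before verifying.
URGENCY = ("verify your account", "suspended", "within 24 hours", "immediately")

BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels).  Adequate for the constructed data;
    a real filter would consult the public suffix list."""
    parts = host.lower().split(":")[0].split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def normalize(host: str) -> str:
    """Lower-case the host and undo the common homoglyph substitutions."""
    host = host.lower()
    for bad, good in LOOKALIKE_SUBS:
        host = host.replace(bad, good)
    return host


def is_trusted(host: str) -> bool:
    return registrable(host) in TRUSTED_DOMAINS


def is_lookalike(host: str) -> bool:
    """True when the host is not trusted but normalises to a trusted domain
    or embeds a trusted brand, e.g. examplebank.com.login-portal.net."""
    if is_trusted(host):
        return False
    if registrable(normalize(host)) in TRUSTED_DOMAINS:
        return True
    return any(b in host.lower() for b in BRANDS)


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Score one message.  msg keys: from_name, from_addr, body and
    links (a list of {"text": ..., "href": ...})."""
    score, reasons = 0, []
    sender_host = msg["from_addr"].rsplit("@", 1)[-1]
    brand_in_name = any(b in msg["from_name"].lower() for b in BRANDS)
    if is_lookalike(sender_host):
        score += 3
        reasons.append(f"sender domain is a lookalike: {sender_host}")
    elif brand_in_name and not is_trusted(sender_host):
        score += 2
        reasons.append(f"display name claims a brand but sent from {sender_host}")
    for link in msg.get("links", []):
        href = urlparse(link["href"])
        host = href.hostname or ""
        if href.scheme != "https":
            score += 1
            reasons.append(f"non-HTTPS link: {link['href']}")
        if is_lookalike(host):
            score += 3
            reasons.append(f"link host is a lookalike: {host}")
        shown = re.search(r"https?://([^/\s]+)", link["text"])
        if shown and registrable(shown.group(1)) != registrable(host):
            score += 2
            reasons.append(f"link text shows {shown.group(1)} but goes to {host}")
    if any(p in msg["body"].lower() for p in URGENCY):
        score += 1
        reasons.append("urgency language")
    return score, reasons


def verdict(score: int) -> str:
    """Constructed thresholds: 4+ quarantine, 2-3 flag for the user, else deliver."""
    return "quarantine" if score >= 4 else "flag" if score >= 2 else "deliver"


# Constructed sample messages: one genuine notification, one lookalike phish.
LEGIT = {
    "from_name": "ExampleBank Alerts",
    "from_addr": "alerts@mail.examplebank.com",
    "body": "Your monthly statement is ready in online banking.",
    "links": [{"text": "Open statements", "href": "https://www.examplebank.com/statements"}],
}
PHISH = {
    "from_name": "ExampleBank Security",
    "from_addr": "security@examp1ebank.com",
    "body": "Unusual sign-in detected. Verify your account within 24 hours or it will be suspended.",
    "links": [{"text": "https://www.examplebank.com/verify",
               "href": "http://examplebank.com.login-portal.net/verify"}],
}

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("phish", PHISH)):
        s, why = score_message(msg)
        print(f"{name}: score={s} verdict={verdict(s)}")
        for r in why:
            print("  -", r)
```

The legitimate message scores 0 and is delivered; the phish scores 10 (lookalike sender, non-HTTPS link, lookalike link host, link text that disagrees with its target, urgency wording) and is quarantined. The point for a defender is that each of the glossary’s "always check X" tips is a cheap, mechanical signal; stacking several of them is what makes a spam filter useful, and why a single missing signal (a phish that does use HTTPS, say) should not be treated as proof of legitimacy.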
Spear Phishing
Spear phishing is a targeted form of phishing in which attackers customize their messages to a specific individual or organization to increase the likelihood of success.
Be wary of personalized emails requesting sensitive information. Verify the sender’s identity through independent channels.
Tailgating
Tailgating, or piggybacking, involves an unauthorized person following an authorized person into a secure location. This physical social engineering technique exploits human courtesy.
Implement strict access control measures and educate employees about the dangers of tailgating. Always challenge unknown individuals attempting to enter secure areas.
USB Drops
USB drops involve leaving infected USB drives in public places. When someone picks up the drive and plugs it into their computer, malware is installed.
Avoid using unknown USB drives. Report any suspicious devices to your IT department.
Vishing
Vishing, or voice phishing, uses phone calls to trick individuals into revealing personal information. Attackers may pose as bank representatives or tech support.
Verify the caller’s identity before sharing any information. Use official contact numbers to reach out to organizations.
Whaling
Whaling is a form of phishing that targets high-profile individuals such as executives or senior officials, using personalized messages to trick them into divulging sensitive information.
Implement robust security measures for high-profile individuals. Educate them about the risks and signs of whaling attacks.
Exploiting Extensions
Exploiting extensions refers to using browser extensions or add-ons as a vector for social engineering attacks. Malicious extensions can capture sensitive data or redirect users to phishing sites.
Only install extensions from trusted sources. Regularly review and update your browser extensions.
Yielding to Authority
Yielding to authority involves attackers posing as authoritative figures to exploit individuals’ natural tendency to comply with perceived authority figures’ requests.
Always verify the credentials of individuals claiming authority. Follow established protocols for sharing sensitive information.
Zero Trust Principle
The Zero Trust Principle is a security concept that emphasizes verifying the identity of every individual attempting to access resources, regardless of their location or network.
This principle helps mitigate social engineering attacks by requiring continuous authentication and authorization.