
10 common social engineering tactics

Across the globe, cybercriminals are finding new routes to reach their targets. Once an account is compromised, threat actors extend the attack as far as that account's access level allows, so the resulting damage is far greater than anyone would predict. 

A well-known example is the 2020 X attack, which affected the X accounts of multiple high-profile figures such as Barack Obama, Elon Musk, and Apple. Although more sophisticated techniques could also have produced this breach, the threat actors didn't have to try very hard. They used social engineering to manipulate X employees, convinced them that they were internal IT staff, and urged them to hand over credentials to internal tools. 

Within hours, the attackers had taken control of some of the world's most influential voices simply by manipulating trust. Using the stolen credentials, they reset the passwords of the targeted accounts through backend tools and posted messages from those accounts. Through these messages, the hackers ran a bitcoin scam that collected over $120,000 from followers. 

Clearly, you don't need to hack a system to take control of something. Such is the nature of social engineering. In this article, we’ll break down the most common tactics in social engineering, from phishing and pretexting to deepfakes and quid pro quo schemes, so you can recognize the signs and strengthen the one thing that matters most in cybersecurity: human awareness.

What is social engineering?

Social engineering attacks rely on human error rather than exploiting the system they’re targeting. In a social engineering attack, the cybercriminal psychologically manipulates their target using different tactics and extracts sensitive information or payouts from them.

These attacks exploit human trust and curiosity to compromise sensitive data, harming both the individual and the organization. Typically, the threat actor first researches the target, decides on the best way to extract information from them, carries out the attack, and finally withdraws once they have achieved their objective. 

Why are social engineering attacks effective?

Social engineering attacks are successful because of a combination of human nature and the elaborate means hackers use to create these attacks. Some of the reasons why they work so well are:

  • Threat actors research and pick targets who will trust the impersonated identity of the hacker and the scenario they're cooking up. This heightened trustworthiness is a common factor cybercriminals bank on.
  • Most people lack awareness about the common tactics used by cybercriminals. So, their own judgment fails, making them easy prey.
  • Because of the manipulation tactics used, which are alarming and urgent, humans let their emotions take over, taking actions before analyzing the request.
  • Attackers conduct extensive research through their targets’ public profiles, which is easier than going through the motions of hacking accounts, systems, or a network.
  • Basic security solutions can only protect humans from cyberattacks that have certain indicators. If the hacker cleverly designs the attack to evade these systems, the threat slips through, undetected.

Common tactics used

Cybercriminals use different social engineering methods to manipulate human behavior and infiltrate organizations. We'll discuss the most common tactics and the realistic scenarios attackers spin to achieve their goal.

Phishing

Phishing emails make up a vast percentage of cyberattacks. About 3.4 phishing emails are sent every day, making it one of the most-used attack mechanisms. In phishing, the attacker uses a false scenario or an impersonated identity to extract sensitive information or money from their target. The attackers may target a specific individual, or use the person as an entry point into an entire organization. The goal of these attacks is to extract login details, transaction information, credit card numbers, and other sensitive information. 

The threat actor sends an email or SMS, or gets in touch through any other communication medium, to lead the target to a phishing website that impersonates a legitimate site. The site asks the target to enter information that the attacker then uses to further the attack. 

Different types of phishing attacks are prevalent, based on the mode and the target. 

Spear phishing: In spear phishing attacks, rather than sending bulk emails to multiple recipients, the threat actor selects someone specific and targets them. This could be someone from an organization's finance team, HR, or C-suite—even the CEO. Because these attacks involve more effort, they mostly target someone higher up in the organization who can share important data or perform high-level transactions.

Whaling: Whaling, also known as CEO fraud, refers to a type of phishing in which attackers go after the “big fish”. This includes the CEO, CTO, CFO, or other C-suite officers. Threat actors impersonate these high-profile employees' identities or take over their accounts and communicate with other employees in their company. When a request comes from a higher authority, the lower-level employees go ahead and perform the requested action.

Vishing: Vishing refers to voice-based phishing. These attacks most commonly occur through phone calls in which the caller impersonates bank officials, government authorities, or, in an organizational context, someone from the finance or HR team. Using AI, threat actors can emulate the voices of these people and pressure the target into taking sensitive actions. 

Smishing: Attackers reach their targets through SMS messages. SMS usually isn't regulated or scanned for spam by most carriers, which makes it an enticing entry point for threat actors. They craft messages that lure recipients into taking action, using scenarios such as job offers, gift offers, free vacations, and other too-good-to-be-true offers. 

Impersonation

Impersonation, or spoofing, is a mechanism that threat actors have used for decades, and it underlies many different kinds of attack. In a social engineering attack, impersonating someone in authority gets the hacker one step closer to their goal. In most cases, the impersonated identity is someone the target interacts with closely and trusts, such as a fellow employee or even a friend. Sometimes the attacker instead takes on the identity of a bank or another authorized body. 
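Display-name spoofing, one of the most common forms of impersonation behind whaling and CEO fraud, is cheap to flag at the mail gateway: compare the display name on an inbound message with a directory of frequently impersonated people and check whether the sender address actually belongs to the organization. The following Python is an added example, not code from the original article or from eProtect; the executive directory, the internal domain and the sample From: headers are all constructed for the demonstration.

```python
"""Display-name spoofing check for inbound mail.

Added example (not from the original article or from eProtect). The directory,
the internal domain and the sample headers below are constructed for the demo;
in practice the directory would come from your address book or HR export.
"""
from email.utils import parseaddr
import unicodedata

# Constructed: people attackers like to impersonate, keyed by normalized name.
EXECUTIVE_DIRECTORY = {
    "jane doe": "jane.doe@example-corp.com",
    "rahul mehta": "rahul.mehta@example-corp.com",
}
# Constructed: domains we consider our own.
INTERNAL_DOMAINS = {"example-corp.com"}


def normalize_name(name: str) -> str:
    """Case-fold, strip diacritics and collapse whitespace so that
    'Jane  Dóe' compares equal to 'jane doe'."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.casefold().split())


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_from(from_value: str) -> dict:
    """Classify the value of a From: header (already RFC 2047 decoded).

    Verdicts:
      internal                   sender address is in one of our domains
                                 (still subject to SPF/DKIM/DMARC checks)
      display_name_impersonation display name matches a directory entry but
                                 the address is external
      address_in_display_name    the display name itself looks like one of
                                 our addresses, to fool clients that only
                                 show the name
      external                   ordinary external sender
    """
    display, address = parseaddr(from_value)
    result = {"display": display, "address": address, "verdict": "external"}
    key = normalize_name(display)
    tokens = display.split()

    if domain_of(address) in INTERNAL_DOMAINS:
        result["verdict"] = "internal"
    elif key in EXECUTIVE_DIRECTORY:
        result["verdict"] = "display_name_impersonation"
        result["expected"] = EXECUTIVE_DIRECTORY[key]
    elif tokens and domain_of(tokens[-1].strip('<>"')) in INTERNAL_DOMAINS:
        result["verdict"] = "address_in_display_name"
    return result


def scan_headers(from_values):
    """Return only the suspicious verdicts for a batch of From: values."""
    suspicious = ("display_name_impersonation", "address_in_display_name")
    return [r for r in (classify_from(v) for v in from_values)
            if r["verdict"] in suspicious]


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        "Jane Doe <jane.doe@example-corp.com>",
        "Jane Doe <jane.doe.ceo@webmail-example.net>",
        '"Jane Dóe" <jd@webmail-example.net>',
        '"jane.doe@example-corp.com" <billing@invoices-example.net>',
        "Vendor Newsletter <news@vendor-example.org>",
    ]
    for verdict in scan_headers(samples):
        print(verdict)
```

A match on this check is a triage signal rather than a verdict on its own: an internal-domain sender still needs SPF, DKIM and DMARC alignment before it is trusted, and names are normalized (case, diacritics, spacing) so that trivial variations do not slip past the directory lookup.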

Pretexting

Pretexting is a type of social engineering attack in which the threat actor creates a fake scenario to trick their target. They typically spoof the identity of someone who has the authority to request password changes, login details, or financial information. Like most cons, this attack relies on the attacker's ability to convince and flatter the target into performing a certain action.

Examples include an attacker posing as an IT admin who sends a link to change the target's account password, or posing as HR personnel asking employees to update their records. The personally identifiable information gathered this way proves useful for follow-on attacks such as identity theft.

Quid pro quo

In quid pro quo attacks, threat actors pose as someone offering a service or helping a person out. But before they can provide the service, they nudge the target into sharing some information, citing believable reasons. For example, someone posing as an employee of an internet service provider (ISP) and pretending to resolve a connection issue may request the WiFi password or the router configuration details in order to fix it. Unsuspecting targets share the information, hoping to get their problem solved. 

Baiting

Baiting is a cyberattack in which threat actors lure victims into a trap by offering something enticing. In an organizational context, this could be something sensitive, such as salary details or other insider information. Sometimes the bait takes the form of gift cards, free software, or other offers people tend to fall for. By requiring the target to provide information before the promised reward is delivered, the attacker gains access to sensitive data. In most cases, the bait turns out to be fake; its only purpose was to fool the victim into giving up information. 

Scareware

As the name suggests, scareware refers to a threat in which attackers scare their targets into performing a certain action. Attackers create elaborate scenarios that lead targets to believe their digital data is under imminent threat. By frightening them, the attackers get their victims to perform sensitive actions such as password changes, money transfers, or sharing vital details. 

Examples of this attack include a threat actor faking a password leak and demanding an urgent password change through a phishing link, or a supposed bank official claiming that money has been withdrawn from the target's account and asking them to change their PIN because of the suspicious activity. 

Honeytraps

In honeytrap attacks, the threat actor creates a public dating or social media profile and gives the illusion of being romantically interested in their target. They scour multiple profiles to find targets who seem easy to convince and send them flirtatious messages. In many cases, they invent reasons to avoid physical meetups, such as saying that they live abroad and are in a situation that prevents them from visiting. Slowly, after gaining the target's trust, they request money to travel back and then disappear without a trace.

Watering hole attacks

Watering hole attacks are those in which cybercriminals infect a website that people often visit with malicious code. In these attacks, criminals also bank on the possibility that their targets will make a typo while entering a web address. They buy lookalike domains of legitimate brands and either phish for the information people enter or substitute malicious executables for legitimate file downloads. While these attacks often rely on lookalike domain names, threat actors sometimes even take control of the original domain, exponentially increasing the damage.
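Both the phishing websites described earlier and the lookalike domains mentioned here rely on a domain that reads like a legitimate one. A defender can triage such domains (taken from links in inbound mail, proxy logs, or newly registered domain feeds) by comparing each registrable domain against a list of protected brands. The Python below is an added example, not code from the original article or from eProtect; the protected domain list and the sample domains are constructed, and the confusable map and the two-label approximation of a registrable domain are deliberate simplifications noted in the comments.

```python
"""Lookalike-domain classifier for phishing and typosquatting triage.

Added example (not from the original article or from eProtect). The protected
brand list and the sample domains are constructed for the demo;
PROTECTED_DOMAINS would be your own domains and those of partners your users
log in to.
"""
import unicodedata

# Constructed: registrable domains we want to catch imitations of.
PROTECTED_DOMAINS = ["example.com", "example-bank.com"]

# Deliberately coarse confusable map; it accepts some false positives in
# exchange for catching digit/letter swaps such as examp1e -> example.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so IDN homographs are compared as Unicode."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: compare as given


def skeleton(label: str) -> str:
    """Strip diacritics, case-fold and apply the confusable map."""
    decomposed = unicodedata.normalize("NFKD", label)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()
    for src, dst in CONFUSABLES:
        plain = plain.replace(src, dst)
    return plain


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (Levenshtein plus adjacent swaps)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # transposition, e.g. exmaple
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify_domain(domain: str, protected=PROTECTED_DOMAINS) -> dict:
    """Return a verdict for one host name against the protected brand list."""
    host = to_unicode(domain.strip().rstrip(".").lower())
    labels = host.split(".")
    # Naive registrable domain = last two labels. Production code should use
    # the Public Suffix List so "login.example.co.uk" is not read as "co.uk".
    registrable = ".".join(labels[-2:])
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    result = {"domain": domain, "registrable": registrable, "verdict": "unrelated"}

    if registrable in protected:
        result["verdict"] = "legitimate"
        return result

    # Tiers are checked in order of confidence across all protected brands.
    tiers = (
        ("tld_swap", lambda s, b: s == b),                                   # example.net
        ("homoglyph", lambda s, b: skeleton(s) == skeleton(b)),              # examp1e.com
        ("typosquat", lambda s, b: edit_distance(skeleton(s), skeleton(b)) == 1),
        ("brand_embedded", lambda s, b: b in s),                             # example-login.com
    )
    for verdict, matches in tiers:
        for p in protected:
            brand = p.split(".")[0]
            if matches(sld, brand):
                result.update(verdict=verdict, matches=p)
                return result

    # Brand used as a subdomain of an unrelated domain: example.com.login-verify.net
    for p in protected:
        if p.split(".")[0] in labels[:-2]:
            result.update(verdict="brand_in_subdomain", matches=p)
            return result
    return result


if __name__ == "__main__":
    # Constructed sample domains, as if extracted from links in inbound mail.
    for d in ["www.example.com", "example.net", "examp1e.com", "xn--exmple-cua.com",
              "exmaple.com", "examplebank.com", "example-login.com",
              "example.com.login-verify.net", "vendor-news.org"]:
        print(classify_domain(d))
```

The tiers are ordered by confidence: a swapped TLD or a homoglyph (including a punycode-encoded IDN such as xn--exmple-cua.com, which decodes to exämple.com) is a much stronger signal than a brand name merely embedded in a longer label, which also matches legitimate partner or campaign domains. In production, replace the two-label approximation with a Public Suffix List lookup and the short confusable map with a full table such as Unicode's confusables.txt.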

Deepfakes

While social engineering attacks have long been successful, the prevalence of AI has made it easy to create convincing scenarios that imitate other people. Using deepfakes, threat actors clone the voice, or even the likeness, of a prominent individual and send messages to their targets. This could be the CEO of a company or another well-known public figure. Reassured by a familiar voice or face, the targets comply with the request. These attacks are an increasingly dangerous threat because of the deep research and proficiency attackers put into creating them.

Tailgating

All of the social engineering tactics that we've discussed so far are digital. But a common physical social engineering attack is tailgating or piggybacking. In this attack, threat actors aim to get through a physical gateway or entry point by using the access of someone who has gone in before them. This is typically done in situations where a criminal is trying to get access to a restricted area to steal sensitive information. In some cases, they misuse a target's politeness or willingness to help to exploit access controls. 

Wrapping up

Social engineering attacks work because they target people, not just technology. Whether it’s a phishing email, a fake tech support call, or a USB left on a desk, these tactics rely on tricking someone into making a small mistake. 

But the good news is that you can stop most of these attacks by raising awareness, following protection measures, and using an effective security solution. When people know what to look for, like urgent messages, strange requests, or offers that seem too good to be true, they’re much less likely to fall for the trap. Adding a security solution gives much-needed protection from threats that are invisible to the human eye.


eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.
