What is a Social Engineering Cyber Attack?
Throughout this series of cyber security posts, we’ve stressed that heightened awareness is the key to preventing fraud. The vast majority of scams – whether they arrive via email, text, social media, or over the phone – rely on one thing: the participation of the person being scammed.
But what, precisely, should you be looking out for? Besides a website or email that somehow feels off, what tactics do these scams rely on, and how can you train yourself to better and more quickly recognize them?
Most scams that require your participation rely on some form of social engineering. They create a sense of urgency and familiarity, then combine it with some other vulnerable human characteristic to get you to let your guard down and click on the suspicious link, download the suspicious app, or enter your credentials into the fake website.
The familiarity is created by imitating trusted names and sites that you already use: your bank, your credit card company, a charity you regularly give to, a spoofed email address for a person on your contacts list, or well-known companies like Adobe, PayPal, and Docusign.
The urgency is created by making the request time-sensitive, or by offering only a limited number of items or spots.
The rest of social engineering is typically done by exploiting one or more of several human emotions:
Fear/Anxiety

These types of social engineering attacks drive people to click on links by threatening the loss of something important.
Some examples of fear-based schemes:
- A “Payment Declined” notice: your photos will be deleted immediately if you don’t update your payment information.
- An unsolicited notification in your system settings or a pop-up window that says something like, “Critical Virus Alert – Click Here to Scan.”
- Texts or emails from your bank saying your account will be closed unless you verify your information.
- Texts that threaten late fees or penalties for unpaid tolls or tickets.
- Texts claiming to be from package delivery companies asking you to click a link to verify information, or pay an additional fee because your package is stuck somewhere.
Fear and anxiety-based social engineering relies on creating an intense sense that if you don’t act immediately, something important to you will be lost.
The absolute best thing to do is to train yourself to recognize when an unsolicited text, email, or phone call has triggered a sense of fear in you. Even a small reaction like, “oh no,” should be an indicator to pause. If you feel any level of fear, anxiety, or urgency related to a message you’ve received, consider that a big stop sign.
A good first step, if you’re not sure of the validity of a message like this, is to do a quick internet search for this type of scam. Oftentimes just entering the content or subject-line of the message into a search engine will verify for you whether this is a scam or not.
If you’re still uncertain after that – reach out to the company directly and independently, using trusted contact information (not the information contained in the suspicious message).
If you’re really worried about unpaid tolls, contact the Department of Transportation directly; if you’re worried about a package stalled in delivery, go to the delivery company’s website and enter the tracking number; if you’re worried about your bank account being suspended or closed, call or go down to your local branch and talk to someone you know, and whose identity you can verify.
Greed/Need

Another common emotion that these social engineering scams exploit is the greed/need response: offering a financial reward, prize, or compensation that promises a high return for a small investment.
These can often be particularly tempting messages for folks who are barely getting by, or who are facing an unexpected need for funds they don’t have. Many social engineering experts characterize these as greed-based, but I think it’s more accurate to think of need as being the most common driver behind people who fall for this type of social engineering attack. Messages that seem too good to be true are easy to ignore if you aren’t having a hard time making ends meet, but can be very tempting for those who are.
Some common examples of this type of scam include:
- Job offers for full-time, high-paying remote work (all you have to do is give them your Social Security number and pay a small application fee).
- Crypto or other investment “opportunities” offering very high returns for small initial investments.
- A more elaborate variation of this is the “pig butchering” scam: for a while, the investment actually does appear to pay you a high rate of return, convincing you to add more and more money (and maybe tell your friends about it); then, when the scammers think they’ve gotten everything they can from you, they disappear with your investment and your perceived returns.
- Lottery or inheritance scams that require an administrative fee to “unlock” the prize or inheritance.
- Emails or texts saying that you have a payment on the way that you are not expecting and requiring you to click a link or download something to see the information about the payment.
These types of social engineering almost always offer something that seems too good to be true. And for someone facing a financial need or crisis that they don’t know how to solve, the arrival of an offer that is too good to be true is tempting precisely because it promises to solve an immediate problem.
Trust/Helpfulness

For those not overly prone to fear or greed, don’t worry, there’s a social engineering attack out there for you, too.
Trust and helpfulness attacks exploit the target’s trust, sense of empathy, and desire to help the people around them. These attacks sometimes rely on the impersonation of a trusted individual or organization, but they can also be slow-building, with trust established over time before a financial or informational request is made of the target.
Some common examples of this type of attack include:
- Someone impersonating a trusted individual or organization (a family member, colleague, boss, or charity) in crisis and immediate need of assistance.
- Pretexting or storytelling attacks, where someone reaches out to you, often claiming to have the wrong number, but also describing some type of crisis that compels the recipient to want to help. These can feel very innocent at first, like a person looking for a lost pet who has accidentally texted the wrong number.
- Pretexting and storytelling attacks often go hand in hand with an attempt to build rapport and get to know the target first, through small talk or helpful acts. They aim to lower the target’s guard before asking them to share sensitive information or hand over funds.
- Fake offerings – from I.T. support to free virus-scanning software, these free offers of help are often a way for bad actors to install malware or viruses on your computer.
- A fake store front or marketplace on social media that has a compelling, often sad story about why they need your business or need you to order from them.
No matter how urgent or compelling the story, whenever you are approached by someone who appears to be a person you trust and who claims to have an urgent financial need, find a way to independently verify the identity of the person you are talking to, especially in this day and age when voice and even visual impersonation (deepfakes) are on the rise.
And be wary of a stranger’s sad story shared over social media that ultimately sends you somewhere to make a payment or purchase from them. Always take the time to verify, outside of the platform where contact was first made. Even a quick Google search of “is _______________ a scam?” can yield a lot of valuable information.
Curiosity

This can seem like the most benign type of scam. It typically isn’t asking you to do anything, and it doesn’t prey on an emotion so much as on the human desire for information, entertainment, or “insider” knowledge.
These attacks are characterized by headlines or subject lines that pique curiosity. They’re also unlikely to ask you for information or money; instead, they’re typically built to install some sort of malware on your computer when you download an attachment, click a link, or even physically insert a USB drive.
Some common examples of what this looks like in practice are:
- An email simply saying something vague, like “check this out” with a link. (Studies have shown this context-free line has been one of the most successful ways to get people to click on random, potentially harmful links, with an over 40% click rate).
- A confidential document “accidentally” shared via email, like a spreadsheet that appears to come from HR with every employee’s salary information.
- Documents shared through work that hint at confidential news, like staffing changes or cuts.
- Intriguing news, or links to what promises to be a shocking video or piece of information; these are often current-event or celebrity-news lures.
- USB drives labeled as if they contain something interesting, “accidentally” left in an unsecured location.
Our impulse to follow our curiosity, even when we know something potentially harmful is on the other side of it, can be extremely strong. And when it comes to cyber security, we’re also less wary of curiosity, which makes it easier for many of us to let our guard down during a curiosity-based attack.

Ultimately, one of the best things you can do is try to stop and recognize, in all situations, where social engineering is at play, and pay attention to which types of social engineering you seem to be most susceptible to. After all, the reason there are so many varieties is that when it comes to taking advantage of human vulnerabilities, one size does not fit all in terms of which method works best.

I like to practice this with advertisements on television, on social media, and even with news coverage and headlines. Make a game or routine of noticing which human emotion or experience an advertisement is tugging at in low-stakes situations (and which methods you are most susceptible to), and you’ll be quicker to recognize them when the stakes are high. It’s also a great thing to practice with kids, who tend to be extremely susceptible to social engineering until they’ve had a lot of practice learning how to recognize it. It’s important to realize that no one is immune to social engineering – we’re all susceptible to it under the right conditions, particularly when we’re in a hurry or just not paying attention.

Recently, I experienced watching a room full of smart people watch an ad on television whose product or services weren’t completely clear at the end of the ad. But when it was over, everyone in the room was on their phones, looking it up – “What do they do? Who are they?” They were also complaining that the ad itself wasn’t that good if we didn’t know what it was advertising, but I suspect its objective was met if most of the people who watched it went directly to their website (driven by nothing but curiosity) to learn more.

To me, it was an entertaining reminder of how easy it is to get people to visit a website whose legitimacy they have no way of validating or understanding. No matter your preferred source of media or communication, there are plenty of opportunities to practice noticing and recognizing social engineering at play in everyday life. There are a lot of lures out there trying to get your valuable information and money, but the more you see them, the more inclined you’ll be to pause before you click, and to be on the lookout for these attacks that rely on your participation and exploit your most vulnerable human tendencies.