Tip - Learn the Steps in a Social Engineering Attack

Learn how to identify and protect against social engineering attacks to safeguard yourself and your business.

Social engineering is the practice of manipulating, deceiving, or influencing a victim to gain access to personal or financial information, or to take control of a device or computer system. Attackers use psychological tactics to trick users into giving up sensitive information or making security mistakes.


Types of Social Engineering Attacks

Social engineering is a broad term for attempts to access users' data, sensitive information, or devices through psychological manipulation. You and your company should be aware of the different types of social engineering attacks.

Phishing

Phishing is a social engineering tactic in which attackers send fraudulent emails that claim to come from a reputable source. Attackers often impersonate a trusted organization and, for example, claim they have important information about your account. They might ask you to reply with your full name, date of birth, social security number, etc., so they can "verify your identity".

Phishing casts a wide net and targets as many users as possible. Other types of phishing target specific users, such as spear phishing (aimed at a particular person) or whaling (aimed at executives).

Baiting

As the name suggests, baiting puts something in front of the victim to lure them into a social engineering trap. The bait can take many forms, but its purpose is always to be enticing enough, or intriguing enough, that the victim takes it.

Vishing & Smishing

Voice phishing (vishing) happens when an attacker, over the phone, tricks a victim into revealing sensitive information or giving the attacker access to their computer. The victim often receives threats, and the attacker tries to scare them into handing over sensitive information.

SMS phishing (smishing) uses the same tactics as vishing, except through SMS/text messages.

Pretexting

Attackers create a false scenario, or pretext, under which the victim believes they must comply. This attack is usually used against corporations that hold client data, financial data, or run utilities.

Tailgating & Piggybacking

Attackers use tailgating to gain physical access to a restricted location. The attacker follows an authorized user into the area unnoticed, or catches the door right before it closes.

Piggybacking differs from tailgating in that the authorized user is aware of the individual and knowingly lets them "piggyback" on their credentials.

Quid Pro Quo

In quid pro quo, the attacker offers a service in exchange for information. For example, an attacker could offer "tech support" in exchange for sensitive information, device access, or a payment.

How Can I Recognize a Social Engineering Scam?

You and your company need to know how to recognize social engineering scams. If you receive an email that looks suspicious, whether because of its wording, the sender's address, or its context, it's best not to click on anything in it; the same goes for text messages and phone calls. There are many ways to identify a social engineering scam, such as:

The Sender Asks for Something Out of the Normal (With Urgency)

An attacker's message usually asks the victim to send or do something out of the ordinary: send or collect money, hand over information, open a link or document, etc. A strong sign of a scam is that the sender has never asked for anything like this before, or that you have never communicated with the sender at all. Phishing emails are often made to look as if they come from people or companies we trust. Another telltale sign is a threat: attackers frequently warn of consequences if the victim does not act. Treat any request that has never been made of you before with suspicion, especially when it comes with urgency.

Attachments: URLs and Unusual Files

If the email tells or encourages you to click on a link, you probably shouldn't. Attackers include URLs or unusual attachments in the email, and sometimes the message tells you to submit your information by clicking one of these links. Clicking risks malware or other harmful software being downloaded onto your device. Attackers use this tactic to infect your device or to gain control of it.

Too Good to Be True

If the sender makes you an offer that is too good to be true, it is most likely a scam. If you are told you have received money or a prize, think twice before clicking that link or sharing your own or your company's personal information to claim it.
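The three indicators above (an out-of-the-ordinary request delivered with urgency, suspicious links or attachments, and too-good-to-be-true offers) can be turned into a simple triage check that scores an incoming message. The following is an added example, not code from the original article; the keyword lists, the trusted-domain set `corp.example`, and both sample messages are constructed for illustration. It also adds a check the article only implies: a link whose host merely contains your company's domain (a lookalike) is treated as suspicious, not trusted.

```python
import re
from email import message_from_string
from email.message import Message

# Indicator phrases are constructed for this example; a real deployment tunes them.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended", "verify now")
SENSITIVE_REQUESTS = ("social security", "date of birth", "password", "wire transfer", "gift card")
LURE_PHRASES = ("you have won", "prize", "claim your reward", "lottery", "free money")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)

# Constructed: domains the organization actually sends mail from and links to.
TRUSTED_DOMAINS = {"corp.example"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of a header like '"Bob" <bob@x.y>'."""
    m = re.search(r"@([\w.-]+)", address)
    return m.group(1).lower() if m else ""


def is_under(host: str, trusted: set[str]) -> bool:
    """True when host is exactly a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def host_is_lookalike(host: str, trusted: set[str]) -> bool:
    """True when a trusted domain appears inside the host but the host is not under it,
    e.g. corp.example.secure-login-verify.example when corp.example is trusted."""
    host = host.lower()
    return not is_under(host, trusted) and any(t in host for t in trusted)


def body_text(msg: Message) -> str:
    """Concatenate every inline text/plain part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw: str, trusted: set[str] = TRUSTED_DOMAINS) -> dict:
    """Score a raw RFC 822 message; each matched indicator adds one finding."""
    msg = message_from_string(raw)
    findings = []
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()

    # 1. Unusual request from an unfamiliar sender, delivered with urgency.
    sender_domain = domain_of(msg.get("From", ""))
    if not is_under(sender_domain, trusted):
        findings.append(f"sender domain not trusted: {sender_domain}")
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To goes to a different domain: {reply_domain}")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency language")
    if any(p in text for p in SENSITIVE_REQUESTS):
        findings.append("asks for sensitive information")

    # 2. Links to lookalike or untrusted hosts, and risky attachment types.
    for host in URL_RE.findall(text):
        if host_is_lookalike(host, trusted):
            findings.append(f"lookalike link host: {host}")
        elif not is_under(host, trusted):
            findings.append(f"link to untrusted host: {host}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")

    # 3. Too good to be true.
    if any(p in text for p in LURE_PHRASES):
        findings.append("too-good-to-be-true offer")

    return {"score": len(findings), "findings": findings}


# Constructed sample: a credential-harvesting lure with a lookalike link and a
# double-extension attachment. Six indicators fire.
PHISHING_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@secure-login-verify.example>
Reply-To: attacker@mailbox-drop.example
To: alice@corp.example
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Your mailbox is over quota. Verify now at
http://corp.example.secure-login-verify.example/login or your account will be suspended.
Reply with your password and date of birth.
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

(binary content omitted)
--B--
"""

# Constructed sample: an ordinary internal reminder. No indicators fire.
BENIGN_SAMPLE = """\
From: "Dana (Finance)" <dana@corp.example>
To: alice@corp.example
Subject: Q3 expense report reminder
Content-Type: text/plain

Hi Alice, the Q3 expense reports are due Friday.
Upload them at https://expenses.corp.example/upload as usual.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(sample)
        print(f"{label}: score={result['score']}")
        for f in result["findings"]:
            print("  -", f)
```

A score is a triage aid, not a verdict: a real message from a new vendor will trip the untrusted-sender check, and a carefully written lure may trip none. The checks are cheap enough to run on every inbound message and surface the ones that deserve a second look.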

How Can I Prevent Social Engineering?

User awareness and education are the first steps in preventing social engineering scams, but there are more ways to keep you, your company, and your information safe from these attacks.

Spam Filters

Spam filters do exactly what the name suggests: they keep spam and unwanted email out of your inbox. They are designed to recognize dangerous messages and block them before they reach you. While much spam is relatively harmless, a filter is a safety net that removes anything that could be dangerous.

Multi-Factor Authentication

Relying on a single factor can leave you and your information vulnerable. Enabling two-factor or multi-factor authentication adds an extra layer of protection. Suppose you accidentally give your username and password to an attacker. If multi-factor authentication is enabled on the account, the attacker still cannot sign in: they would also need your mobile device to approve the login.
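To make the "they would also need your mobile device" point concrete, here is an added example (not code from the article) of a login check that requires a password and a time-based one-time code of the kind an authenticator app on a phone produces. The code generation follows the HOTP/TOTP construction of RFC 4226 and RFC 6238 (HMAC-SHA1 over a counter, dynamic truncation, six digits); the user record, the `DEMO_SECRET`, and the `login` function's return strings are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo account. A real system stores a password hash, never the
# plaintext, and enrols the TOTP secret by showing it to the user as a QR code.
DEMO_SECRET = "JBSWY3DPEHPK3PXP"  # base32; lives only in the authenticator app and the server
USERS = {"alice": {"password": "correct horse battery staple", "totp_secret": DEMO_SECRET}}
STEP_SECONDS = 30


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second window."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // STEP_SECONDS, digits)


def login(username: str, password: str, otp: Optional[str], now: Optional[int] = None) -> str:
    """Two-factor check: something you know (password) and something you have (the
    device holding the TOTP secret). A stolen password alone never reaches 'ok'."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return "denied: bad credentials"
    if not otp:
        return "denied: second factor required"
    t = int(time.time()) if now is None else now
    # Accept the current window plus one on either side to tolerate clock drift.
    for drift in (-1, 0, 1):
        expected = totp(user["totp_secret"], t + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, otp):
            return "ok"
    return "denied: bad second factor"


if __name__ == "__main__":
    stolen_password = "correct horse battery staple"  # what a phishing email might obtain
    print("password only:", login("alice", stolen_password, None))
    print("password + guessed code:", login("alice", stolen_password, "123456"))
    # Only the device that holds DEMO_SECRET can produce the current code.
    print("password + device code:", login("alice", stolen_password, totp(DEMO_SECRET)))
```

The design point is that the second factor is derived from a secret that never travels in email or over the phone, so the phished password by itself is not enough. (A phishing site that relays the one-time code in real time is still a risk; phishing-resistant factors such as hardware security keys close that gap, but that is beyond this example.)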

Penetration Testing

Penetration testing probes your computer systems for vulnerabilities. A test targets individual components, applications, or systems as a whole to find exploitable flaws. It can help limit social engineering attacks because a test that includes a social engineering component shows how easily an intruder could talk employees into granting access to your systems.

Keep Learning about Social Engineering and How to Keep You and Your Company Safe

Social engineering is an attack aimed squarely at you and your company. Taking the right precautions to prevent these attacks is crucial to protecting you, your company, and the sensitive information both hold. Combating modern email threats calls for a comprehensive, cloud-based email security solution that safeguards the inbox against all fraudulent mail that could potentially lead to compromise.
