Think Like A Criminal: What You Need to Know About Social Engineering Attacks in 2021
- by Brittany Day

In a previous blog post, Think Like A Criminal: How To Write A Phishing Email, we examined phishing from an attacker's point of view to help you understand and protect against this notorious email scam, which is blamed for over 90% of all cyberattacks. In this article, we take a look at social engineering: the techniques attackers use to manipulate human psychology. Considering that 98% of all cyberattacks rely on social engineering, we want to give you background on the topic and advice for protecting against social engineering attacks that you can use to safeguard your users and key business assets. Here is what you need to know about social engineering in 2021.
What Is Social Engineering & How Is It a Threat to My Business?
Social engineering refers to the use of deception to manipulate individuals into sharing confidential or personal information that can be used for fraudulent or malicious purposes. Criminals have been leveraging social engineering techniques for centuries; however, in recent years, the magnitude of this threat has increased exponentially. Threat actors are now able to obtain extensive information on targets by searching the Internet - relying heavily on widely-used social media platforms for their research.
Social engineering scams are highly successful because they exploit human nature. Attack campaigns often prey on people’s inherent desire to help or leverage trust relationships built with a superior, colleague, partner or organization.
Like other cyber threats, social engineering attacks generally follow a standard lifecycle methodology that can be broken down into four clearly-defined steps:
1. Information Gathering: Threat actors identify a target, employ open source intelligence (OSINT) techniques to gather as much information on the target as possible, and select the attack method(s) they will use.
2. Establish Relationship: Cyber criminals engage with the victim through targeted communications such as social media messages or spear phishing emails.
3. Exploitation: Attackers use the information gathered and the relationship they have built with the target to gain a foothold (e.g. persuading the target to give away sensitive information).
4. Attack Execution: Threat actors carry out the attack, carefully erasing any digital footprints (such as malware) in order to remain undetected.
Phishing: A Favorite Lure Among Social Engineers
Phishing is the most common type of social engineering attack used to gain access to account credentials, sensitive data, confidential business information and funds. Phishing has dominated the email threat landscape for decades; however, with the recent increase in remote workers and the proliferation of popular cloud platforms like Microsoft 365 and Google Workspace, there has been a resurgence in phishing attacks. Unlike past phishing campaigns, modern phishing attacks are sophisticated, evasive and rely heavily on social engineering to appear legitimate. These malicious scams carry serious consequences for businesses including data theft, financial loss, reputation damage, significant downtime and, in many cases, permanent shutdown.
How Can I Defend Against Social Engineering Attacks?
The majority of social engineering attacks are so targeted and deceptive that it has become difficult to blame a user for falling for a scam. After all, even the most security-conscious individuals can be tricked by social engineering. Thus, defending against social engineering attacks requires a comprehensive, fully-managed email security solution capable of anticipating and blocking advanced and emerging threats in real time and preventing all malicious mail from being delivered, creating a safeguarded environment around the user.
In addition, users and organizations should use strong passwords for all accounts and be aware of the information they make publicly available online. We suggest checking websites for personal information that may be publicly available (like addresses, phone numbers, etc.) and requesting that it be removed. Websites like Have I Been Pwned, which notify users when their information is discovered online, can be helpful in monitoring the availability of your personal information on the Internet.
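As an added example (not code from the original post), the following checks whether a password appears in a known breach corpus using the Have I Been Pwned "Pwned Passwords" range API, which receives only the first five hex characters of the password's SHA-1 so the password itself never leaves the machine. The network call is optional; the sample range response used here is constructed so the check runs offline.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords endpoint: GET /range/<first 5 hex chars of SHA-1>
# returns one "SUFFIX:COUNT" line per matching hash (k-anonymity lookup).
API_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str):
    """SHA-1 the password; return the 5-char prefix sent to the API and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response and return how many breaches the suffix appeared in (0 if absent)."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count) if count.strip().isdigit() else 0
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the real range response for a prefix (only used when no offline fetcher is supplied)."""
    req = urllib.request.Request(API_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=None) -> int:
    """Return the breach count for a password; only the hash prefix is ever sent out."""
    prefix, suffix = split_hash(password)
    body = fetch(prefix) if fetch else fetch_range(prefix)
    return count_in_range(suffix, body)


# Constructed offline stand-in for the API: we pretend "Winter2021!" showed up in 3 breaches.
_CONSTRUCTED_BREACHED = {"Winter2021!": 3}


def constructed_fetch(prefix: str) -> str:
    """Build a fake range response (filler suffixes are made up, not real HIBP data)."""
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:1", "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2"]
    for pw, count in _CONSTRUCTED_BREACHED.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines) + "\r\n"
```

Calling `check_password("Winter2021!", constructed_fetch)` returns 3 against the constructed data; drop the second argument to query the live API.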
The Bottom Line
People are not computers - but they can still be hacked through the use of social engineering tactics. Combating modern email threats that leverage social engineering techniques requires a fully-managed, all-in-one email security solution that safeguards the inbox against all fraudulent mail that could potentially lead to compromise.