What Is Social Engineering?

Duane Wilson
Mar 4, 2021

Social engineering is a collection of psychological techniques that cybercriminals use to manipulate people into giving up private information or taking an action, such as opening an attachment, that compromises their security.

Criminals use social engineering to trick people into taking certain actions or revealing data. The action might be opening an unsolicited attachment that infects your computer with malware. The data might be login credentials or private details such as bank account or social security numbers.

Verizon's 2019 Data Breach Investigations Report found that around 94 percent of malware was delivered by email. These emails mostly rely on social engineering to convince the recipient to open a malware-infected attachment, and Symantec's 2019 Internet Security Threat Report put the share of malicious attachments disguised as seemingly innocuous Microsoft Office files at about 48 percent.

In this article, we’ll be taking a deep dive into exactly how social engineering is used and what you can do to protect yourself against it.

Why Do Criminals Use Social Engineering?

The Hollywood image of the hacker is drawn more from the Matrix films than reality.

Rather than lone individuals typing scrolling lines of code to break through your account defenses, cybercriminal groups often have complex, almost corporate, structures. They also rely far more on human error and social engineering than on brute-force attacks.

Why? Because it’s much easier to do.

The reality is that the great majority of security breaches involve human error; the figure widely quoted from IBM's security research is 95 percent. A long, random password protected by a modern password hash takes far more time and computing power to crack than an attacker will normally spend on one account, and a sufficiently long one cannot be cracked at all within any useful timeframe.

It’s far easier to simply convince the owner of the account to surrender the password willingly, or to get them to run malware on the target machine themselves.

What Does Social Engineering Look Like?

Social engineering most commonly looks like a legitimate email. It appears to come from a friend, a business contact, or a trusted source, such as a bank or software provider, whose name and branding the attacker copies or whose address the attacker spoofs.

The email will create a scenario in which you are baited into either downloading an attachment or clicking on a link. The attachment carries the malware; the link leads either to a malware download or to a fake login page that harvests your credentials.

These are known as phishing attacks and are one of the most consistently successful forms of cyberattack. According to Verizon's Data Breach Investigations Report, phishing and pretexting together account for around 93 percent of the breaches that involve a social action.

Once downloaded onto your system, the malware can conduct a number of malicious activities:

  • Ransomware locks you out of your data by encrypting your files and then demands money in return for the decryption key.
  • Trojan horses pose as legitimate software while giving the attacker backdoor access to your computer.
  • Viruses attach themselves to other programs or files, damage or destroy data, and spread from one computer to the next.
  • Spyware, including keyloggers, records your activity and reports your passwords and account details back to the attacker.

What Are Common Social Engineering Techniques?

While there are a huge number of social engineering techniques used by hackers every day, some of the most common are:

The Legitimate Email

These appear to come from a financial institution and typically report a threat to your account, or claim that you are owed money because of a billing mistake. The email asks you to log in, via a provided link, to verify your account or get paid.

The link either leads to a spoofed copy of the institution’s login page, hosted on a domain the attacker controls, which records your login details as you enter them, or it simply infects your computer with malware. The visible link text often shows the bank’s real address while the underlying destination is somewhere else entirely.

You’re a Winner!

Known as greed phishing, these emails inform you that you are the winner of a lottery, prize getaway, 10,000th customer offer, or similar windfall. In order to claim your winnings, the email will ask you to prove your identity, normally by clicking on a link and entering your social security number.

Message from the Boss

People are predisposed to trust email from their managers. If attackers gain access to a company email account, through phishing or a data breach, they can send employees messages telling them to open a malware-infected file, or, in business email compromise fraud, to pay an invoice or wire funds to an account the attacker controls.

How to Protect Yourself from Social Engineering

There are a number of steps you can take to protect yourself from social engineering attacks:

  • Delete any email that asks you for personal, financial, or security information. Legitimate institutions do not request passwords or account numbers by email.
  • Never follow a link sent to you in an unexpected email. Instead, type the organization’s address yourself or use a bookmark you saved earlier, and log in from there.
  • Be especially suspicious of emails from financial institutions. They are among the most commonly impersonated organizations.
  • Never open a file attached to an email unless you personally know the sender and were expecting them to send it. If in doubt, confirm through another channel, such as a phone call.
  • Maintain a healthy level of skepticism. If an email seems too good to be true, it’s because it is.
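The “Legitimate Email” technique above, and the link and attachment advice in this list, boil down to a few checks that can also be automated on the mail server side. The following Python script is an added example, not code from the original article: it parses a constructed phishing message (the addresses and domains in it are made up) and flags three indicators discussed on this page: a Reply-To domain that differs from the From domain, a link whose visible text names one domain while its href goes to another, and an attachment with a macro-enabled Office or other executable extension. The `registrable_domain` helper is deliberately crude (last two labels); a production filter would use the Public Suffix List.

```python
"""Triage a raw email for common phishing indicators (added example, not from the article)."""
import os
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment extensions worth flagging: classic and macro-enabled Office formats plus
# container and script types commonly used to smuggle a dropper past the user.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm",
                    ".iso", ".lnk", ".js", ".hta", ".exe", ".scr"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, visible_text)
        self._href = None    # href of the <a> currently being read, or None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: last two labels. Use the Public Suffix List in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname of a URL or bare domain appearing in text; None if text is not URL-like."""
    candidate = text.strip()
    if not candidate or " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def analyze_message(raw):
    """Return a list of (indicator, detail) findings for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Replies silently redirected to a domain other than the apparent sender's.
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"{from_dom} -> {reply_dom}"))

    # 2. Link text that shows one site while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            actual, shown = host_of(href), host_of(text)
            if actual and shown and registrable_domain(actual) != registrable_domain(shown):
                findings.append(("link_text_mismatch", f"shows {shown}, goes to {actual}"))

    # 3. Attachments of a type that can carry macros or executable code.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("risky_attachment", name))

    return findings


# Constructed sample message; every address and domain here is fictional.
SAMPLE = b"""From: MyBank Security <alerts@mybank.example>
Reply-To: verify@mybank-secure-login.example
To: customer@example.org
Subject: Action required: unusual activity on your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a sign-in from a new device. Please verify within 24 hours:</p>
<p><a href="https://www.mybank.example.account-verify.net/login">https://www.mybank.example/verify</a></p>
<p>Questions? Visit our <a href="https://www.mybank.example/help">Help centre</a>.</p>
</body></html>
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Statement.docm"
Content-Disposition: attachment; filename="Statement.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

if __name__ == "__main__":
    for indicator, detail in analyze_message(SAMPLE):
        print(f"{indicator}: {detail}")
```

The genuine “Help centre” link is not flagged because its visible text is not URL-like, which is the point of the comparison: only links that pretend to show their own destination are checked, so the filter catches the display-text trick rather than every external link in a newsletter.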
