Social engineering is the very common practice of exploiting a human element to initiate and/or execute a cyberattack. 

Human weakness and ignorance present such easy targets that fully 82% of the attacks in Verizon's 2022 Data Breach Investigations Report were perpetrated, at least in part, via some form of social engineering.

In this article, we look at the forms of social engineering that are frequently used and best practices for limiting its effectiveness within the enterprise.

What is social engineering?

A dictionary definition of social engineering (in the context of cybersecurity) is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” 

At the most basic, this includes the mass-market spamming of individual email accounts with a phishing attempt such as an offer for a free gift certificate from a well-known retailer. Consumers who click a link to a malicious website or open an infected file attachment and enter personal information may open themselves up to criminal exploitation.

For higher-value, enterprise targets, the technique can become quite a bit more elaborate — or remain stunningly simple.

Roger Grimes, data-driven defense evangelist at security awareness training vendor KnowBe4, calls it for what it is: a con, a scam. “It's someone pretending to be a brand, company or person you would … trust more than if you know the message was being sent by a complete stranger trying to trick you into doing something that will impact you or your organization's own interests,” he explained. “The desired actions are often to launch a malicious program, provide logon passwords, or to provide confidential content (e.g., social security number, banking information, etc.).” 

The criminal uses psychological manipulation to trick the user into performing actions or divulging confidential information. Seven means of persuasive appeal, as outlined by Robert Cialdini in Influence: The Psychology of Persuasion, are commonly cited to explain why people are vulnerable when these principles are applied in social engineering:

Many social engineering attempts come via email, but that is not the only channel. Social engineering is also accomplished via SMS messages, websites, social media, phone calls or even in person.

As Manos Gavriil, head of content at hacking training firm Hack The Box, points out, “Social engineering is considered the number one threat in cybersecurity, as it exploits individual human error, which makes it very hard to stop, and even the simplest forms of attack can have a devastating impact.”

Types of social engineering techniques and methods

Social engineering is accomplished in a variety of ways:

These types of attack are often combined or tweaked to incorporate new wrinkles:

However, social engineering doesn’t have to be sophisticated to be successful. Physical social engineering usually involves attackers posing as trusted employees, delivery and support personnel, or government officials such as firefighters or police. Another effective ploy is to leave a USB stick somewhere labeled “bitcoin wallet” or even, in a company parking lot or building toward the end of the year, “annual raises.”

As Igor Volovich, vice president of compliance for Qmulos, shares, “Recently, a pair of social media figures set out to prove that they could get into concerts by simply carrying a ladder and ‘acting official.’ They succeeded multiple times.”

10 top best practices to detect and prevent social engineering attacks in 2022

Follow these best practices to thwart social engineering attempts within an organization:

1. Security awareness training may be the most fundamental practice for preventing damage from social engineering.

2. Employees should be tested regularly for their response to threats — both online and in person.

3. Foster a pervasive culture of awareness.

According to Grimes, “If you create the right culture, you end up with a human firewall that guards the organization against attack.” Well-executed training and testing can help to create a culture of healthy skepticism, where everyone is taught to recognize a social engineering attack.

4. It should be easy to report attempts and breaches.

Systems should make it easy for personnel to report potential phishing emails and other scams to the help desk, IT or security. Such systems should also make life easy for IT by categorizing and summarizing reports. A phishing alert button can be placed directly into the company email program.

5. Multifactor authentication (MFA) is important.

Social engineering is often intended to trick users into compromising their enterprise email and system access credentials. Requiring multiple identity verification credentials is one means of keeping such first-stage attacks from going further. With MFA, users might receive a text message on their phone, enter a code in an authenticator app, or otherwise verify their identity via multiple means.

6. Keep a tight handle on administrative and privileged access accounts.

Once a malicious actor gains access to a network, the next step is often to seek an administrative or privileged access account to compromise, because that provides entry to other accounts and significantly more sensitive information. Therefore, it is especially important that such accounts are granted only on an as-needed basis and are watched more carefully for abuse.

7. Deploy user and entity behavior analytics (UEBA) for authentication.

Along with MFA, additional authentication technology should be used to stop initial credential breaches from escalating to larger network intrusions. UEBA can recognize anomalous locations, login times and the like. If a new device is used to access an account, alerts should be triggered, and additional verification steps initiated.
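The following Python is an added example, not the article's or any UEBA vendor's code, of the kind of check described above: it builds a per-user baseline of known devices, countries and login hours from earlier sign-ins, then grades each later sign-in and decides whether to allow it, require step-up verification, or also raise an alert. All events, user names, device identifiers and the decision thresholds are constructed for the example.

```python
"""Added example (not from the article): a minimal UEBA-style login check.
Baseline = what each user normally does; a later login that deviates
(new device, new country, unusual hour) triggers step-up MFA or an alert."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample history: (user, UTC timestamp, country, device_id)
BASELINE_EVENTS = [
    ("alice", "2022-09-01T08:05:00Z", "US", "laptop-a1"),
    ("alice", "2022-09-02T08:40:00Z", "US", "laptop-a1"),
    ("alice", "2022-09-05T09:10:00Z", "US", "phone-a2"),
    ("alice", "2022-09-06T17:55:00Z", "US", "laptop-a1"),
    ("bob",   "2022-09-01T22:15:00Z", "DE", "laptop-b1"),
    ("bob",   "2022-09-03T23:05:00Z", "DE", "laptop-b1"),
]

# Constructed sample logins to evaluate against that history
NEW_EVENTS = [
    ("alice", "2022-09-12T08:30:00Z", "US", "laptop-a1"),   # matches baseline
    ("alice", "2022-09-12T03:12:00Z", "RO", "win-unknown"), # new device, country, hour
    ("bob",   "2022-09-12T22:40:00Z", "DE", "laptop-b1"),   # matches baseline
    ("carol", "2022-09-12T10:00:00Z", "US", "laptop-c1"),   # user with no history yet
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events):
    """Collect the devices, countries and login hours seen per user."""
    baseline = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for user, ts, country, device in events:
        profile = baseline[user]
        profile["devices"].add(device)
        profile["countries"].add(country)
        profile["hours"].add(parse_ts(ts).hour)
    return baseline


def hour_is_unusual(hour: int, known_hours, tolerance: int = 1) -> bool:
    """True if `hour` is more than `tolerance` hours from every hour seen before
    (distance wraps around midnight, so 23:00 and 00:00 are one hour apart)."""
    return not any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in known_hours)


def evaluate(event, baseline) -> list:
    """Return the list of anomaly reasons for one login (empty means normal)."""
    user, ts, country, device = event
    if user not in baseline:           # `in` does not create a defaultdict entry
        return ["no_baseline"]
    profile = baseline[user]
    reasons = []
    if device not in profile["devices"]:
        reasons.append("new_device")
    if country not in profile["countries"]:
        reasons.append("new_country")
    if hour_is_unusual(parse_ts(ts).hour, profile["hours"]):
        reasons.append("unusual_hour")
    return reasons


def decide(reasons: list) -> str:
    """Constructed policy: one anomaly (or no history) forces extra verification;
    two or more also alert the security team."""
    if not reasons:
        return "allow"
    if len(reasons) >= 2:
        return "alert_and_step_up"
    return "step_up_mfa"


def run(baseline_events=BASELINE_EVENTS, new_events=NEW_EVENTS) -> list:
    baseline = build_baseline(baseline_events)
    results = []
    for event in new_events:
        reasons = evaluate(event, baseline)
        results.append({"user": event[0], "time": event[1],
                        "reasons": reasons, "action": decide(reasons)})
    return results


if __name__ == "__main__":
    for r in run():
        print(r)
```

In production the baseline would be rolling and weighted rather than a plain set, and the device identifier would come from a managed-device certificate or browser fingerprint rather than a free-text name, but the shape of the logic is the same: compare the new login to the user's own history and escalate verification when it does not fit.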

8. Secure email gateways are another important tool.

Although far from perfect, secure email gateways cut down on the number of phishing attempts and malicious attachments that reach users.

9. Keep antimalware releases, software patches and upgrades current.

Keeping current on releases, patches and upgrades cuts down on both the malicious social engineering attempts that reach users and the damage that occurs when users fall for a deception or otherwise make an erroneous click.

10. Finally, the only way to 100% guarantee freedom from cyberattack is to remove all users from the web, stop using email, and never communicate with the outside world.

Short of that extreme, security personnel can become so paranoid that they institute a burdensome tangle of safeguards that slow down every process in the organization. A good example is the inefficient TSA checkpoint process at every airport, which has negatively impacted public perception of air travel. Similarly, in cybersecurity a balance between security and productivity must be maintained.