Stay Safe Online: How to Identify 7 Types of Social Engineering Attacks

What do you think is the most effective and potentially devastating way for a criminal to launch a cyber attack on a business? Directly hacking through the firewall? Waiting for someone to happen across the attacker’s malware online? Maybe injecting code into their website?

These are all potential options for cybercriminals out there, but any organisation’s weakest spot is the 1.4kg mound of gelatinous blancmange between its team’s ears. Yes, organisations of all kinds can be crippled using psychological tactics referred to as social engineering. In fact, PurpleSec report that social engineering is used in over 90% of all cyber attacks!

But what kinds of social engineering attacks do criminals use to impact businesses? And how do those attacks work?


What is Social Engineering?

Social engineering is where criminals use psychological manipulation to encourage victims into sharing valuable private information or permitting access to IT systems, which the criminals can then use for fraud. Due to the psychology at play, it can be remarkably effective.

There are a number of ways that criminals can socially engineer people both online and offline.

Why is Social Engineering so Effective?

Human psychology is far from perfect. We are hardly the empirically logical, top-of-the-food-chain thinkers we like to think we are; especially when we’re made to feel rushed, under duress, or tempted by something too good to be true. We respond starkly to perceived loss, scarcity, or when we believe we’re going to be missing out – sometimes without thinking rationally. For example, when faced with a phone call or email claiming to be from law enforcement, fear of authority may cause some victims to panic and go along with the caller’s demands unquestioningly.


Social engineering leans heavily on the psychology of influence, which you can learn more about here: What Is Social Engineering? And How Can You Stay Safe?


7 Types of Social Engineering Attacks

What is Phishing?

Phishing is a type of social engineering attack whereby criminals send out emails claiming to be from a reliable source or authority figure. They use this leverage to manipulate victims into sharing sensitive information, making fraudulent payments, or allowing an infection into their system.

How Does Phishing Work?

Many “basic” phishing emails purport to be from a trusted or authoritative source with wide brand awareness and appeal. Therefore, they can adopt a “spray and pray” approach – sending out blanket emails to huge email lists, taking advantage of public trust in that brand. It’s purely a numbers game – the larger the email list, the more people will potentially take the bait. Additionally, hackers are getting better at using design and language to impersonate well-known brands – and to put psychological pressure on victims.

Phishing emails can really run the gamut in terms of what they set out to achieve. Here are some common examples of phishing campaigns:

  • Messages claiming to be from a company like Amazon or PayPal, requesting that the recipient log in to their account immediately using a given link; however, the link leads to a fake site that harvests the victim’s login credentials.
  • Messages pretending to be from a governmental entity or law enforcement, demanding that the recipient act now or face legal proceedings. These scams are designed to scare the victim into action – whether that’s downloading an infected file, paying a phony “fine”, or sharing personal information.
  • Messages purporting to be from a lawyer or foreign dignitary, claiming you’re the recipient of a sudden windfall – they just need all of your personal information and a down payment to get the funds to you. Yeah, right.
  • Messages that contain a mysterious invoice – personal or professional – that needs settling immediately.

What is Spear Phishing?

Spear phishing is a targeted social engineering attack aimed at a specific individual, group, or organisation. The resulting phony messages usually claim to come from a source the victim knows, which may make them more likely to comply with fraudulent requests.

How Does Spear Phishing Work?

Spear phishing requires a lot more planning than the blanket “spray and pray” approach of regular phishing because attacks are carried out with a highly specific victim organisation or group in mind. Let’s take a look at some hypotheticals.

Say a cybercriminal wants to get malware into a specific organisation. They may start researching the organisation, only to find out that they offer life insurance from a certain provider or membership to a certain gym as employee perks. In this case, the criminals’ job would be simple – send those employees an email purporting to be from the insurance provider or gym that encourages recipients to click on a link that will infect their machines. In an even more targeted hypothetical attack, a hacker may send an infected Excel file to a whole finance team, or may send phony Office 365 login prompts to a whole department in order to access internal information or send further fraudulent emails.

What is Whaling?

Whaling is a type of phishing attack that specifically targets top-ranking and/or high-profile individuals at an organisation. These “big fish” (hence the name) are most likely to have access to incredibly privileged information, making them a hot target for cybercriminals.

For example, C-Suite individuals may have highly sensitive data and assets to hand like critical administrative passwords, financial information, and even company/trade secrets; all things that your average criminal would love to get their mitts on.

How Does Whaling Work?

Because whaling attacks are so targeted, they require a lot of planning and research beforehand. Hackers will generally stake out the individual’s social media feeds and any publicly facing press activity (if applicable). What information they’re after may depend on the intended attack, but an understanding of who the target works most closely with may be particularly useful.

With this research at hand, they could then send a spoofed email pretending to be a known, trusted colleague or customer, demanding payment of an urgent invoice. Alternatively, they may request highly sensitive login credentials or confirmation of trade secrets. The target may equally be prompted to open an infected link or attachment.

What is Vishing?

Vishing is a kind of social engineering attack that uses phone calls and/or voice messages to deceive victims into doing the attacker’s bidding. These messages may urge the victim to reveal sensitive information, give criminals access to their devices, or send money to the criminals somehow.

How Does Vishing Work?

Vishing – a portmanteau of “voice” and “phishing” – pulls on a number of psychological strings. Because vishing calls usually claim to come from some kind of authoritative source or trusted household brand, the recipient is more likely to comply from the get-go.

The urgency of a phone call – where people have to act in the here and now – is another factor. Email recipients have all the time in the world to interrogate incoming mail for inconsistencies and errors. But a phone or voice call requires you to think on your feet – something we’re not all great at.

Here are some example vishing attacks you may encounter in the wild:

  • You may receive a phone call claiming to be from Amazon, saying that someone has hacked into your account and purchased an expensive item, or that your Prime subscription is due for renewal. The end goal with these calls is usually to get onto your computer and/or extort money.
  • Criminals may pose as your bank or another kind of financial institution, claiming that some kind of fraud has occurred and that the operative needs to move your money to a “safe” account. It’s not a safe account – it’s just not yours.
  • You might receive a call or recorded message claiming to be from a governmental department accusing you of a crime and requiring you to pay purported “fines” using gift cards. These scams may seem laughable, yet they’re scarily effective.

What is Smishing?

Smishing is basically where a social engineering attack takes place over SMS text or instant messaging apps, rather than email or a phone call. The goal is usually to gather confidential information or to elicit some kind of payment.

How Does Smishing Work?

Though many of us are aware of fraudulent emails, considerably fewer are aware that many of the same scams can occur by text. Older and more vulnerable people are less likely to have an email address but they will most likely have a mobile phone with texting capabilities. Sadly, this makes smishing a wellspring of fraudulent potential for criminals.

Though it feels like hackers would have more luck finding email addresses, it’s easier to generate potentially usable mobile numbers. In the UK, other than the “07” bit, you can tap in any sequence of numbers and have a chance of reaching someone. Therefore, hackers can send out blanket scam texts to countless numbers in one pass.

Smishing messages themselves generally purport to be from a household name brand and usually link to a URL designed to ape that brand’s official web address. During the pandemic, as people were shopping more online, hackers took to sending phony texts claiming to be from courier companies, asking for more information or payment in order for the recipient to receive a (spoiler alert: non-existent) package that was being held.

Other smishing attacks may pretend to be your bank, provide fake survey links, or promise fake giveaways or winnings.
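The lookalike links described above (a URL that apes a brand’s official address, as in the fake Amazon or PayPal login emails) can be checked mechanically. The following is an added example, not code from the original article: the allow-list of genuine domains is an assumption you would maintain yourself, and the sample messages and their `.example` hosts are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: an allow-list you maintain of each brand's genuine domains.
OFFICIAL_DOMAINS = {
    "amazon": {"amazon.co.uk", "amazon.com"},
    "paypal": {"paypal.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Fold digit-for-letter swaps and drop hyphens before looking for a brand name.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike:<brand>' or 'unknown' for one URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for domains in OFFICIAL_DOMAINS.values():
        # Genuine only if the host IS the domain or a subdomain of it.
        if any(host == d or host.endswith("." + d) for d in domains):
            return "official"
    folded = host.translate(FOLD)
    for brand in OFFICIAL_DOMAINS:
        # Brand name appears in the host, but the host is not the brand's.
        if brand in folded:
            return f"lookalike:{brand}"
    return "unknown"


def check_message(text: str) -> list[tuple[str, str]]:
    """Extract every http(s) link from a message and classify it."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return [(u, classify_url(u)) for u in urls]


# Constructed sample messages (the .example hosts are placeholders).
SAMPLES = [
    "Your Prime renewal failed. Log in now: "
    "https://amazon.co.uk.account-verify.example/login",
    "PayPal: unusual activity, confirm at http://paypa1-secure.example/confirm.",
    "Track your order at https://www.amazon.co.uk/gp/your-account/order-history",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        for url, verdict in check_message(msg):
            print(f"{verdict:18} {url}")
```

A verdict of `unknown` only means the host mentions none of the listed brands; it says nothing about whether the link is safe.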

What is Baiting?

Baiting is a social engineering attack that “baits” the victim with an attractive item, giveaway, or potential profit, only to scam them out of money, information, or both. It callously uses the victim’s own curiosity or greed against them.

Any scam that promises wealth, desirable property, or even a romantic relationship (called “catfishing” or “romance fraud”) in return for information and/or money can be considered a baiting attack.

How Do Baiting Attacks Work?

The wide scope of baiting attacks means they can take numerous different forms.

Some scams present themselves as a lottery or giveaway that requires you to enter some personal information (in reality, they are designed to steal personal data). Others may offer a free piece of software or a movie download (which can steal data and infect you with malware). And others still may just be an unassuming, lost-looking pen drive, waiting for you to plug it into your computer, which can then infect your device and others on the network. You could also argue that attacks that threaten some kind of loss (like a purportedly hacked Amazon account or a fake fine) are baiting attacks too. Psychologically, we are quite loss averse, so this can equally coerce victims into action.


What is Tailgating?

Tailgating is a kind of physical security attack that seeks to gain access to a restricted location. The attacker simply follows an authorised party to a locked door, lets them enter with their credentials, and catches the door before it closes behind them.

How Do Tailgating Attacks Work?

Tailgating may not immediately seem like a social engineering attack, but tailgating attacks can hinge on psychology in a handful of ways. Firstly, some people may not feel comfortable approaching and questioning a stranger hanging around on the premises, citing concerns about their personal safety or fearing a dressing down from a manager!

Secondly, many of us hold the door open for people behind us without thinking – even when we don’t know quite who they are. It just feels like the polite thing to do. In other situations, a bad actor may strike up a conversation with an employee during lunch or a smoking break and leverage that familiarity to follow them back into restricted areas.

So, unless you know who you are holding the door open for – be that physically or digitally – don’t do it.


Social engineering is a highly effective method of attack because it leans on the fallibility of human psychology and knowledge rather than the automatic, always-on nature of antivirus and firewall controls. However, there is one hugely powerful way of combating potential social engineering attacks: cyber-awareness training.

Enquire today about our cyber security awareness workshops which empower your team to stay safe from social engineering attacks, steer clear of WiFi nasties, maintain strong password policies, and much more! Find out more here and take the first step towards a cyber-secure future today!