What is a social engineering attack?
Seen some scary headlines about a new “social engineering attack” doing the rounds but not sure what that actually means? Then you’re in the right place as we’ve created this guide to detail what the term means, and some quick tips on how to avoid falling victim to them.
The short version is that a social engineering attack is the point at which computer misuse combines with old-fashioned confidence trickery. Specifically, social engineering attacks are scams that exploit the most vulnerable part of any technical system: the user.
Social engineering attacks can be carried out via the web, email, phone, SMS or instant messaging, or in person. They rely on deceiving a user into believing that the bad actor is an honest representative of, for example, Amazon or Microsoft for long enough to give the bad actor their login credentials, access to their computer, or money.
Social engineering attacks can take place in real time, with someone actively speaking to you on the phone or physically present at your office; asynchronously, through an exchange of emails with a bad actor pretending to be someone they’re not; or as a passive trap delivered via an email, a website, or even a physical USB drive.
Examples of social engineering attacks
Phishing, in which a bad actor sends out messages, often by email, designed to look like they’re from a legitimate company, with the intention of getting you to hand over your login details or authorise a payment, is a common example of a social engineering attack. Phishers often do this by offering an irresistible, time-limited deal or threatening dire consequences (such as an imminent overpayment) to make the victim panic and rush to click through without thinking about what they’re doing.
Some attacks of this kind instead focus on getting malware onto a PC by convincing a user that it’s legitimate software. When Adobe Flash was still in use, we often saw malicious sites distributing malware in the guise of a Flash player download. Once the user has been tricked into installing it, the malware can spy on them, attempt to compromise their network, or abuse system resources to participate in botnets, send spam or mine cryptocurrency.
Tech support scams. Among the most popular are fake support calls pretending to be from Microsoft. An infamous example informed the user that they had a severe malware infection, “proving” this by having the user open Windows Event Viewer, a log viewer that shows numerous entirely benign errors and warnings that look intimidating to someone who doesn’t know what they’re looking at.
Some tech support scams use browser-freezing “screenlocker” web pop-ups to temporarily disable a victim’s computer and instruct them to call an “official support phone number”, functioning in a similar way to non-encrypting ransomware, which itself uses elements of social engineering.
“Scareware” is a related category, which often features online pop-ups warning you that your PC is infected with malware, along with a downloadable “anti-malware” tool that is itself malicious.
Targeted fake calls to or from a business’s IT support team, for example requesting login credentials or other sensitive information.
Physical social engineering attacks can rely on distraction or incongruity, such as Naomi Wu’s example of a scantily-clad penetration tester, videoing herself with a selfie stick and being thoroughly ignored as she waltzes past reception and security, or the opposite, blending into the background, for example by looking like you’re supposed to be somewhere by carrying a clipboard, walking purposefully and wearing hi-viz to gain access to a secure site.
Once into a supposedly secured site, the bad actor can access computers, keys or data to compromise their target. The “evil maid” attack Wu refers to in her video often involves actual staff of a business (archetypally a hotel) using their access to compromise their target’s electronic device, but this can also be done by an impostor.
Another physical attack, rather past its sell-by date but requiring no human interaction at all, is “baiting”. A malware-infested USB drive is left somewhere inviting, potentially labelled to encourage its finder to plug it into a PC and check it. Although we’re long past the days of Windows autorun files being allowed to run from removable media, a cleverly named program and readme file on the drive could still convince the right target to sabotage their own computer by running them.
Read our Security Guide for more tips on leading a safer online life.
K.G. Orphanides is a writer and developer whose areas of expertise include internet security, VPNs, Linux for the desktop, small-scale game development, software preservation and computer audio techno…
Founded in 2003, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.
Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.