For many users, cybersecurity attacks can feel depersonalized, coming from scripted code, automated malware, or distant bots. But social engineering attacks differ in one key aspect: they’re based on human interaction.
Rooted in psychological manipulation, social engineering attacks occur when attackers trick users into sharing sensitive security information. As cybersecurity becomes stronger, the different types of social engineering attacks allow bad actors to exploit something that firewalls can’t defend against: human weakness. According to a 2019 report, 99% of cyberattacks use social engineering techniques to trick users into installing malware. You’ve likely been the victim of one yourself, even if you didn’t realize it at the time.
There are many different types of social engineering attacks, but all of them exploit more than just a technical vulnerability. By targeting a human vulnerability, attackers gain victims’ trust and ultimately use it against them.
Here are some types of social engineering attacks commonly used by these bad actors:
- Phishing. The most popular of all social engineering attacks, phishing attacks use infected email attachments, text message campaigns, malicious links, and more to exploit human error, fear, and curiosity—spreading malware and harvesting victims’ personal information and credentials as a result.
- Baiting. Another common attack, baiting takes advantage of human greed—enticing victims online with free gifts, giveaways, and too-good-to-be-true promotions, or offline with infected flash drives or discs claiming to contain valuable information.
- Scareware. A form of malicious software that often appears as warning popups and banners (but can also occur as emails), scareware alerts victims that their security software is out of date or that malware has been detected on their device—and tricks them into engaging with infected materials.
- Pretexting. Pretexters tend to gain the trust of their victims by impersonating people of authority, and then pretend to “need” victims’ personal information or data for a specific purpose or task—resulting in the sharing of valuable private information.
- Vishing. A targeted social engineering attack, vishing is carried out by voice, most commonly over the phone. Prerecorded messages ask victims to input sensitive information through the phone dialpad, and that’s how the breach begins.
For more detailed descriptions of these tactics, visit “What is Social Engineering?”
Steps to social engineering prevention
Of course, all types of social engineering attacks are designed to trick you. If you do fall for a scam, you’re not alone. But there are proactive prevention measures you can take—starting with staying aware and alert.
Here are some social engineering prevention tactics:
- Don’t open suspicious messages. If you receive an email from a suspicious source, whether it’s someone you don’t know, or an acquaintance asking for something strange, it’s best not to open any links or attachments. In these situations, take steps to verify the source—and their motives—before engaging any further.
- Don’t skip cybersecurity software updates. It may seem simple, but many victims make this mistake. Be sure that automatic updates are enabled for any antivirus or antimalware software that you have on your devices, and check in regularly to ensure scans and updates are running smoothly.
- Don’t disregard multi-factor authentication. Though it may seem like a superfluous extra step, multi-factor authentication can make a measurable difference in protecting your account login credentials. If you haven’t enabled this feature, don’t wait any longer.
- Don’t be tricked by tempting offers. If an offer sounds too good to be true, it probably is. Always be on guard when you see enticing gifts or giveaways, and do your research on the topic before giving away any personal information. Often, an intriguing offer can quickly turn into a trap.
In the end, effective social engineering prevention starts with understanding what you’re up against, and the different types of social engineering out there. For more information, check out SiteLock’s “What is Social Engineering?” blog post.