What is Social Engineering? Examples, Attack Techniques, and How To Prevent It

April 22, 2022

Social engineering is when cybercriminals exploit human psychology to gain a favorable result for themselves, like tricking people into providing their password. It is easier for criminals to exploit people’s instinctive tendency to trust than to find ways to hack devices or networks.

See 10 reasons why Graphus is better than other email security solutions. SEE THE LIST>>

What is social engineering?

The term social engineering, first used by French industrialist JC Van Marken in 1894, is a phenomenon of influencing people to take any action that may be against their best interest. It is the art and science of controlling the masses to comply with one’s wish.

What are examples of social engineering?

A threat actor may use social engineering to entice an employee into downloading a malicious file by convincing them that the file is an important, harmless document. During the COVID-19 pandemic, cybercriminals would get people to open malicious files by presenting them as COVID-19-related company policies. 

Social engineering can also be used to trick an employee into giving over their password when cybercriminals spoof messages from well-known brands like Microsoft that instruct the victim that their password needs to be changed because messages from big brands may be perceived as trustworthy.

Social engineering is used in business email compromise and conversation hijacking attacks by convincing the victim is someone the victim already has a business relationship with. This can be used to persuade the victim to transfer money to pay an invoice or give the bad guys sensitive data.

AI is the secret weapon you’re looking for to boost business email security. SEE WHY>>

What are social engineering attacks?

Social engineering attacks are any cyberattack that is based on psychological trickery. The psychological aspects, more than the technical aspects of the attack, are the gateway for significant damage, such as opening dodgy emails, handing over passwords and clicking on a suspicious link, are a few to mention. Social engineering is the catalyst for 93% of successful data breaches.

Types of Social Engineering Attacks

Social engineering attacks are carried out in a number of ways. Here are a few of the most popular tactics:


Phishing is the most common form of social engineering attack. A phishing message aims to persuade the recipient into taking a specific action that will serve the cybercriminal’s goals, like downloading a document that carries ransomware. Cybercriminals favor phishing because it is cheap, easy, versatile and effective – 97% of users can’t spot a sophisticated phishing message.

Spear Phishing

In spear phishing, the perpetrator engineers their message to be extremely appealing to a specific pool of victims. Messages are tailor-made based on things like education, job roles and contact details. A typical scenario may involve a bad actor trying to an impersonate IT consultant working for the victim’s company requesting a password change, thereby deceiving the employee into assuming it is an authentic message.


Like phishing and spear phishing, whaling is a digitally enabled fraud that uses social engineering techniques to craft phishing messages designed to target high-ranked or highly privileged employees in an organization. It often encourages the victim to perform secondary actions such as a wire transfer of funds.


Scareware has the same characteristics as malware and uses social engineering tactics to create confusion, shock and anxiety to manipulate users into buying or installing malicious software. A typical scenario of a scareware attack would include tricking the user into believing that their computer is infected with a virus, then suggesting the user buy/pay for antivirus software to remove it.

Learn how incident response planning boosts cyber resilience & security. GET THE EBOOK>>

Social engineering red flags

Social engineering attacks are increasing, and security teams must be on the lookout for potential attacks with the users on the last line of defense. However, the end-users must be responsible for monitoring their actions. Here are some red flags to watch for.

  • Password request – Unsolicited emails seeking personal information like passwords must be rejected and should be reported to the security team immediately.
  • Immediate assistance – Hackers can disguise themselves as technical support of an organization. If one did not request any assistance, consider any offers or requests as scams. 
  • Spam emails— Unsolicited bulk emailing can increase the risk of flooding the employee’s inbox with malicious links, potentially leading to a major phishing attack.
  • Text messages— Don’t fall for text message requests asking users to reply with temporary passwords received on their devices.

The road to security success begins with 5 Steps to Ransomware Readiness! GET IT>>

Social Engineering Prevention

  • Set spam filter to high –Click the spam filter feature in your email client to high, which will help stop more suspicious messages, but may cause a delay in communications.
  • When in doubt, change your password –  If an employee may have given away their password to a bad actor, an instant change in the password can help minimize the damage.
  • Incorporate two-factor or multi-factor authentication – Two-factor authentication (2FA) or multi-factor authentication (MFA) prevents 99.9% of cyberattacks.
  • Stay alert for unexpected messages. when in doubt, report a suspicious message to your administrator or supervisor.
  • Use a high-quality email security solution. Choosing advanced tools that use machine learning and artificial intelligence to detect suspicious activity keeps dangerous messages out of employee inboxes.

See how to avoid cybercriminal sharks in Phishing 101. DOWNLOAD IT>>

Prevent social engineering attacks with Graphus

Keeping up with a computer-based social engineering landscape can be daunting for businesses. New sophisticated forms of attack can easily outfox traditional phishing filters. Traditional security tools compare incoming messages to a checklist of possible trouble signs.

Powered by intelligent AI technology Graphus can detect and quarantine potential phishing attempts by learning the unique communication pattern of without interrupting the flow of traffic while catching 40% more phishing messages than a SEG or traditional/onboard email security. 

TrustGraph uses more than 50 separate data points to detect and analyze phishing attempts before sending them to their recipients—it never ceases to learn and is always on the lookout for new threat intelligence.

EmployeeShield adds a bright, noticeable box whenever there is a new line of communication— keeping employees vigilant whenever handling unknown messages. By marking a message authentic or malicious with one click, each employee can contribute to safeguarding business security.

Phish911 completes triple-layered protection by making it effortless for employees to report any suspicious messages to the administrator. Messages are instantly removed from everyone’s inbox anytime an employee reports suspicious activity to avoid further trouble.

Social engineering attacks can make a business go bankrupt in their wake— 60% of businesses never recover after a cyberattack. Our experts can show you why Graphus is this ideal solution to safeguard businesses against social engineering and other sophisticated cyberattacks.

Schedule a demo!

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.
Get a Demo of Graphus