The Ultimate Guide to Social Engineering Attacks (And How to Prevent Them)

Katrina Power

April 11, 2016

When one thinks of technological vulnerabilities and methods of intrusion, their thoughts usually veer towards malware, redirects, spam, Trojans, and other frightening things that go bump in the night.

You’d be surprised to learn, then, that the top hacking threat facing internet users today is not a computer-based attack at all.

It’s human interaction.

Known in our circles as social engineering, it is the art and science of exploiting human elements to gain access to sensitive information and other unauthorized resources.

Unlike typical attackers—who primarily use programs, coding, and technological know-how to penetrate a target—social hackers use psychological tricks and techniques to get what they want.


You should be.

But don’t fret. We’re here to help, with our handy list of the most common techniques that social engineers use to steal YOUR private details.


Dumpster Diving

Pretexting

Tailgating

Shoulder Surfing

Baiting

Making copies of legitimate websites…

…and of IVR systems (AKA “Vishing”)

Phone Calls

Phishing

Spear-phishing (and corporate whaling)

Quid pro quo

Diversion theft

Targeting tools


Take note of anything out of the ordinary

Avoid falling into patterns of behavior

User awareness training

Keep up-to-date

Physical security controls

Social engineering penetration tests

Enable all social media privacy settings

Be email smart

Reduce your digital footprint

Anonymize your data

Lock your screens

Use your head


Dumpster diving

Dumpster diving may seem to be a thing straight out of the movies, but it’s a tool still widely used by social engineers looking to launch attacks on computer networks.

It’s one of the oldest tricks in the book for a reason: It works.

While some safety-conscious companies still make the use of paper shredders (remember those?) in their offices mandatory, the vast majority of people are tossing valuable pieces of information into the trash whole.

We’re not just talking about the access code you absentmindedly jotted down on a sticky note here.

Seemingly unimportant things like business calendars, phone lists, day planners, and the like are veritable treasures to a social engineer, who’ll use these pieces of information in their efforts to breach the network.

Pretexting

Pretexting is the practice of presenting oneself as someone else with the goal of something naughty like information theft or industrial espionage.

In pretexting, social engineers will assume a new identity or role that they can play convincingly enough to be trusted by their target. In gaining trust, they can quickly gain access to buildings, departments, information systems, and more.

While it seems farfetched, finding out which type of person would be considered trustworthy by a target is embarrassingly simple in this day and age.

All a social engineer has to do is take a glance at someone’s Facebook or LinkedIn profile and they’ll find valuable nuggets of information such as birthdate, birthplace, place of employment, job position, relationship status, names of relatives…

Need we go on?

A new coworker you haven’t met yet. A prospective employee in for a job interview. A fellow alumnus from good old State University. Your wife’s brother’s second cousin.

These are only a fraction of the roles that social engineers can play convincingly enough to make their target comfortable enough to reveal information that they’d typically have on lock.

Tailgating

Also known as piggybacking, this is when a social engineer bypasses the physical security controls of a building based on someone else’s authentication.

Social engineers can employ this tactic in a number of ways, the two most common being posing as a delivery person and posing as a fellow employee.

In a delivery person’s uniform, all the social engineer has to do is walk to the entrance carrying a heavy box and kindly ask an authorized employee to open the door for them. Because people are not naturally jerks, more often than not they will give the engineer a helping hand and let them in.

Should the company be big enough, a social engineer could also dress up as an employee, walk on up to a group smoking outside, offer a light and small talk, and then walk into the building with the rest once their break is over.

But these are not the only masks that social engineers can wear. Repair people, post people, fire marshals, police… There’s no end to the number of authority figures that they can impersonate.

Shoulder surfing

This method is largely self-explanatory.

Using sneaky techniques such as looking over someone’s shoulder, a social hacker directly observes someone without their knowledge to retrieve sensitive information.

This technique goes hand-in-hand with pretexting and tailgating, as once in a workspace a social hacker can easily peer at your keyboard while you’re entering your login information.

That said, it is also an incredibly effective tactic in public spaces. If you are in a crowded place or simply being careless, a social engineer can easily take a glance at the information you’re writing on a form, or the PIN code you’re entering into an ATM.

Baiting

Curiosity killed the cat. Or in this case, infected its computer with information-stealing malware.

This tactic involves little work for the crafty social engineer. All they do is drop USB sticks (the “bait”) around their target company—either in the entrance or inside the offices, should they have gained access—and human nature will take its course.

More often than not, an inquisitive employee will stick the USB drive into a company computer. Should they click on or install any of the files therein—which are usually Trojans, spyware, or other types of malware under the guise of enticing names such as “Employee Salaries 2016”—they’ll release a virus into the network that’ll spread, collect private details and information, and e-mail that information back to the social engineer.

Don’t believe that professionals would fall for such a simple trick? Think again.

Making copies of legitimate websites…

Riffing on existing trust is easier than gradually building it up.

That’s why creating spoof websites—websites that are clones of the real deal—for trusted organizations is such a popular and effective technique for tech-savvy social engineers to employ.

There are usually some giveaways to the fact you’re browsing a fake, such as a slightly different URL or lack of a secure connection (“HTTPS”).

Unfortunately, some people fail to notice these small but deadly details until it’s too late.

…and of IVR systems! (AKA “Vishing”)

IVR (interactive voice response) systems are a necessary evil, used by the likes of banks, governments, and other institutions that experience high call volumes.

Sure, they’re infuriating.

But people trust them.

Have you ever taken a second to check the validity of the IVR number you’re on the line with before entering sensitive information, such as passwords and credit card numbers?

We guess the answer is “No.”

People trust IVRs so wholly and so blindly that they’re the perfect tool for social engineers to steal sensitive information. All they have to do is create a legitimate-sounding copy of a trusted organization’s IVR system, and presto!

Phone calls

Using details that they found through shoulder surfing, pretexting, or plain old research, social engineers can ring up their target company’s helpdesk and convincingly pose as an employee, computer technician, or the like.

Given that the helpdesk’s aim is to give, well, help, personnel who are convinced by the social engineer’s charade are more than likely to provide them with the exact details they’re looking for.

Phishing

A tactic anyone who has the faintest idea about information security is familiar with, phishing is a social engineering favorite.

Posing as a trusted individual or organization, social engineers will send out emails or create websites that solicit private information, such as social security numbers, addresses, and bank details.

While some are embarrassingly easy to spot—everyone’s received that email from a stranded friend in need of a money wire or a suspiciously in-depth donation form—when authentic logos and details are used, phishing scams can be very convincing indeed.

While the most common forms of phishing used by fraudsters are posing as credit card companies or popular sites like eBay, they also tend to take advantage of current events including epidemics, natural disasters, political elections, and holidays.

Spear-phishing (and corporate whaling)

Riding on the coattails of phishing, spear-phishing is the direct targeting of a particular person, rather than of an entire company.

Corporate whaling, meanwhile, is a spear-phishing attack on lucrative targets such as chief executives, government personnel, senior management, and other people in high-level positions.

Corporate whaling is an especially dangerous form of phishing because the social engineering techniques used tend to be more stealthy and sophisticated, which heightens their chance of success.

Should the credentials or access codes of such important figures be acquired, the company’s whole network would be compromised.

Quid pro quo

“Quid pro quo” literally means “something for something”, in that a social engineer will give something to an unsuspecting victim in exchange for sensitive information.

The most common tactic for this is to pose as IT support and spam the target organization(s) with phone calls until they come across a worker who has an actual IT problem. Under the instruction of the social engineer, the worker is susceptible to giving away access codes, disabling vital programs, and installing malware parading as a software update.

Another tactic that is embarrassingly effective is posing as a survey taker. Sad to report, but workers have been known to go as far as giving away important passwords in exchange for something as lame as a cheap pen.

Diversion theft

Diversion theft is an old social engineering attack that consists of duping couriers or other transport and delivery services into delivering a letter or package to a location other than its intended destination.

The tactic can also be used digitally, in that a social engineer can cleverly convince someone to send emails originally intended for their target to them instead.

Whether the delivery was made in person or over the internet, once it is in the social engineer’s hands, they can harvest the desired contents or information from it with their target none the wiser—until it’s too late.

Targeting tools

As technology evolves and advances, more and more tools specifically designed (or which could be easily used) for malicious intent are being developed.

There is no shortage of software and targeting tools that a social engineer can use to find out information about their target, whether that information is to be used for impersonation, diversion theft, phishing, or the like.

CUPP, CeWL, Shodan, Scythe, Creepy, and Harvester are only a few available out there, and absolutely anyone can download and use them.


While there is no software to prevent social engineering attacks, there are ways to reduce the likelihood of them occurring.

Always stay a step ahead of would-be hackers by practicing the following:

Take note of anything out of the ordinary

If something seems suspicious or out of place, it could be indicative of something more sinister.

See an unfamiliar person poking around the office? Ask to see their pass. Received an email from your boss in which they sound oddly unlike themselves? Report it. Received an unsolicited phone call from tech support, asking for passwords or other private information? Hang up and double-check their number online.

You won’t regret it.

Avoid falling into patterns of behavior

There’s danger in being a creature of habit. If your daily pattern is predictable, it is easier for social engineers to figure out your schedule and plan their ploys around it.

We suggest switching up your routine now and again, as it’ll make you a much more elusive target.

User awareness training

Knowledge is power—and the number one way to ward off social manipulation.

Build a human firewall by making user awareness training mandatory for both existing and incoming employees. Teach them what social engineering is and the most common modes of manipulation that exist, and put a protocol in place should such an attack be suspected.

Keep up-to-date

Social engineering has existed for thousands of years, and only continues to evolve. With every new technological advance and new social media application, there’s a new hacking tool at the social engineer’s disposal.

Make a point of keeping up to date and familiarizing yourself with the newest known tricks and techniques. The more you’re on top of things, the less the chance that you’ll fall for a scheme.

Physical security controls

Putting sufficient security into place in high-risk areas, such as dumpsters or smoking areas, can drastically reduce the likelihood of your company falling prey to social engineering attacks such as dumpster diving, tailgating, and impersonation.

Consider putting fences around company dumpsters and hiring security people to man building entrances and exits. Also, set up an access badge and card reader system for employees if you have not done so already.

Social engineering penetration tests

You have fire alarms to test employees’ abilities to exit the building quickly in case of an emergency. So what’s keeping you from having the same in the event of a social engineering attack?

Test your company’s ability to combat social hacking by hiring a white hat social hacker to implement a penetration test.

Once the attack is complete, you’ll have an up-to-date assessment of your company’s ability to combat social manipulation.

Enable all social media privacy settings

If you’ve got an account on Facebook, Twitter, LinkedIn, Snapchat, or any other social media platform, don’t make your identity a free-for-all—lock it up! Not only will you be protecting yourself, but you’ll be protecting your company, colleagues, and loved ones as well.

Be email smart

Be critical of every email that pops into your inbox.

If you receive an unsolicited email that is asking for sensitive information, verify the source to make sure it’s actually the institution that it claims to be, and not just someone going phishing.

Also, never, ever click on an embedded link, or download an email attachment from an unknown sender. Information-stealing software could very well be lurking beneath!
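One way to automate the two giveaways named earlier for spoofed sites (a slightly different URL and a missing HTTPS connection) when vetting links in an unsolicited email, as an added example that is not part of the original article. The trusted-domain allowlist and sample links are constructed, and the digit-to-letter confusable map and the two-label domain split are simplifying assumptions.

```python
"""Flag links whose host only looks like a trusted domain, or that lack HTTPS.

Added example, not code from the original article. The trusted-domain list
and the sample links are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist: domains the reader genuinely deals with.
TRUSTED = {"example-bank.com", "ebay.com"}

# Digits commonly swapped in for the letters they resemble (assumed mapping).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname (naive: ignores multi-part public suffixes)."""
    return ".".join(host.split(".")[-2:])


def check_link(url: str) -> list[str]:
    """Return the reasons a link deserves suspicion; an empty list means none found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("no HTTPS")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode hostname (possible homoglyph attack)")
    base = registrable(host)
    if base in TRUSTED:
        return reasons  # the real domain; only the scheme finding (if any) stands
    for trusted in TRUSTED:
        if trusted in host:
            # e.g. ebay.com.login-check.net: a trusted name buried in a stranger's domain
            reasons.append(f"{trusted!r} embedded in unrelated domain {base!r}")
        elif edit_distance(base.translate(CONFUSABLES), trusted) <= 1:
            reasons.append(f"{base!r} is within one edit of trusted {trusted!r}")
    return reasons
```

Run check_link over every link in a message: https://www.ebay.com/signin passes clean, while http://ebay.com.login-check.net/ is flagged twice (no HTTPS, and a trusted name embedded in an unrelated domain).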

Reduce your digital footprint

Your digital footprint is the data that you leave behind whenever you do something on the internet, such as sending an email, uploading a photo, posting on a social media account, or updating your blog.

Once made, you can never erase a digital footprint completely.

Lighten the step you leave by limiting the information that you share online. A scarcity of information makes it more difficult for social engineers to follow your tracks.

Removing telling photos and posts, limiting authorized access to your private information, minimizing your visibility on social media and other websites, and moderating comments made to your public profiles are all good ways to reduce your digital footprint.

Anonymize your data

After cleaning up your digital paper trail, secure your future internet surfing by enabling the privacy features on your browser and making a point to clear cookies every now and again.

You can take your online security up another notch by signing up for a VPN service. While it won’t make you completely anonymous, it will get you really close to it!

Lock your screens

Computers, smartphones, tablets, and most other technological devices have the option to be password-protected. Take advantage of this!

In case your device is lost or stolen, set it to lock its screen whenever it is left unattended or not in use. If its data is inaccessible, it’ll be nothing more than a fancy paperweight to a social hacker.

Double up your security by giving a unique password to each device, and by avoiding using obvious numerical codes like your birthdate or “1234”. (Seriously, don’t be one of those people.)

Use your head

Skepticism and common sense are two of the biggest defenses people can have against social engineering attacks.

If something seems odd or too good to be true, don’t even second-guess it.

Do something about it.

Social Engineering Guide Conclusion

Social engineering seems like something straight out of Hollywood, causing it to be largely undervalued by security teams. This is a huge mistake, as it is very much real, as well as one of the most pressing threats facing the privacy of organizations and individuals today. Becoming familiar with the most common tactics and taking all the necessary preventative measures—as are outlined in this guide—will drastically reduce the chances of you or your business becoming victimized.
