Skip to content Skip to navigation Skip to footer

What is Social Engineering?

Social Engineering Definition

Social engineering refers to a wide range of attacks that leverage human interaction and emotions to manipulate the target. During the attack, the victim is fooled into giving away sensitive information or compromising security.

A social engineering attack typically takes multiple steps. The attacker will research the potential victim, gathering information about them and how they can use them to bypass security protocols or get information. Then the attacker does something to gain the target’s trust before finally manipulating them into divulging sensitive information or violating security policies.

How Does Social Engineering Work?

In this definition of social engineering, a social engineering attack begins with the attacker figuring out what they want from an organization or person. They then study the behavior or likes and dislikes of a human target to figure out how best to exploit them. Then the hacker will execute the attack, trying to gain access to sensitive data or secured networks or systems.

Human Behavior Misused for Committing Social Engineering Attacks

There are certain traits that are endemic to human behavior that social engineering cyberattacks seek to exploit.


People have a tendency to give more credibility to those they like than those they do not. To exploit this, a social engineering attacker may try to appear trustworthy, attractive, or like someone who shares similar interests.


have been given something. Social engineering attackers abuse this tendency by offering advice, something exclusive, or personalizing their offer to make the target feel obliged to give something back.


After someone commits to a course of action, they feel obligated to stick with their decision. An attacker using social engineering tools can exploit this by having the victim agree to small things before asking them for something bigger. They may also have them agree to an action before its risks are obvious.

Social Proof

People are far more likely to get behind a product if other people they trust have endorsed it. Attackers may use social networking to exploit the social proof concept by claiming that the victim’s online friends have already endorsed an action, product, or service.


People naturally tend to trust authorities more than those with less experience or expertise. Hence, an attacker may try to use phrases such as “according to experts” or “science proves” to convince a target to agree to something.

History of Social Engineering

Despite the existence of so many modern social engineering examples, the practice actually has a long history—dating back to the 18th century. 

French Noblemen

After the French Revolution, prisoners in France falsely claiming to be valets for French noblemen sent out letters that claimed they had hidden their master's vast treasure and would provide a map to help the recipient find it. In return for this “priceless” information, they would request a modest amount and hoped for a little preferential treatment. 

While computers were centuries from being invented, this kind of scam certainly fit the common social engineering definition.

European Nobleman

These kinds of early social engineering attacks continued with a similar prison-based scam involving someone incarcerated in Spain. 

The convicted would write a letter claiming to be a European nobleman who had been wrongly imprisoned. The bars not only kept him from freedom but also from his impoverished daughter, who needed him free to survive. The letter would ask the recipient for enough money to secure the prisoner’s release while promising a handsome payment—far more than what the recipient provided—as soon as the prisoner saw the light of day.

Nigerian Prince

What is social engineering today? 

As time passed, the technologies and text changed but the psychological manipulation did not—as could be seen in the Nigerian Prince scam. 

The social engineering toolkit for this scam simply involves an email account and some faked documents. Someone pretending to be a Nigerian prince claims there is money locked away that they cannot access without help. If the recipient gives them the cash they need to bribe officials or pay the fee needed to gain access to the funds, the “Prince” will share the loot with the recipient. Of course, there never is any money at all, and anything the target wires never gets returned.

Techniques of Social Engineering Attacks

1. Baiting

A baiting attack attempts to draw in a victim by promising something that appeals to their sense of curiosity or greed. This lures the target into installing or clicking on something that ends up putting malware, such as that used for pharming or spyware, onto their system.

2. Scareware

Scareware bombards a target with fake threats or false alarms in the hopes that their natural inclination to protect themselves or something they value drives them to taking the desired action. One of the more common types is using realistic-looking banners warning that their computer may be infected with a virus or some other kind of malware.

3. Pretexting

In an attack that uses pretexting, the attacker lies to the victim regarding their identity. After they have gained the target’s trust, they trick them into handing over sensitive information.

4. Phishing

In a phishing attack, the attacker creates a sense of urgency or appeals to the victim’s curiosity. They then either get them to click on a malicious link or provide private information via a form.

5. Spear Phishing

With a spear-phishing attack, the victim is specifically targeted, and the attacker often performs extensive research ahead of time. Once the attacker knows how to manipulate the victim, they launch the attack, phishing for information, credentials, or sensitive data.

6. Water Holing

With water holing, the attacker tries to compromise a targeted group of individuals by infecting sites they trust. The attacker may focus on sites that the people visit frequently, knowing they are likely to feel safe on those pages.

7. Quid Pro Quo

In a quid pro quo attack, the attacker pretends to provide something to the victim in exchange for information or a specific action. For example, the attacker may pretend to be someone from tech support and then convince the target to enter commands or download software that installs malware onto their system.

8. Honey Trap

With a honey trap attack, the social engineer assumes the identity of an attractive person. They then engage in a relationship with the victim online to try to get sensitive information from them.

9. Tailgating

Tailgating involves the attacker following someone with security clearance into a building. The target either trusts the tailgater or, out of courtesy, holds the door open for them.

10. Rogue

With a rogue attack, the victim is tricked into paying to have malware removed from their system. The malware is not taken off the system, but the victim still ends up paying the attacker.

11. Vishing

Vishing, short for voice phishing, uses a conversation over the phone to get financial or personal information from the target. They often hide their identity using spoofing, which changes their caller ID. As with other social engineering tactics, the attacker tries to gain the individual’s trust or uses fear to get them to divulge valuable information.

Well-known Examples of Social Engineering Attacks

Frank Abagnale is probably the most famous example of a social engineering attack. The book and movie Catch Me if You Can depict how Mr. Abagnale impersonated several people, including a doctor, a lawyer, and an airplane pilot to gain people’s trust and take advantage of them.

In 2011, an attacker penetrated the security company RSA by sending phishing emails to groups of employees. The emails had an Excel spreadsheet attached. The spreadsheet had malicious code embedded in it, which used a vulnerability in Adobe Flash to install a backdoor into the system. If the employees had not been socially engineered into opening the file, the attack would not have been successful. 

Phishing in a pandemic is also common, so users should always be on the lookout.

How To Identify Social Engineering Attacks

To spot a social engineering attack, look for the following signs:

  1. An emotional plea that leverages fear, curiosity, excitement, anger, sadness, or guilt
  2. A sense of urgency around the request
  3. An attempt to establish trust with the recipient

In short, anytime someone tries to get you to provide money or sensitive information through manipulation or coercion, you are being targeted with a social engineering attack.

Tips To Prevent Social Engineering Attacks

Safe Communication and Account Management Habits

Always be careful when communicating online, and never trust anyone whose identity you cannot confirm. Most importantly, never click on anything that looks suspicious, and never divulge sensitive information.

Never Click on Links in an Email or Message

Instead of clicking on a Uniform Resource Locator (URL), type it in manually in the address bar. Double-check the origin of all URLs before clicking on them, and if you cannot verify their legitimacy, avoid them.

Multi-factor Authentication (MFA)

Using more than a password to access an account can help prevent social engineers from breaching a system. This could include biometrics or temporary passwords sent through a text message.

Using Strong Passwords and a Password Manager

Your passwords should be both complex and unique, never repeated for more than one site or account. You can use a secure password manager to organize them and have them available when needed.

Be Cautious of Building Online-only Friendships

A relationship that does not include any in-person interaction or phone conversation can easily be used for social engineering in 2021. Beware of anyone who wants to interact solely online.

Safe Network Use Habits

Never Let Strangers Connect to Your Primary Wi-Fi Network

Allowing someone to access your primary Wi-Fi network leaves it open to eavesdropping. To prevent this, use a guest network for those who visit your office or home.

Use a VPN

A virtual private network (VPN) provides you with a secure, encrypted tunnel through which communications pass. Even if someone were to snoop on your communications, the VPN would encrypt the transmissions, rendering them useless for the attacker.

Keep All Network-connected Devices and Services Secure

While your Wi-Fi connections at and around the office are likely secured, as are your mobile devices, it is important to not neglect other devices such as infotainment systems in your car. Getting within these systems can help a social engineer further personalize their attack.

Safe Device Use Habits

Use Comprehensive Internet Security Software

Internet security software can protect your system from malware that gets implanted via a social engineering attack. Some security solutions can also track the source of the attack, which can be reported to authorities to aid in their investigation of the crime.

Do Not Ever Leave Your Devices Unsecured in Public

Your computer and mobile devices should always be locked up or securely on your person. This holds true whether you are in a public place or a semi-public environment like your job.

Keep All Software Updated

Software updates help ensure your applications are impervious to the newest kinds of attacks on the landscape. After an attack has been successful, the software’s design team may address the vulnerability in an update, so frequent updates provide you with the most up-to-date security.

Check for Known Data Breaches of Your Online Accounts

Some companies keep track of accounts that have been compromised by hackers. If your account information is on their list, take steps to secure it by changing your password or adding MFA.

Cyber threat assessment to know your vulnerabilities

Get the Facts About Your Network Security

Organizations need to continuously assess their networks against the evolving threats to identify security risks and network utilization.

Take an assessment Now to Know Your Vulnerabilities!

How Fortinet Can Help

Fortinet secure email gateway (SEG) solutions provide you with the ability to perform deep email scans to identify fraudulent emails that may contain threats. Fortinet SEGs also come with data leak prevention and give you the ability to archive messages and apply full encryption.

Also, the Fortinet FortiSandbox protects you from zero-day attacks by confining the actions of an infected program within a safe sandbox that keeps it from infecting other areas of your network. Even if a team member were to fall prey to a social engineering attack, the malware would not be allowed to spread beyond their workstation. It could then be studied to gather intelligence on the threat and discarded.

Additionally, with the FortiWeb web application firewall (WAF), known vulnerabilities existing in any of your web applications can be protected from attacks. This includes all of the OWASP Top 10 threats and more. FortiWeb can tell the difference between a harmless analogy and malicious activity, which makes it possible for benign bots to interact with your site while still keeping it secure from threats.


What is social engineering?

Social engineering refers to a wide range of attacks that leverage human interaction and emotions to manipulate the target. During the attack, the victim is fooled into giving away sensitive information or compromising security.

How does social engineering work?

A social engineering attack begins with the attacker figuring out what they want from an organization or person. They then study the behavior or likes and dislikes of a human target to figure out how best to exploit them. Then the hacker will execute the attack, trying to gain access to sensitive data or secured networks or systems.

What are the well-known examples of social engineering attacks?

Well-known examples of social engineering include Frank Abagnale and the attack on the security company RSA. Mr. Abagnale impersonated several people to defraud his victims, as depicted in the book and movie Catch Me if You Can. In the RSA attack, a malicious link embedded in an Excel email attachment was used to compromise the company’s system.