Social Engineering Attacks on the Rise

Social engineering techniques are various cyberattacks in which threat actors manipulate people into supplying sensitive data, account credentials, or enabling access to secure networks or systems to get sensitive information. Office files comprise 48% of all malicious email attachments, and spear-phishing was used by 65% of malicious actors as the primary mode of attack.

In social engineering attacks, hackers pose as trusted officials, customer service staff, and bank workers to defraud unsuspecting victims of millions of dollars each year. Cybercrime and human hacker scams tend to trick unsuspecting users into divulging data, spreading malware infections, and granting access to restricted systems. The second type is more sophisticated and involves coercing users and cheating them in real-time through telephone scams.

What is a social engineering attack?

Social engineering is an attack that involves a form of psychological manipulation to lure users or employees into the release of confidential or sensitive data. Social engineering can include emails or other communications that cause urgency, anxiety, or similar emotions in victims, causing them to reveal sensitive information, click malicious links, or open malicious files. Social engineering attacks can be used to steal confidential information and data from employees. The most common forms of social engineering cyber attacks are done over the phone or email.

Other social engineering attacks include criminals posing as service personnel or technicians to gain unnoticed access to physical websites or businesses. Social engineers can be very cunning and use manipulative tactics to get their victims to reveal private and sensitive information. Concerningly, 56% of Americans don’t know what steps to take in the event of a data breach. 

Social Engineering Attack Statistics

According to Verizon’s 2019 Data Breach Investigations Report, 32% of breaches involved phishing. Your IT team works around the clock to implement and maintain cybersecurity defenses while the rest of your employees click on suspicious links and reply to phishing emails, putting your entire business at risk. 

The majority of cyber attacks begin with end-users. When an attacker compromises one device, like an employee’s laptop or tablet, they gain a valuable foothold into the entire network that can be exploited to launch further attacks on your organization. Awareness and education are some of the best ways to decrease risk. Read on to learn more about social engineering attacks and phishing scams.  

Types of Social Engineering Attacks

The most common types of social engineering attacks include: 





Water hole attacks


Spear Phishing


Phishing is a social engineering technique where attackers send fraudulent emails pretending to come from reputable and trustworthy sources. Social engineers trick their victims into providing private or sensitive information so they can access their social accounts, bank accounts or trick users into giving them money. According to the FBI, phishing was the most prevalent cybercrime in 2020, with 114,702 occurrences in 2019 and 241,324 incidents in 2020.

Vishing (Voice Phishing)

Vishing tries to dupe victims into handing over confidential information over phone calls. Cybercriminals may ask for bank account information, routing details, social security numbers, or other sensitive information over the phone while impersonating a legitimate organization. 

Smishing (SMS Phishing) 

Smishing is a type of cybercrime that employs SMS text messages to trick victims into sharing sensitive information with a cybercriminal. URLs may be inserted in a text message as a short link, enticing the user to click on the link, usually redirecting to a malicious site. This type of cyber attack has been present since the early 2000s. Still, it has become more common in recent years, thanks to an increase in the number of people working remotely and businesses communicating with consumers over text messages.

Watering Hole

Malicious code injection into the public Web pages of a site that the target uses is known as a watering hole attack. The attackers infiltrate websites in a particular industry that are often visited by targets for the assaults. The watering hole approach is not new, and cybercriminals and hackers utilize it frequently.


Pretexting is a form of social engineering attack in which individuals are deceived. For example, an attacker may email a respectable credit card business or financial institution asking for account details and suggesting a problem. 

The customer success manager at your bank claims to have critical account information and requests that you respond with your full name, date of birth, Social Security number, and account number so that they can verify your identity. If a user provides such account information in response, the attacker can exploit it to obtain access to the account.

Spear Phishing Attacks

Spear phishing is a type of cyber attack that precisely targets high-ranking individuals at a company and impersonates them hoping to gain money or information from subordinates at the company. 

How to spot Phishing Attacks?

The sender’s address is suspicious. The sender’s address might be a spoof of an honest company. By changing or deleting a few characters, cybercriminals may create an email address that looks quite similar to one from a respectable firm.

Signature and generic greetings. A generic greeting, such as “Dear Valued Customer” or “Sir/Ma’am,” as well as the absence of contact information in the signature block, are both red flags for phishing emails. In most cases, a legitimate organization will contact you by name and give their contact information.

Forged websites and URLs. If you hover your mouse over any links in the email body and the links do not match the text that appears when hovering over them, the link may be forged. Malicious websites may seem precisely like legitimate ones, but the URL may be misspelled or used differently.

Spelling and layout are essential. Other signs of a probable phishing effort include poor language and sentence structure, misspellings, and weird formatting. Customers’ correspondence is produced, verified, and proofread by committed employees at reputable organizations.

Suspicious connections. A frequent distribution technique for malware is an unsolicited email demanding that the recipient download and open an attachment. A cybercriminal may create a false feeling of urgency or importance to convince the target to download or open an attachment without first examining it.

Touchstone Security also offers bespoke cybersecurity awareness training provided by a senior-level CISO. Our staff has extensive experience providing cybersecurity and cybersecurity training to large organizations, including Fortune 100 companies and government entities. Live training can be custom-tailored to meet your needs and educate employees about crucial compliance requirements and industry-specific threats that your organization may face. 

We can help train your employees regarding their requirements under the NYDFS Cybersecurity Regulation, HIPAA Security Rule, and other cybersecurity compliance requirements. Request a free consultation to find out how we can help you achieve regulatory compliance, reduce risk, and give your employees the confidence they need to succeed at cybersecurity. Security awareness training can dramatically reduce the risk that you need Ransomware Removal or other malware removal services.