10 Social Engineering Attacks You Need to Know

social engineering attacks

Simply put — social engineering works. Ask any Threat Actor in the business. Social engineering was behind more than 95% of the attacks reported last year by Purplesec. Consequently, educating your staff on what it is and how to spot it is nothing less than critical. Here are the top 10 most common types of social engineering attacks you need to ensure your staff understands.


By far the most prevalent type of social engineering attack on the threat landscape these days and has been for some while, is typically done via phishing. The attack is carried out through spoofed email addresses and links to fool recipients into providing login credentials, credit card numbers or other personal information. Variations include:

  • Angler-Phishing – using spoofed customer service accounts on social media
  • Spear-Phishing – targeting specific businesses or individuals
  • Whaling – spoofing senior executive’s email addresses to initiate fraudulent financial


A social engineering attack is what lures victims into providing sensitive information or credentials by promising something of value for free in exchange. For instance, the victim receives an email that promises a free voucher if they click a link to take a survey and then the link redirects them to a spoofed Office 365 login page that captures credentials.


Smishing — or “SMS phishing”— is phishing via SMS (text messages). The victim of a typical smishing attack receives a text message, purportedly from a trusted source, that requests their personal information. It can be a problem for organisations that embrace texting as a primary method of communication. They are also used to spoof multi-factor authentication requests by redirecting recipients to bogus websites that collect their credentials or install malware on their phones.


Vishing — or “voice phishing” — is phishing via phone call. Vishing scams commonly use Voice over IP (VoIP) technology. Similar to other types of phishing attacks, the victim of a vishing attack receives a call or a voicemail from the Threat Actor pretending to be a trusted person who requests for their personal details such as credit card or login details.

Watering Hole

In a watering hole attack, the Threat Actor infects a legitimate commercial website that their targets are known to use. When the victim logs into the website, the Threat Actor captures their credentials and uses them to breach the victim’s network or installs a backdoor trojan to access, to achieve the same ends.


This is a more sophisticated type of social engineering attack where the Threat Actor creates a believable “pretext” or fabricated scenario such as – pretending to be from the HMRC and requesting the victims’ personal or financial details. In this type of attack, a Threat Actor can also attempt to physically acquire access to a victim’s computer by pretending to be someone from the IT Department, a vendor or a delivery person.


Piggybacking is a social engineering tactic where the Threat Actor physically follows a staff member into a secure or restricted area – ‘piggybacking’ on their access. Threat Actors will pretend to forget their access card or engage the targeted staff member in an animated conversation as they both pass the physical control to cover their bypassing the authorisation method.


Scareware is a form of social engineering where the Threat Actor inserts malware into a webpage that insets a “scary” flashy, animated pop-up window to appear. The pop-ups state a virus has been downloaded to the victim’s device, and they are to download their security software to remove it. The download installs malware on the targeted device.


In this type of social engineering attack, the Threat Actor obtains sensitive data by tricking the victim into sending it to (or sharing it) with the wrong person. Threat Actors do this by spoofing the email address of someone in the victim’s business or someone they do business with, such as a financial service provider.

Honey Trap

This attack comes in many forms but is essentially when the Threat Actor pretends to be romantically or sexually interested in the victim and lures them into an online relationship. The

attacker then persuades the victim to reveal confidential information or pay them large sums of money. It happens more than we cite in our industry, and it often goes unreported due to the embarrassing nature of the trap.

There you have it. The 10 most reported types of social engineering attacks.

Ensure your staff is prepared for Social Engineering Attacks

If you need more information or some help with educating your staff, get in touch. Staff awareness training is what we do.

Staff Awareness Courses            Social Engineering Testing          Contact the Crew

Risk Crew