Three Types of Social Engineering Attacks to Know

Share with your network!

Some of the most infamous data breaches in recent history were the direct result of social engineering, a type of attack where scammers gain a victim’s trust to trick them into granting access to sensitive information.

Social engineering attacks are so dangerous because they rely on the most vulnerable vector in organizations today: people.

Social engineers have the same goal as attackers, but they focus on tricking people rather than breaking into networks. Often, the easiest way for these criminals to gain the information they want is to simply ask for it.

Here are the three types of social engineering attacks cybercriminals use to compromise organizations. To learn more about how to stop them, check out our social engineering awareness training materials here.


Phishing scams and smishing (fake SMS/text messages) are socially engineered attacks that trick users online and over the phone into giving up sensitive information or money.

Email fraud is particularly dangerous because these socially engineered attacks are hard to detect with conventional cyberattacks. Many don’t have a payload, so there’s no attachment or URL for security tools to detect, analyse and sandbox.

Additionally, many social engineers rely on techniques like domain spoofing to frustrate any attempt to authenticate emails and verify the identity of the sender. Some lookalike domains may swap out characters, such as the numeral “0” for the letter “O”, an uppercase “I” for a lowercase “L”, or a “V” for a “U.” Others might insert additional characters, such as an “S” at the end of the domain name, that a casual viewer won’t easily notice.

There are countless combinations fraudsters can use to counterfeit trusted email domains. And unless your organization has registered them all, email authentication alone won’t stop them. To learn what it takes to implement a complete defence, download our guide to stopping email fraud here.


Not all types of social engineering attacks take place online. Some criminals prefer to launch their attack in person, visiting a location using a false identity, such as a contractor or even an employee.

These human interaction attacks attempt to gain access to files, the network, or other sensitive infrastructure.

The social engineer may gain trust and access into the workplace by appearing at an employee gathering spot or by approaching an employee claiming to have left their identification badge back at their desk or following behind another employee to gain access into the building.


Passive attacks take place when social engineers wait and watch. This passive technique is known as “shoulder surfing.”

They may watch you enter a PIN at an ATM, see your credit card number at a coffee shop or memorize usernames, passwords, and other sensitive information to gain access later.

A criminal can learn a lot just by perusing the dumpsters behind your workplace. Information such as invoices, telephone directories, confidential documents, printed emails, and much more sensitive information can be found. They can also find and use discarded computers or mobile devices to retrieve sensitive information.


Employee social engineering awareness training is the best defence against all engineering types of attacks. Proofpoint offers free resources to help you and your team fight them. Register for them here.