Social Engineering (in cybersecurity)

Social engineering describes a range of non-technical attack techniques that are used by cybercriminals to manipulate users into overriding security or other business process protocols, performing harmful actions or giving up sensitive information.

How does social engineering work?

Most social engineering techniques do not require any technical skills on the part of the attacker, meaning that anyone from small-time thieves to the most sophisticated attackers can operate in this space.

There are many techniques that fall under the umbrella term of social engineering in cybersecurity. Among the most well-known are spam and phishing:

Spam is any form of unsolicited communication sent in bulk. Most often it is email sent to as many addresses as possible, but it can also arrive via instant messaging, SMS and social media. Spam is not social engineering in itself, but many spam campaigns carry social engineering payloads: phishing, spearphishing, vishing (voice), smishing (SMS), or malicious attachments and links.

Phishing is a form of cyberattack in which the criminal impersonates a trustworthy entity to request sensitive information from the victim. These attacks usually try to create a sense of urgency, or use scare tactics, to coerce the victim into complying with the attacker's request. Phishing campaigns can target large numbers of anonymous users, or a specific person or group (spearphishing).

Why should SMBs care about social engineering?

SMBs are increasingly aware that they are targets for cybercriminals, according to a 2019 survey conducted by Zogby Analytics on behalf of the US National Cyber Security Alliance: 88 percent of small businesses believe they are at least a "somewhat likely" target, including almost half (46%) who believe they are a "very likely" target. The concern is justified: almost half (44%) of companies with 251-500 employees said they had experienced a data breach within the past 12 months.

The damage is real and extensive, a point well illustrated by the annual report of the FBI's Internet Crime Complaint Center (IC3). In 2018 alone, losses reported to the IC3 exceeded $2.7 billion, including $1.2 billion attributed to business email compromise (BEC) and email account compromise (EAC), schemes in which attackers talk staff into making unauthorized transfers of funds.

How to recognize a social engineering attack?

There are several red flags that can signal a social engineering attack. Poor grammar and spelling are one giveaway. So is a heightened sense of urgency that seeks to prompt the recipient to act without thinking. Any request for sensitive data should immediately ring alarm bells: reputable companies do not normally ask for passwords or personal data via email or text message.

Some of the red flags that point to social engineering:

1. Poor grammar and spelling.
2. Pressure to act immediately, usually backed by a threat (account suspension, missed payment, legal action).
3. A request for passwords, payment details or other sensitive data.
4. A sender, reply address or link that does not match the organization the message claims to come from.
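The checks above can be applied mechanically to inbound mail before a human ever sees it. The following Python is an added example written for this page, not ESET code or part of any ESET product: it parses a raw email, scores it against the red flags listed above plus two header-level checks a mail gateway would add (sender domain impersonating a trusted brand, Reply-To pointing at a different domain than From), and inspects HTML links for visible text that names one site while the href goes somewhere else. The trusted domain `acme-bank.example`, the keyword lists and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own and trusted-partner mail domains. A sender
# that borrows their brand name from any other domain is treated as a lookalike.
TRUSTED_DOMAINS = {"acme-bank.example"}

URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "will be suspended", "final notice")
SENSITIVE_TERMS = ("password", "verify your account", "confirm your login", "wire transfer", "gift card")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(value):
    """Hostname of a URL or bare domain string, or None if it is not one."""
    value = value.strip()
    if "://" not in value:
        if not re.match(r"^[\w.-]+\.[a-z]{2,}(?:[/:]|$)", value, re.I):
            return None
        value = "http://" + value
    return (urlparse(value).hostname or "").lower() or None


def registrable(host):
    """Last two labels of a hostname (crude stand-in for a public-suffix lookup)."""
    return ".".join(host.split(".")[-2:])


def red_flags(raw_message):
    """Return the social-engineering red flags found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []

    # 1. Sender: brand name in the display name or domain, but not a trusted domain.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    claimed = display_name.lower().replace(" ", "-")
    if from_domain not in TRUSTED_DOMAINS and any(b in from_domain or b in claimed for b in brands):
        flags.append(f"sender claims a trusted brand but mails from {from_domain}")

    # 2. Replies silently redirected to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append("Reply-To points at a different domain than From")

    # 3./4. Urgency and requests for sensitive data, in subject or body.
    html = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    text = (msg.get("Subject", "") + "\n" + TAG_RE.sub(" ", html)).lower()
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency or scare language")
    if any(term in text for term in SENSITIVE_TERMS):
        flags.append("asks for credentials, payment or other sensitive data")

    # 5. Links whose visible text names one site while the href goes elsewhere.
    for href, label in ANCHOR_RE.findall(html):
        href_host = host_of(href) or ""
        label_host = host_of(TAG_RE.sub("", label))
        if IPV4_RE.fullmatch(href_host):
            flags.append(f"link points at a raw IP address ({href_host})")
        if label_host and href_host and registrable(label_host) != registrable(href_host):
            flags.append(f"link text shows {label_host} but points to {href_host}")
    return flags


# Constructed sample messages (not real mail).
PHISH = """\
From: "Acme Bank Security" <alerts@acme-bank-verify.example.net>
Reply-To: recovery@mailcheck.example.org
To: jane@acme-bank.example
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<p>Dear customer,</p>
<p>Unusual sign-in detected. Confirm your login and password immediately at
<a href="http://198.51.100.7/login">https://acme-bank.example/login</a>
or your account will be suspended.</p>
"""

LEGIT = """\
From: "Acme Bank Payroll" <payroll@acme-bank.example>
To: jane@acme-bank.example
Subject: Q3 timesheets due Friday
Content-Type: text/plain; charset=utf-8

Hi all, please submit your Q3 timesheets in the HR portal by Friday. Thanks!
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, red_flags(sample))
```

None of these checks is conclusive on its own (legitimate password-reset mail also says "password" and "immediately"), which is why a gateway scores and quarantines rather than blocks on a single hit, and why the human-facing red flags still need to be taught alongside the filter.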

5 ways to protect your organization from social engineering attacks

1. Regular cybersecurity training of ALL employees, including top management and IT personnel. Remember that such training should show or simulate real-life scenarios. Learning points must be actionable and, most of all, actively tested outside the training room: social engineering techniques rely on the low cybersecurity awareness of their targets.

2. Scan for weak or reused passwords, which can become an open door into your organization's network. Then add another layer of security by implementing multi-factor authentication, so that a password obtained by phishing is not on its own enough to log in.

3. Implement technical solutions to tackle scam communications so that spam and phishing messages are detected, quarantined, neutralized and deleted. Security solutions, including many that ESET provides, have some or all of these capabilities.

4. Create understandable security policies that employees can use and that help them to identify what steps they need to take when they encounter social engineering.

5. Use a security solution and administrative tools, such as ESET Cloud Administrator, to protect your organization’s endpoints and networks by giving administrators full visibility and the ability to detect and mitigate potential threats in the network.
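Step 2 above, scanning for weak passwords, is the one control in this list that reduces directly to code. The following Python is an added example for this page, not ESET code: it audits a set of constructed credentials against simple policy rules (length, organization name, user name, a year, letters only) and against a breach corpus using the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords service popularized, where only the first five hex characters of the SHA-1 hash leave the client. The `RANGE_RESPONSES` table is a constructed stand-in for that service's response; only the suffix for "password" is a genuine hash. `ORG_NAME`, `MIN_LENGTH` and the three sample accounts are assumptions, and the example assumes plaintext candidates are available (as they are at password-change time); auditing an existing directory would instead compare exported hashes against a wordlist.

```python
import hashlib
import re

# Assumptions for this example: the organisation's name (used to catch
# "Acme2019!"-style passwords) and the minimum length its policy requires.
ORG_NAME = "acme"
MIN_LENGTH = 12

# Constructed stand-in for a Have I Been Pwned "range" response for the SHA-1
# prefix 5BAA6. The real API returns every breached suffix sharing the first five
# hex characters, so the full hash never leaves the client (k-anonymity). Only
# the first line is a genuine suffix (SHA-1 of "password"); the rest are filler.
RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"
        "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:17\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, lookup=RANGE_RESPONSES.get):
    """How many times the password appears in the (stand-in) breach corpus.
    `lookup` takes a 5-char prefix and returns the range response text."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in (lookup(prefix) or "").splitlines():
        hash_suffix, _, count = line.partition(":")
        if hash_suffix == suffix:
            return int(count)
    return 0


def policy_problems(username, password):
    """List every reason this password fails the (assumed) policy."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if ORG_NAME in lowered:
        problems.append("contains the organisation name")
    if username.lower() in lowered:
        problems.append("contains the user name")
    if re.search(r"(?:19|20)\d{2}", password):
        problems.append("contains a year")
    if lowered.isalpha():
        problems.append("letters only")
    hits = breach_count(password)
    if hits:
        problems.append(f"appears {hits} times in known breaches")
    return problems


def audit(credentials):
    """Map each account to its list of problems (empty list = passes)."""
    return {user: policy_problems(user, pw) for user, pw in credentials.items()}


# Constructed sample accounts, not real credentials.
SAMPLE_CREDENTIALS = {
    "jane": "password",
    "bob": "Acme2019!",
    "dana": "correct horse battery staple",
}

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_CREDENTIALS).items():
        print(user, "OK" if not problems else "; ".join(problems))
```

To run this against the live service, replace the `lookup` argument with a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` and returns the response body; the comparison logic stays the same, and the service never learns the full hash. A breached or policy-failing password should trigger a forced change, and MFA should be required regardless of audit results, because the audit catches weak passwords but not a strong one handed over to a phisher.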

Combat social engineering now

Protect your organization against social engineering by using ESET multi-layered endpoint security solutions, including LiveGrid® protection via the cloud and network attack protection, and ESET Cloud Administrator, to give your admins full, detailed network visibility, 24/7.
