
What Is Social Engineering and How to Prevent It

In any security chain, humans are generally the weakest link. While machines can be tricked, people are susceptible to falling for all kinds of manipulative tactics. These tactics are referred to as social engineering, and hackers have developed many types of social engineering attacks to gain access to private information and steal data, money, and more. Thankfully, strong security software like Avast One features built-in protections to help you avoid falling victim to social engineering tricks.


What is social engineering?

The definition of social engineering covers various types of psychological manipulation. Sometimes, social engineering can lead to positive outcomes, like in the case of promoting healthy behavior. In terms of information security, however, social engineering is often used solely for the attacker’s benefit. In these cases, social engineering involves manipulation to obtain sensitive information, such as personal or financial information. So, social engineering can also be defined as a type of cybercrime.


How does social engineering work?

Social engineering works by taking advantage of people’s cognitive biases, or “bugs in the human hardware.” And unfortunately for humans, there are a lot of cognitive biases that unsavory characters can exploit to their advantage, snatching victims' personal or financial information right from under their noses. For instance, the human tendency to trust people we perceive as likeable, attractive, or as authority figures can be used against us in social engineering attacks.

And social engineering techniques exploit this tendency toward trust. In 2018, vacation rental phishing scams, in which hackers impersonated landlords offering real vacation listings, were common enough that the US Federal Trade Commission issued a warning about them. In many cases, real landlords’ contact information and emails were hacked, leaving little reason for victims to think that they weren’t discussing a rental with the actual owner.

Why is social engineering so dangerous?

There is something particularly insidious about the manipulative tactics of social engineering. Often, victims of social engineering do not even realize they’re being manipulated until it’s too late, and the thief has already gotten access to the sensitive data they were looking for. While cognitive biases may have adaptive purposes, they can certainly be used against us. Social engineering attacks trawl for users’ private information, and that can lead to identity theft, identity fraud, extortion, and more.


And it’s not just your finances that are at stake — sometimes victims’ credit scores and online reputations tumble, and the debt in their name can skyrocket. While such situations are reversible, it can take weeks and endless back-and-forths with companies and authorities to clear your name. Using antivirus software can help, but it doesn’t make your brain hack-proof. The best way to ward off social engineering attacks is to learn to recognize them when you see them, and to avoid them as much as possible.

If you think you’ve fallen victim to a social engineering attack and someone has accessed your personal information, Avast BreachGuard can help. BreachGuard scans the dark web to check if your personal information has leaked, and it will guide you in how to respond if it has.

And if your info finds its way onto data broker databases, Avast BreachGuard will help you remove it and assess your security protocols to ensure it doesn’t happen again. Don’t become a victim of social engineering attacks — get BreachGuard today and start shoring up your digital defenses immediately.

What do social engineering attacks look like?

Have you ever been socially engineered? You may not have noticed, because social engineering attacks take on many different forms. In the context of information security, social engineering attacks often appear as an email, text, or voice message from a seemingly innocuous source. You might think you can spot a suspicious email on your own, but attackers have gotten much more sophisticated with their delivery.

Some famous social engineering attacks include the 2014 cyberattack on Sony Pictures, the 2016 email hack of the Democratic Party in the US, and the 2017 hack of the Ethereum Classic cryptocurrency, where hackers impersonated the owner of Classic Ether Wallet and stole thousands of dollars in cryptocurrency.

More recently, Twitter became the site of social engineering attacks where the accounts of Barack Obama, Bill Gates, Elon Musk, and others were hacked in an attempt to solicit Bitcoin from their followers. These cases show that even organizations and individuals that should have sophisticated defenses against cyberattacks can fall victim to social engineering.

Social engineering online

Social engineering can happen in person, over the phone, or online. These days, social engineering happens frequently online, often through email attacks or even in social media scams in which attackers pose as a trusted contact or authority figure to manipulate people into exposing their confidential information.

Counter to what the term "engineering" implies, social engineers don’t need to have strong technical skills. In fact, social engineering over social media can be as easy as setting up an account, because it doesn’t involve hacking machines as much as hacking people, tricking them into revealing the information that hackers want.

And social media has helped social engineers get more savvy, setting up fake profiles that can easily pass as real, or even impersonating real people. That’s why it’s important to stay vigilant when looking at strange or unknown profiles on social media.

Common types of social engineering attacks

Instances of social engineering may be hard to identify, but that doesn’t mean it’s impossible to spot these scams. There are nearly as many types of social engineering attacks as there are cognitive biases to exploit, and some even make the news every now and then. We’ve already mentioned some notable examples of social engineering attacks. Now let’s review the most common social engineering techniques out there.

Email spamming

Email spamming is one of the oldest forms of online social engineering and is responsible for essentially all the junk in your inbox. At best, email spam is annoying; at worst, it’s not just spam but a scam to get your personal information. A lot of email servers automatically screen for malicious spam, but the process isn’t perfect and sometimes dangerous emails slip into your inbox.

Phishing

Similar to email spamming, phishing is usually done through email, but it’s always masked as legitimate. Phishing is a type of social engineering attack in which emails disguised as being from a trusted source are actually designed to trick victims into giving away personal or financial information. After all, why should we doubt the authenticity of an email that comes from a friend, family member, or business we frequent? Phishing scams deliberately take advantage of this trust.

Baiting

Social engineering attacks don’t always originate online — they can start offline, too. Baiting refers to when an attacker leaves a malware-infected device — such as a USB drive — where someone is likely to find it. These devices are often labeled provocatively to entice curiosity. If someone who is particularly curious (or perhaps greedy) picks it up and plugs it into their own computer, they may unwittingly infect their device with malware. Obviously, it’s not a good idea to pick up unknown flash drives and load them onto your device.

Vishing

Vishing, also known as “voice phishing,” is a sophisticated form of phishing attack. In these attacks, a phone number may be spoofed to appear legitimate, as attackers disguise themselves as technicians, fellow employees, IT personnel, etc. Some attackers may also use voice changers to further conceal their identity.

Smishing

Smishing is a type of phishing attack that comes in the form of text messages, or SMS. These attacks usually solicit immediate action from a victim, by including malicious links to click or phone numbers to contact. They often ask victims to disclose personal information that the attackers can then use for their benefit. Smishing attacks often convey a sense of urgency and exploit people’s trust of smartphone messages to get them to act quickly and fall for the attack.

Pretexting

Pretexting is a type of social engineering attack that involves pretending to be someone else in order to obtain private information. Pretexting attacks can happen online or off, and it’s now easier than ever for would-be pretexters to research and stalk potential victims to come up with a credible story (or pretext) to fool them with.

Pretexting attacks are among the most effective, because they can be the hardest to spot. Attackers often do a lot of research to pass themselves off as authentic. It’s not easy to see through a pretexter’s ruse, so you should always be very careful when sharing confidential information with strangers, even customer service reps, IT techs, and others who might otherwise seem legitimate.

These are just the most common types of social engineering attacks that are used to access victims’ personal information. Attackers keep finding new ways to trick humans and computers alike, even with long-standing social engineering attacks like email spamming and pretexting.

At Avast, we stay on top of these evolving online threats by constantly updating the threat-detection engine that powers Avast One, our comprehensive security and privacy app. Plus, our built-in anti-phishing Web Shield will make sure you don’t unintentionally land on a phishing site. Download Avast One for real-time protection against social engineering attacks, as well as malware and other online threats.

Who’s most at risk?

Anyone can be a victim of social engineering. We all have our own cognitive biases, and we’re not aware of them most of the time. Some groups are particularly vulnerable, such as the elderly — who may lack tech-savviness, often have fewer human interactions, and can be perceived as having plenty of money and assets to part with. But technological know-how alone, even in business, can’t protect people from psychological manipulation.

How to prevent social engineering

Once you’re caught in a social engineer’s web, it can be difficult to disentangle yourself. The best way to prevent social engineering attacks is to know how to spot them. Thankfully, you don’t need to be a tech expert to practice good social engineering prevention — you just need to use your intuition and some old-fashioned common sense.

Deploy trusted antivirus software

You can save time and the hassle of checking sources by using trusted antivirus software to flag suspicious messages or websites for you. Security software detects and blocks malware and identifies potential phishing attacks before they get a chance to lure you in.

Change your spam email settings

You can also adjust your email settings to strengthen your spam filters, if spam is slipping into your inbox. Depending on which email client you use, the procedure may be slightly different, so be sure to check out our guide to preventing spam emails.

Research the source

If you receive an email, SMS, or phone call from an unfamiliar source, plug that address or phone number into a search engine and see what comes up. If it’s part of a social engineering attack, the number or email address has likely been flagged before. Even if the sender looks and claims to be legitimate, check anyway, because the email address or phone number may turn out to be just slightly different from the real source — and it may be tied to an unsafe website.
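The "slightly different from the real source" check above is something a mail filter can do for you. The following is an added Python example, not code from the original article or from Avast: it compares a sender's domain against a constructed allow-list of trusted domains, folds common look-alike characters (a digit 1 for a letter l, "rn" for "m"), and flags near-miss domains or a trusted name buried inside an unrelated domain. The domain list and the substitution table are assumptions for illustration.

```python
import re

# Constructed allow-list for this example; a real deployment uses the organisation's own domains.
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}
# Character swaps that make a fake domain read like the real one (assumed, illustrative set).
LOOKALIKES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
MAX_DISTANCE = 2  # edits at which a domain still counts as a near-miss of a trusted one

def normalize(domain: str) -> str:
    """Fold look-alike characters so 'examp1e.com' and 'example.com' compare equal."""
    d = domain.lower().strip()
    for fake, real in LOOKALIKES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats like 'exampla.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Pull the domain out of 'Display Name <user@host>' or a bare 'user@host'."""
    m = re.search(r"<?[^<>\s@]+@([^<>\s]+)>?\s*$", address)
    if not m:
        raise ValueError(f"no e-mail address found in {address!r}")
    return m.group(1).lower().rstrip(".")

def classify_sender(address: str, trusted=frozenset(TRUSTED_DOMAINS)) -> str:
    """Return 'trusted', 'lookalike' (slightly off from a trusted domain) or 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        t_norm = normalize(t)
        # Same name once look-alike characters are folded, or within a couple of typos of it.
        if norm == t_norm or edit_distance(norm, t_norm) <= MAX_DISTANCE:
            return "lookalike"
        # Trusted brand name buried inside an unrelated domain, e.g. example.com-login.net.
        if t_norm.split(".")[0] in norm:
            return "lookalike"
    return "unknown"
```

A "lookalike" verdict is a reason to treat the message as suspect even when the display name and wording look right; an "unknown" sender still deserves the search-engine check described above.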

If it sounds too good to be true, it probably is

Remember that recent Twitter attack mentioned above? The result was that celebrities such as Elon Musk and Bill Gates appeared to be tweeting out offers to give away thousands of dollars in Bitcoin... if followers only gave them $1,000.

It’s pretty clear that celebrities simply giving away thousands of dollars in Bitcoin sounds too good to be true. So in this form of social engineering attack, intuition and common sense can go a long way — be wary of offers that tout lavish rewards for a seemingly token amount of money or information. And if the solicitation seems to come from someone you know, ask yourself, “Would they really ask me for this information in this way? Would they really share this link with me?”

Protect yourself against social engineering attacks

When it comes to social engineering attacks, an ounce of prevention, as they say, is worth a pound of cure. And in many cases, there is no “cure” to social engineering other than changing your passwords and absorbing any financial losses with however much dignity you can muster. But as powerful as the human brain is, it can sometimes be set up to fail.

That’s where Avast One comes in to help safeguard your system. Avast One uses smart analytics to detect and block viruses before they can infect you. And it’ll scan suspicious files before you inadvertently open them and help you patch cracks in your own system. Best of all? Avast One features a built-in Web Shield for dedicated phishing protection, so you’ll never fall victim to social engineering in your inbox. Don’t delay — start protecting yourself today.
