Cybersecurity: social engineering
Social engineering is just one of the threats that the EU is working on to promote cyber resilience and fight cybercrime.
Social engineering
Social engineering is a strategy used by individuals or groups to manipulate and deceive people into revealing sensitive information or performing actions that compromise their security. It relies on psychology and human behaviour, rather than technical know-how.
In social engineering attacks, the attacker often poses as a trusted person or source in order to gain the victim's trust. The attacker uses tactics such as impersonation, persuasion or trickery to extract valuable information such as:
- passwords
- financial details
- access to systems and networks
Social engineering attacks can take various forms. The strategy is to exploit human vulnerabilities to achieve the attacker's objectives, whether these are gaining unauthorised access, stealing data or money.
The different techniques used in social engineering
Phishing
Attackers send deceptive emails, messages, or links to websites that appear legitimate, aiming to trick recipients into clicking and revealing sensitive information such as passwords, credit card numbers, or personal data.
Spear phishing
Similar to phishing but highly targeted. In order to appear even more convincing, attackers customise messages based on specific information about the target.
Baiting
Attackers offer something enticing, such as free software downloads, in exchange for personal information or system access. This can involve infected files or links.
Pretexting
Attackers create a fabricated scenario or pretext to obtain information. This often involves impersonating someone trustworthy, such as a colleague or bank representative.
Vishing
A form of phishing that occurs over voice communication, usually phone calls. Attackers impersonate trusted entities and persuade victims to reveal sensitive information.
Impersonation
Attackers pretend to be someone else, either online or in person, to gain trust and manipulate the target into disclosing confidential information or taking specific actions.
Angler phishing
Attackers mainly target social media users and often take advantage of popular or trending topics to create deceptive messages, making them appear relevant and trustworthy.
Ransomware and extortion
Attackers threaten to reveal sensitive information or disrupt systems unless a ransom is paid. They instil fear in order to coerce their victims.
Protection against such attacks
Awareness is your shield
Be vigilant and recognise the signs. If something feels odd or too good to be true, it may be a scam.
Think before you click
Avoid clicking on links or opening emails from unknown sources.
Guard your personal information
Never share sensitive details such as passwords, credit card numbers, or personal data in messages or emails, no matter who asks.
Set strong passwords
Use unique, strong passwords for different accounts.
Use multi-factor authentication
Wherever possible enable multi-factor authentication, it adds an extra layer of security to your online accounts
Verify the caller’s identity
If someone contacts you claiming to be affiliated to a company or an organisation, ask for proof of identity or contact the organisation directly to verify the information.
Stay informed
Keep learning about new scams and techniques.
Stick to trusted sources
Use trusted sources to download files in order to avoid malwares.
If you become a victim
- notify your competent local authorities
- change your passwords
- enable multi-factor authentication
- scan your devices for malware
- alert friends and colleagues that your accounts were breached
See also
Cybersecurity
How the EU combats cybercrime
Cyber threats in the EU: facts and figures
Last review: 5 February 2025