One of the most effective tactics used by cybercriminals is not technical or even sophisticated in nature. It’s social engineering, specifically an awareness of how to trick and manipulate people into giving up sensitive information. This is the basis behind phishing attacks and other malicious campaigns that manage to convince people to fall for a scam. A report released Thursday by business VPN provider NordVPN Teams examines three different types of social engineering attacks and offers advice on how to combat them.

SEE: Security Awareness and Training policy (TechRepublic Premium)

Social engineering attacks jumped during the first half of 2020, according to NordVPN Teams. Earlier this year, the FBI reported that as of May 28 it had received almost the same number of complaints about social engineering attacks as it did for all of 2019. The 2020 Verizon Data Breach Investigations Report found that social engineering now accounts for more than two-thirds of all cyberattacks, with 96% of those conducted via phishing.

In its report, NordVPN Teams identified three different attack vectors involving social engineering.


The most common type of social engineering attack, phishing campaigns use email, text messages, and websites to scam their victims. By impersonating some familiar reference or trusted source, these attacks work by tricking someone into revealing sensitive personal information or turning over money. These campaigns usually kick off by convincing the recipient to click on a malicious link in the email or message.

SEE: Don’t click on ransomware disguised as political ads (TechRepublic)

“Criminals could trick an individual by posing as a legitimate business or government agency,” NordVPN Teams CTO Juta Gurinaviciute said in the report. “For instance, you could receive an email asking for donations that’s supposedly from a non-profit, or a phone call from your bank requesting your social security number.”


In this type of attack, cybercriminals create and use a fake identity to convince people to provide private information. As one example, an attacker might pretend to be an IT service provider who requests the person’s account details and passwords in order to help them resolve a technical problem.

SEE: Hackers have only just wet their whistle. Expect more ransomware and data breaches in 2021. (TechRepublic)

“The reality is, cybercriminals are constantly attempting to manipulate their way into secure digital locations,” Gurinaviciute said. “It often starts with a friendly ‘Hello’ and ends with businesses losing thousands—sometimes, millions—of dollars.”

Baiting and quid pro quo attacks

In a baiting attack, cybercriminals tempt their victims by promising something, such as a free download or advice about COVID-19. In reality, the download is likely a malicious file designed to infect the person’s system.

A quid pro quo attack is similar. But rather than offer something of value, the attacker promises to perform a certain action in exchange for an action from the victim. As an example, the attacker might phone different extensions at an organization pretending to be returning a call about technical support.

SEE: Cybersecurity policy is a must in government (TechRepublic)

“The most common quid pro quo attack occurs when a hacker impersonates a member of the IT staff in a large organization and then offers them some kind of upgrade or software installation,” Gurinaviciute said. “They pretend to be helping, but they instruct the victims to perform actions that will compromise their machine.”

How to protect your business against these attacks

To protect your organization against social engineering attacks, NordVPN Teams offers several bits of advice.

  • Security awareness. One way to reduce the threat of social engineering attacks is to put security awareness at the top of your agenda. Confidential data, intellectual property, and digital systems are only as secure as the weakest users in your organization. Without a security awareness program, your risk management strategies won’t be as effective.
  • Multi-factor authentication (MFA). Even with security measures like antivirus software, firewalls, encryption technology, and regular vulnerability tests, an attacker can still compromise accounts and data if you don’t have any type of MFA in place.
  • Zero standing privileges. Gartner recommends adopting zero standing privileges as part of your security posture. With this method, a user is given access rights to a certain system, file, or other asset only for a specific task and only as long as is required to complete that task. Afterwards, those rights are rescinded. Even if a cybercriminal compromises the user’s credentials, they won’t gain access to any sensitive assets.

“Social engineering and unpatched software will remain the top two root causes of successful exploits, as they have been for more than 30 years,” Gurinaviciute said. “Cybercriminals capitalize on instability, which is one reason why social engineering attacks are on the rise during COVID-19.”

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday