Social Engineering Examples: Real-World Tactics

Social engineering refers to the psychological manipulation of individuals, or the act of deceiving them, in order to obtain something valuable. Cybercriminals use social engineering techniques to persuade employees to disclose company secrets, expose confidential information, or transfer large amounts of money.

In 2025, the global average cost of a cyberattack reached USD 4.44 million. This includes financial theft and regulatory penalties. Damage to brand reputation can be even more significant, although it is difficult to quantify. Around 60% of small businesses close within six months after experiencing an attack.

How can organizations reduce the risk of social engineering and its negative consequences? This article examines common attack methods, real-world cases, and prevention approaches.

What are social engineering attacks?

Social engineering is a general term for attack methods that exploit human behavior. Rather than focusing on technical weaknesses in systems, attackers focus on human weaknesses. They attempt to create fear, urgency, or another form of psychological pressure that causes people to reveal confidential information.

In some cases, attackers also try to make an employee click a malicious link or download a harmful file. As a result, malware can enter the environment and cause additional damage.
There are many forms of social engineering attacks. Several examples are described below.

Phishing

Phishing is the most common type of social engineering attack. Threat actors send messages that appear to come from a trusted source.

Email phishing

In email phishing campaigns, attackers send fraudulent emails while pretending to represent legitimate organizations. These emails include links to fake websites where victims are asked to enter sensitive information.

For example, threat actors impersonating the United States Department of Labor (DoL) sent emails to businesses in an attempt to steal employee Office365 credentials. The emails were sent from fake domains that closely resembled the legitimate DoL domain, dol.gov. Examples included:

  • dol-gov[.]us
  • dol-gov[.]com
  • bids-dolgov[.]us

The emails contained professionally prepared content, official-looking letterhead, and a three-page PDF attachment with a submit button. Users were asked to submit a bid application that required them to log in with their Office365 credentials. The form even displayed an error message after the first login attempt to make sure victims entered valid credentials.

Spear phishing

In spear phishing attacks, criminals personalize their messages with specific details in order to target particular individuals. These targets are often high-profile employees.

For example, the Belgian bank Crelan was targeted in a fraud campaign aimed at its CFO. The incident resulted in a loss of more than 70 million euros. The attacker pretended to be a client requesting an urgent money transfer for a business transaction.

Vishing

In vishing attacks, criminals use phone calls instead of emails to deceive victims into sharing personal information. They may pretend to be legitimate company representatives, technical support specialists, or senior executives. As AI voice cloning technology becomes more widely available, the level of risk continues to increase.

For example, a finance employee at a multinational company in Hong Kong was deceived into transferring $25 million to criminals. The attackers used AI voice cloning to impersonate the company’s CFO during a video conference call.

Barrel phishing

In barrel phishing attacks, criminals first send several harmless emails to build trust with employees. Only after that do they send the actual scam email.

For example, hackers impersonated Dropbox support and began sending employees at a U.S. company general Dropbox information and cloud storage tips. Later, they sent an email claiming that a file shared by a colleague was too large and had to be viewed in Dropbox through a provided link. After clicking the link, users were taken to a fake Dropbox login page, where their credentials were stolen.

Mobile phishing

In mobile phishing attacks, criminals use text messages to send fake warnings, alerts, or other notifications. These messages include links that redirect victims to counterfeit versions of legitimate websites. For example:

  • Attackers may impersonate local tax authorities and send messages claiming that unpaid taxes are due.
  • Attackers may impersonate parcel delivery services and claim that a package could not be delivered.
  • Attackers may impersonate a major brand and claim that the recipient has won a prize.

Pretexting

In pretexting attacks, criminals create a believable scenario, or “pretext,” to steal information. They pretend to be a trusted person, such as a colleague, service provider, or authority figure. Under the appearance of a legitimate request, they ask for personal details, passwords, account numbers, or other confidential information.

For example, MacEwan University in Canada transferred almost $12 million to a scammer who impersonated a contractor. The attacker emailed staff and asked them to update payment details intended for a construction vendor partner. The fraud was not discovered until the real vendor requested payment several months later.

Quid pro quo

In quid pro quo attacks, criminals offer something in exchange for information or access. Victims believe they are receiving help, but in reality they provide valuable information to the attacker.

The most common form of quid pro quo attack involves technical support. The attacker pretends to be a legitimate support representative from a well-known company. They offer to fix a fake issue on a device, such as a non-existent computer virus. In exchange for this “help,” they request remote access to the system. What appears to be a harmless interaction can allow attackers to access sensitive information or install malware on the device.

For example, employees searching for “Microsoft support” or “Apple support” may accidentally click a sponsored advertisement placed by a fraudulent company. They may then call the advertised scam number and believe they are speaking with genuine Microsoft or Apple representatives. In reality, they are interacting with sophisticated criminals who manipulate them into disclosing confidential information.

Watering hole attack

Watering hole attacks focus on third-party websites that employees or professionals in a specific industry visit often. The attacker compromises the third-party website so that visitors are redirected to a fake version designed to collect data.

For example, APKMonk is a third-party app store used by enterprise developers to download Android Package files for Android application development. Attackers pretending to be APKMonk deceived site visitors into downloading spyware files. Within five months, the attackers gained access to data from infected devices belonging to military personnel, government officials, medical professionals, and members of the general public.

Security officials recovered 6 thousand call recordings, 30 thousand images, and 600 videos containing private information. They also found copies of detailed travel data, GPS coordinates from images, internal government communications, photos from closed-door meetings, and other information relevant to espionage activity.

Prevention is better than cure

The attacks described above represent only a small part of the overall threat landscape. Similar to the many-headed Hydra from Greek mythology, social engineering attackers have an almost unlimited number of ways to deceive unsuspecting employees. As security authorities identify one attack method, new variations continue to appear.

Cybersecurity solutions provide only a basic layer of protection. Ultimately, employees must remain alert during every digital and electronic interaction.

Arsen helps organizations respond to these risks by providing cybersecurity awareness training for employees and simulation kits for security teams. Its AI-powered simulations make it possible to test and evaluate a company’s ability to withstand advanced social engineering attacks. Training can cover everyone from the CEO to junior employees, helping them recognize criminal activity, report it, and protect business assets.

Subscribe to news