Hackers are not always technical wizards—often, they exploit human nature. Social engineering attacks rely on psychological manipulation to trick people into revealing sensitive info or taking harmful actions. These scams often create a false sense of urgency or trust, bypassing even the strongest digital defenses.
From phishing emails to deepfakes, tactics are evolving fast—making it easier than ever for attackers to fool both individuals and businesses. What makes these threats especially dangerous is that they target the weakest link in your cybersecurity posture: human error.
14 Social Engineering Attack Types Explained
1) Phishing
Phishing is one of the most common types of social engineering attacks. There are many variations of phishing attacks. Some of the most widespread ones include:
- Email Phishing
Attackers impersonate trusted sources (a bank, a parcel carrier, a colleague) and send mass emails containing links to fake login pages or malicious attachments, using fear or urgency to push victims into revealing personal information before they stop to check.
- Spear Phishing
Spear phishing takes a more focused approach. Attackers start by researching their target, gathering specific details such as the person’s name, role, and other personal information. With this intel, they create tailored messages designed to appear familiar or trustworthy, increasing the chances that the victim will fall for the trap.
- CEO Fraud
This attack involves a cybercriminal posing as a top executive, often the CEO, to deceive an employee, usually in finance or HR, into sending money or sharing sensitive data. It typically relies on urgent, convincing messages and is one of the most common forms of business email compromise (BEC).
- Whaling
In whaling attacks, the targets are high-level executives, often referred to as “whales.” This form of phishing is explicitly aimed at influential figures like CEOs or politicians, with the goal of stealing sensitive information or getting them to approve large financial transactions.
- Pharming
Pharming is a more advanced type of phishing that silently redirects users to a fake website to steal their personal information. It is done by tampering with name resolution on the victim’s side (the hosts file, or the DNS settings of the computer or home router) or by poisoning DNS servers. Unlike typical phishing, the user does not need to click a link: they type the correct address and are still taken to the fake site, where attackers capture passwords or credit card numbers. Because the impostor usually cannot obtain a valid certificate for the real domain, a browser certificate warning on a site you visit every day is a strong sign of pharming, not something to click through.
- Smishing
Smishing is a type of phishing that uses text messages to deceive victims into giving up personal information. These texts often appear to come from trusted sources, like banks or well-known companies, and may include links or urgent requests, taking advantage of the recipient’s trust to carry out fraud. Links in texts are often shortened and cannot be hovered over, so the destination is hidden until it is too late.
- Vishing
Vishing, short for voice phishing, is a scam where attackers use phone calls to manipulate people into sharing private or financial details. Posing as legitimate entities, like banks or government agencies, they rely on sounding convincing to earn the victim’s trust and extract sensitive information. Caller ID can be spoofed, so a familiar number on the display proves nothing; hang up and call back on the number printed on your card or statement.
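Two of the disguises above can be checked mechanically: a sender whose display name invokes a brand that its address does not belong to, and a link whose visible text differs from where it really points. The Python below is an added example written for this article, not code from it. The email it parses is constructed, examplebank.com is an assumed brand domain, and 203.0.113.7 is a documentation-range address standing in for an attacker’s server. It flags the classic tricks: a username-before-host URL (`https://brand.com@attacker/`), a raw IP host, a punycode (`xn--`) look-alike host, anchor text naming a different host than the `href`, and any host outside the trusted list.

```python
"""Flag the sender and link disguises used in phishing and smishing messages.

Added example for this article, not code from it. The message below is
constructed, examplebank.com is an assumed brand domain and 203.0.113.7 is a
documentation-range address standing in for an attacker's server."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}   # assumption: the brand's real domains

# Constructed sample: display name claims the bank, address does not; one link
# hides its real host behind userinfo, one uses a punycode look-alike host.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-support.net>
To: victim@example.org
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your account will be locked.
<a href="https://examplebank.com@203.0.113.7/login">https://examplebank.com/login</a></p>
<p>Or use <a href="https://xn--examplebnk-7ee.com/">our secure portal</a>.</p>
<p>Help centre: <a href="https://examplebank.com/help">help</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def is_trusted(host: str) -> bool:
    """True when host is one of the brand's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def sender_mismatch(from_header: str) -> bool:
    """True when the display name invokes a trusted brand but the address domain is not that brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1]
    brand_words = {d.split(".")[0] for d in TRUSTED_DOMAINS}      # e.g. "examplebank"
    squashed = re.sub(r"[^a-z0-9]", "", name.lower())              # "Example Bank Security" -> "examplebanksecurity"
    return any(w in squashed for w in brand_words) and not is_trusted(domain)


def link_findings(href: str, text: str) -> list[str]:
    """Return the disguise indicators found in one <a href=...>text</a>."""
    findings = []
    parts = urlparse(href)
    host = (parts.hostname or "").lower()
    if parts.username is not None:                 # https://examplebank.com@203.0.113.7/ -> host is the IP
        findings.append("userinfo-before-host")
    if IPV4_RE.fullmatch(host):
        findings.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    shown = urlparse(text.strip())                 # anchor text that looks like a URL must name the same host
    if shown.scheme and shown.hostname and shown.hostname.lower() != host:
        findings.append("anchor-text-host-mismatch")
    if not is_trusted(host):
        findings.append("untrusted-domain")
    return findings


def analyze(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and score its sender and every link in the HTML body."""
    msg = message_from_string(raw_message)
    links = {href: link_findings(href, text) for href, text in ANCHOR_RE.findall(msg.get_payload())}
    return {"sender_mismatch": sender_mismatch(msg["From"]), "links": links}


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    print("sender mismatch:", report["sender_mismatch"])
    for href, flags in report["links"].items():
        print(href, "->", ", ".join(flags) or "clean")
```

Only the help-centre link comes back clean; the first link trips four indicators at once, which is typical of mass phishing, while the punycode link is the quieter case a reader would miss by eye.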
2) Pretexting
Pretexting is when an attacker makes up a fake story or situation to trick someone into giving away sensitive information or doing something that puts their security at risk. They usually pretend to be someone trustworthy—like a bank representative or a company employee—to gain the victim’s confidence. The fake scenario is often designed to tap into the victim’s instinct to be helpful or follow authority. To make the lie more believable, the attacker frequently does some homework on the victim beforehand and uses persuasive, well-crafted tactics to manipulate them.
3) Baiting
Baiting plays on basic human impulses—curiosity, temptation, and the lure of getting something for nothing. Think of it as a trap disguised as a gift. An attacker might drop a mysterious USB drive in a parking lot with a label like “Company Layoffs – 2025” or post an irresistible download link offering a blockbuster movie for free. Whether it is a physical item or a digital file, the goal is the same: spark enough interest for someone to take the bait. The moment that curiosity wins and the bait is opened, hidden malware springs into action—infecting the device, stealing information, or opening the door for deeper attacks.
4) Tailgating \ Piggybacking
Tailgating, or piggybacking, is a social engineering trick where someone gets into a secured area, like an apartment building or gated community, by closely following a resident through a door or gate. Strictly, tailgating is slipping in unnoticed, while piggybacking is being let in knowingly by someone who was tricked into it; both exploit everyday politeness, such as holding the door open for a “delivery person” or someone who says they forgot their key. By appearing harmless and blending in, these individuals bypass physical security and gain access to private spaces, putting residents and personal property at risk.
5) Diversion Theft
Diversion theft happens both online and offline, targeting deliveries. Online, attackers trick customers into changing shipping addresses or hijack accounts to reroute packages. They may intercept tracking updates to redirect goods before delivery. Offline, thieves pose as couriers, using fake uniforms or IDs to grab packages mid-route or steal them from doorsteps. In both cases, the goal is the same: deceive, divert, and steal goods during the delivery process for personal gain.
6) Romance Scams \ Honey Traps
A romance scam or honey trap attack uses emotional or romantic manipulation to deceive victims. The attacker pretends to be romantically interested, often using fake profiles and flattery to build trust. Over time, they aim to extract money, personal details, or access to sensitive data. These scams often involve seductive messages, convincing backstories, and prolonged online communication designed to emotionally hook the target before exploiting them.
7) Extortion
Criminals use fake extortion schemes to scare victims into paying. These scams rely on fear and threats, often convincing targets to act quickly. Many fall for them, fearing imagined consequences. Below are typical examples:
- Scareware
Scareware is fake security software that tricks users into thinking their device is infected. Alarming pop-ups or fake scans create panic, urging victims to buy bogus antivirus tools or share personal info. It exploits fear and limited tech awareness.
- Sextortion
Sextortion is blackmail using threats to expose sexual content. Attackers demand more explicit material or money, exploiting fear and shame. Victims are manipulated psychologically, with threats to share compromising content unless demands are met.
- Doxing
Doxing is the act of publicly exposing someone’s personal details, like home address, phone, email, or workplace, without consent, often as a threat.
- DDoS Extortion
Cybercriminals threaten Distributed Denial of Service (DDoS) attacks that would knock a personal website or server offline unless payment is made.
- Reputation Damage Threats
Extortionists threaten to ruin reputations with false or damaging info unless demands, like payment, are met.
- Extortion With Threat To Kill
Extortion scams involving death threats prey on deep fears. Scammers demand money, claiming they’ll harm the victim or their family if payment isn’t made. These threats are meant to pressure and terrify victims into compliance.
8) Watering Hole
A watering hole attack is a social engineering method where hackers compromise websites their targets frequently visit. By injecting malicious code into these trusted platforms—like industry news sites or forums—they infect users’ devices without direct interaction. This tactic exploits user trust in familiar sites, allowing attackers to silently breach systems of specific individuals or organizations.
9) Quid Pro Quo
Quid pro quo is a social engineering tactic where cybercriminals offer a benefit or favor in exchange for sensitive information or access. They may pose as IT technicians or service providers, offering help, quick fixes, discounts, or exclusive services. The attacker exploits the victim’s trust and willingness to reciprocate, using the offer to gain confidential data.
10) Typosquatting
Typosquatting, or URL hijacking, is a cybercrime tactic that exploits typing mistakes in website addresses. Attackers register domains nearly identical to popular sites (a dropped or doubled letter, two letters swapped, a look-alike character such as “1” for “l”, or a different top-level domain like .cm for .com), relying on users to mistype URLs. These fake sites often mimic the look and feel of the real ones, tricking users into entering login credentials or downloading malware.
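The permutations an attacker registers are mechanical, so a defender can enumerate them for their own brand (to register or watch them) and check any link’s host against the list. The Python below is an added example, not code from the article; example.com and examplebank.com are assumed brand domains. It generates omission, transposition, doubled-letter, adjacent-key (left and right neighbours on a QWERTY row), digit look-alike and alternative-TLD variants, which is a little more than the paragraph names but the same idea.

```python
"""Enumerate the typo domains an attacker would register for a brand, and check
a host against them. Added example, not code from the article; the brand
domains used in the test and __main__ block are assumptions."""
from typing import Iterable, Optional

QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
LOOKALIKE_DIGITS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "b": "8", "g": "9"}
ALT_TLDS = ("com", "net", "org", "co", "cm", "om")   # common TLD slips and truncations


def _adjacent_keys(ch: str) -> str:
    """Keys immediately left and right of ch on the same QWERTY row."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i >= 0:
            return row[max(0, i - 1):i] + row[i + 1:i + 2]
    return ""


def typo_variants(domain: str) -> set[str]:
    """All single-edit look-alikes of the domain's first label, plus TLD swaps."""
    name, _, suffix = domain.lower().partition(".")
    labels = set()
    for i, ch in enumerate(name):
        labels.add(name[:i] + name[i + 1:])                                  # omission:      exmple
        labels.add(name[:i] + ch + name[i:])                                 # doubled key:   exaample
        for k in _adjacent_keys(ch):
            labels.add(name[:i] + k + name[i + 1:])                          # adjacent key:  exanple
        if ch in LOOKALIKE_DIGITS:
            labels.add(name[:i] + LOOKALIKE_DIGITS[ch] + name[i + 1:])       # look-alike:    examp1e
        if i + 1 < len(name):
            labels.add(name[:i] + name[i + 1] + ch + name[i + 2:])           # transposition: exmaple
    labels.discard(name)                                                     # the real name is not a typo
    variants = {f"{label}.{suffix}" for label in labels}
    variants |= {f"{name}.{tld}" for tld in ALT_TLDS if tld != suffix}      # example.cm, example.net, ...
    return variants


def squatted_brand(host: str, brands: Iterable[str]) -> Optional[str]:
    """Return the brand that host is a typo of, or None (an exact brand match is legitimate)."""
    host = host.lower()
    brands = [b.lower() for b in brands]
    if host in brands:
        return None
    for brand in brands:
        if host in typo_variants(brand):
            return brand
    return None


if __name__ == "__main__":
    brands = ["example.com", "examplebank.com"]          # assumed brand domains
    print(len(typo_variants("example.com")), "candidate squats for example.com")
    for host in ("exmaple.com", "examp1e.com", "examplebank.cm", "example.com", "unrelated.org"):
        print(f"{host:18} -> {squatted_brand(host, brands)}")
```

Only one edit per candidate is generated; real squatters also combine edits and add words (“examplebank-login.com”), so a watch-list built this way catches the cheap registrations, not every possible one.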
11) Social Media Mentions
Attackers exploit the @username feature on social media to appear credible. By tagging real users or organizations, they make their posts seem trustworthy, tricking others into engaging with deceptive content or falling for scams disguised as legitimate interactions.
12) Hoaxes
A hoax spreads false information to mislead targets, often using alarming messages to create fear or warn about fake threats, manipulating victims into unnecessary actions or panic.
- Tech Support Scam
A well-known hoax is the tech support scam, in which fraudsters falsely claim the victim’s computer has a problem. They impersonate support staff from trusted companies to gain remote access or pressure the user into paying for bogus services they do not actually need. Legitimate vendors do not call you unprompted about a problem on your computer, and a pop-up that shows a phone number to call is itself the scam.
- Charity Scam
Charity scams often appear after disasters, pandemics, or during holidays, asking for donations to fake causes. Exploiting empathy, scammers trick people into acting emotionally, leading to unsafe actions and potential security risks.
- Prize Scam
Scammers claim you have won money or a prize, then demand personal info or an up-front fee to release the winnings that do not exist.
13) Dumpster Diving
Dumpster diving is a low-tech tactic where scammers rummage through household trash to find discarded documents containing sensitive information. Items like bank statements, medical bills, or personal letters can reveal names, account numbers, or login details. With this data, attackers can steal identities, access accounts, or commit fraud. Some home users unknowingly make themselves targets by tossing out unshredded papers, making proper disposal of personal information essential for protecting privacy and security.
14) Shoulder Surfing
Shoulder surfing is a tactic where someone watches another person type or view sensitive information, like passwords, PINs, or credit card numbers. It does not always require close proximity—attackers can use cameras, binoculars or even spy during video calls. This simple but effective method allows cybercriminals to gather valuable personal data without hacking.
How Home Users Can Fight Back Against Social Engineering: 11 Tips
Here is how home users can safeguard themselves from social engineering attacks:
- Shrink your digital footprint. Be thoughtful about what you post online—especially on social media—to make it harder for cybercriminals to gather personal details about you.
- Protect your devices with trusted antivirus tools. Security software is an important layer against the malware that baiting, scareware and malicious attachments deliver, but it cannot tell that a convincing caller or email is lying, so do not treat it as a substitute for the habits below.
- Stay calm and collected when online. Do not rush—whether you are clicking links, filling out forms, or responding to messages. A level-headed approach can prevent costly mistakes.
- Handle unexpected emails, texts and links with care. Do not open attachments or click links in messages you were not expecting, even from names you know, since a display name and sender address are easy to forge. Check where a link really goes (hover on a desktop, long-press on a phone) and, for anything involving money or account access, reach the site by typing its address or using a bookmark rather than through the message.
- Monitor your bank accounts and credit reports regularly. Fraudsters often go after your finances—catching suspicious activity early can make all the difference.
- Avoid plugging in unfamiliar USB drives or gadgets. External devices can carry hidden malware. If you do not know where it came from, do not connect it.
- Keep your devices and accounts private. Never let anyone else log into your phone, computer, or online accounts.
- Use a VPN when browsing or shopping on networks you do not control. A Virtual Private Network encrypts traffic between your device and the VPN provider, which keeps someone on the same public Wi-Fi from reading or tampering with it. It does nothing against a fake page you log into yourself, so treat it as a complement to the other tips.
- Turn on Multi-Factor Authentication. Adding a second factor to your logins defeats most attacks that rely on a stolen password alone. Where a service offers passkeys or a hardware security key, prefer them over one-time codes sent by SMS or email: a code can be phished and relayed in real time by a fake login page, while a passkey is bound to the real site’s domain and will not work on an impostor.
- Watch for leaked personal data on the dark web. If your info ends up there, you will want to know—and act—fast.
- Consider signing up for identity theft protection. These services can help detect suspicious activity and guide you through recovery if needed.