Social engineering continues to evolve in various ways:

Still, many companies fail to educate themselves on how the social engineering attack cycle starts and progresses. In fact, according to a survey, only 27% of businesses have given employees awareness training for social engineering attack scenarios.

That means for nearly 75% of companies, social engineering exploits may already be in progress, and they don’t even know it yet.

And traditional cybersecurity tools have no way of flagging or even detecting it, because threat actors use natural language to communicate with and manipulate their victims.

To the untrained eye, socially-engineered emails look like any other email from a colleague, friend, or a legitimate company. Legacy network and email gateway cybersecurity controls were engineered to detect payloads and/or links, so they end up missing emails that use language crafted to weaponize human trust.

But what does a social engineering attack cycle look like? Why is it effective? And how does one break it? Here are the five notable stages of a social engineering attack.

Stage 1: Research and Reconnaissance

The first stage of the social engineering life cycle entails gathering as much information as possible. In most social engineering exploits, the attacker performs research and reconnaissance on the target.

If the target is an enterprise, the threat actor gathers intelligence on the organizational structure, internal operations, common lingo used within the industry and possible business partners, among other information.

This includes learning about the “weakest links” of any organization: the human workforce.

That doesn’t mean to say every employee in your company is inherently weak against these attacks. Rather, social engineers are expert manipulators who know which strings to pull and which details to use to gain their target’s trust.

One of the more common social engineering attack vectors is focusing on the behaviors and patterns of employees who have low-level but initial access, such as a security guard or receptionist.

Attackers can also scan social media profiles for personal information and study their behavior online and in person.

Stage 2: Fake Profile Setup

In the case of social media phishing, attackers often build fake profiles and perform their target recon on the various platforms that their target uses.


Facebook, one of the more famous social media sites, has also become “a hotspot for social engineering cyber assaults,” according to a ResearchGate case study. Approximately 1.7B fake accounts that were taken down by Facebook in Q4 of 2021.

However, it is still unknown how many fake accounts and profiles remain at large as of the moment.

One of the more recent examples, the Bearded Barbie campaign, targets Israelis employed in sensitive/regulated industries through Facebook. The threat group APT-C-23 creates a fake Facebook profile, usually of a beautiful woman, and initiates conversations with unsuspecting Israeli men. As the social engineer earns the victim’s trust, they move that conversation to a different medium, usually WhatsApp. Here, they begin to send 2 pieces of malware, one disguised as an application and the other as an explicit video. The victim who downloads and interacts with these pieces of malware end up giving the threat actors the ability to infect and spy on their devices, steal data, and maintain persistence.

Learn how to protect Facebook >>>


Most professionals have leveraged LinkedIn for professional networking and job hunting. But threat actors also use LinkedIn to exploit their unsuspecting victims.

We’ve come to a point where threat actors fabricate credentials, experience, and positions on LinkedIn to impersonate high-value individuals to be able to reach out to a real person deemed as a high-value target.

SafeGuard Cyber experienced this firsthand: a person posing as an associate professor at a top-tier research university reached out to one of our executives to “discuss possible research collaboration.” However, after a manual verification process, we quickly found out that the individual’s profile was fabricated and his intentions were fraudulent. As a result, we ceased communications with the individual and all the other profiles the individual has made connections to were promptly notified of the attempt.

Still, what makes things worse for these kinds of attacks is the fact that many of the fake profiles on LinkedIn are using AI-generated faces that are nearly indistinguishable from photos of real people, which makes it even more difficult to identify what is real and what is not.

LinkedIn reports that they’ve removed about 15M fake accounts in the first half of 2021. However, fake profiles are constantly being added.

Learn how to protect LinkedIn >>>


For WhatsApp, attacks often take the form of brand impersonation.

Recently, WhatsApp uncovered fake accounts that have been posing as WhatsApp’s support team. The scammers try to “gather personal information like credit card details and the six-digit PIN code that keeps the app secure”, according to the report, by impersonating legitimate CS agents.

On the other hand, there have also been reports of cybercriminals spoofing WhatsApp and sending voicemail phishing messages disguising themselves as notifications from the messaging platform.

Researchers found that threat actors based in Russia are targeting about 28,000 organizations from various industries like retail and healthcare with a spoofed version of a WhatsApp voicemail. That is, the phishing voicemail does not come from or is sent through WhatsApp – it’s just made to look and sound like it does.

This sophisticated attack is, truly, four cyberattack types rolled into one: social engineering, brand impersonation, legitimate domain exploitation, and business email workflow replication.

Learn how to protect WhatsApp >>>


Telegram is one of the more reliable and secure messaging platforms out there, but even that reliability has its limitations.

Cybercriminals are also active in Telegram, especially since it has become a common mode of communication for the crypto industry. There are various instances of phony Telegram accounts scamming people out of their crypto coins, incidents of stolen crypto wallets, and secret surveillance of the platform’s users.

Learn how to protect Telegram >>>

Take Security Product Tour

Stage 3: Building Trust and "Amygdala Hijacking"

The next stage of the social engineering life cycle is using the information threat actors gathered to start building trust with target victims. This is often referred to as “amygdala hijacking” which is, essentially, bending people to your will by tapping into emotional responses. Coined by psychologist Dr. Daniel Goleman:

An amygdala hijack “occurs when any strong emotion — anger, fear, anxiety, or even extreme excitement — impairs the prefrontal cortex, the part of the brain in the frontal lobe that regulates rational thought.”

Christopher Hadnagy, a professional ethical hacker and author of the book Social Engineering: The Art of Human Hacking, worked with Dr. Goleman, along with other psychology experts Dr. Paul Ekman and Dr. Paul J. Zak, and discovered how emotions have become a powerful tool in social engineering attack scenarios.

Social engineers can trigger physiological and psychological responses before the brain has time to kick in, as well as how the logic centers of the brain “actually shut down when strong emotions like fear are triggered.”

Subsequent security tests with simulated phishing emails yielded worrisome results:

  • The phishing email promised the victims they’d ‘win’ a new iPhone if they clicked on the link provided and entered their domain credentials. Out of 1000 people who received the phishing email, 75% complied.
  • As a follow up to the first test, another simulation was launched with the would-be attacker posing as “Paul from tech support” and informing the top 25 of those who complied with the first test that their device was infected with malware. To ‘clean’ it, they were told they needed to download an app, which was actually a reverse shell allowing access to their desktops. 24 out of 25 obeyed.

Threat actors use emotion to impair logical thinking, and its success relies on a threat actor’s understanding (and exploitation) of human nature and behavior:

  • Inclination to help others
  • Avoidance of conflict
  • Willingness to follow direction

There is also the use of pretexting – the fabrication of a scenario or a lie about one’s identity in order to deceive the target into providing sensitive or personal information.

Stage 4: Malware Delivery and Credential Skimming

By this point, the attacker is in an excellent position to launch an attack by sending a malware-laced attachment to the targeted victim, under the pretext of a legitimate purpose, to compromise their host device.

According to 2022 data:

  • 560,000 new pieces of malware are detected every day.
  • There are now more than 1 billion malware programs out there.
  • Every minute, four companies fall victim to ransomware attacks.
  • Trojans account for 58% of all computer malware.

Aside from delivering malware, threat actors can also redirect their victims to a bogus website that either skims their login credentials, or tricks them into wiring money and currencies to an account that the attackers control.

Phishing emails remain the most common social engineering attack vector, especially for malware delivery and credential skimming. However, hackers have now developed various ways to use social media platforms to send over malicious payloads and fake website links.

Stage 5: Post-Compromise Exploitation

Social engineering exploits give birth to more attacks (hence why it’s called a ‘cycle’), as access to credentials of one employee can lead to stolen credentials from other coworkers, outside contractors, or business partners and clients. This is the fifth stage of the social engineering life cycle, after which actors restart their campaigns against the same or new targets.

Cases in point:

  • In 2021, Microsoft shared details of post-exploitation attack activity, which included multiple ransomware payloads and a cryptocurrency botnet, following cyberattacks on their Exchange Server.
  • The Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory warning that threat actors may be chaining VMware vulnerabilities to gain full system control across various VMware tools and platforms, as well as user accounts.

Breaking the Cycle with Natural Language Understanding

What it all comes down to is this: the social engineering attack cycle is highly reliant on the language and words that the threat actor uses. The more natural it sounds, the more effective it is for tricking people.

Most  traditional cybersecurity tools and programs don’t have the necessary capabilities to detect, track, and flag language-based threats.

Renown hacker Kevin Mitnick says that social engineering attacks are particularly dangerous because hackers can use a variety of tactics to gain unauthorized access to your organization. 

“All types of social engineering involve the use of a number of tactics that can sidestep your cybersecurity protocols and give the threat actor access to your organization’s sensitive information and infrastructure. Without understanding why social engineering can be dangerous, an organization may be more vulnerable to an attack.” 

However, with the help of cybersecurity solutions that wield the power of Natural Language Processing and Understanding (NLP/NLU), companies can:

  • Identify different social engineering exploits by scanning and identifying key attributes of text and content that would signal a potential attack.
  • Zero in on determinants like a sense of urgency or discussion around payment or credentials as key components of an imminent social engineering attack.
  • Recognize patterns from various samples of social engineering attack cycles, and use these patterns to analyze and pinpoint social engineering attempts with an extremely high level of accuracy.

To learn more, read this guest post from Scott E. Augenbaum, a retired FBI Supervisory Special Agent on the evolution of social engineering over the last 25 years >>>

SafeGuard Cyber integrates directly into communication channels via APIs to process content and metadata using patented Natural Language Understanding technology and cloud-based machine learning, empowering organizations to detect and respond to cyber and compliance risks at scale.

With SafeGuard Cyber, businesses can detect and respond to threats, properly manage risk, and comply with the regulatory requirements in cloud workplaces while maintaining employee privacy. Organizations protect themselves against the social engineering attack cycle, gaining business agility with better security and time to value.

If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.

Explore Security Product