Social Engineering: How to Protect Yourself
Social engineering scams don’t discriminate. They can target anyone.
These scams view your personal data as a treasure trove, providing access to linked accounts and data caches stored on corporate servers. Such attacks result in millions of dollars in losses annually. So, how can you safeguard yourself and your business from social engineering attacks?
What is Social Engineering?
Social engineering attacks involve fraudsters impersonating trusted individuals, like a billing department representative or an employer, to persuade their victims to reveal sensitive information such as passwords or account numbers.
At its core, social engineering is a confidence scam based on trust. The scammer selects a victim, gains their confidence, and then tricks them into sharing confidential information. This typically involves four key principles:
- Confidence: Posing as someone you trust or an authority figure (e.g., a boss or government official).
- Consensus: Leveraging peer pressure or social proof to coerce someone into acting against their best interests.
- Familiarity: Feigning emotional closeness or affection to manipulate victims into taking action, as in a dating scam.
- Urgency & Scarcity: Creating a sense of urgency in conversations to rush victims into acting without thinking.
Social engineers usually target victims via email, online messages, text messages, or phone calls. Regrettably, these scams are becoming more common and widespread every year.
8 Most Common Social Engineering Scams
Social engineering scams are often customized to fit their victims, making them highly adaptable. Here are eight of the most common tactics:
#1. Business Email Compromise (BEC)
This scam involves emails that seem to come from a legitimate source within a company but are actually sent by imposters trying to trick employees into revealing sensitive information.
#2. Catfishing
Also known as a “honey pot” scam, catfishing involves fraudsters posing as romantic interests on dating websites or apps, then convincing their victims to send them money after developing an online relationship.
#3. Pretexting
Scammers use a series of small lies or half-truths to convince victims that they hold a position of authority, such as an HR representative, to extract sensitive information.
#4. Phishing
This technique tricks individuals into voluntarily giving up personal information, typically targeting financial data. Variations include “voice phishing” (or “vishing”) as well as targeted attacks (called “spear-phishing”).
#5. Scareware
Designed to induce stress or heightened emotions, scareware frightens victims into actions like clicking malicious links or downloading malware. It often targets younger individuals or less tech-savvy older generations.
#6. Tailgating & Piggybacking
These physical attacks involve scammers entering a company or organization to steal data or deliver malware, often by posing as an employee or a worker hired to fix a technical issue.
#7. Water Holing
Scammers study victims’ online habits and then inject malicious code into frequently visited sites or marketing emails to attract clicks.
#8. Quid Pro Quo
These attacks involve scammers promising something in exchange for something else, often making empty promises with no intention of fulfilling them.
Social Engineering Red Flags
Social engineering scams are popular because they are effective, and humans are often the weakest link. Targeting individuals is often easier and cheaper than developing costly software to bypass security systems. Scammers focus on tricking people into making mistakes rather than attempting to brute force their way through security systems.
Defeating social engineering attacks requires self-awareness and vigilance. Stay calm, think critically, and don’t act impulsively when you encounter a situation that demands sensitive information or funds. Social engineers profit from making you act without thought. Here are some specific red flags to watch out for:
- You’re Emotional: If you receive a call, email, or text message that tries to provoke fear, anger, or urgency, take a moment to pause and investigate the situation before acting.
- Something Seems Off: If the content of a message doesn’t align with a previous conversation, seems strange, or feels off in any way, take the time to verify its legitimacy by contacting the person through other channels.
- Details Don’t Fit: Watch out for messages with sending domains, addresses, or other details that are slightly off or contain extra numbers or characters. Investigate before clicking on any links.
- It’s “Too Good to Be True”: Be cautious of messages offering unrealistic benefits in exchange for clicks or sign-ups. Remember, if it sounds too good to be true… it probably is.
- Messages Contain Links or Downloads: Avoid clicking links or downloading files unless you can verify the sender or are expecting the message. Always confirm a link is safe before opening anything, especially at work.
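As an added illustration of the "Details Don't Fit" flag above (example code written for this page, not the article's own), here is a small Python check that folds common look-alike characters and compares a sender's domain against a constructed allow-list, flagging domains that match only after folding, that bury a trusted brand name inside another domain, or that differ by a character or two. The trusted domains and sample addresses are assumptions.

```python
import re
from difflib import SequenceMatcher  # standard library only

# Constructed allow-list: domains this reader genuinely expects mail from.
TRUSTED_DOMAINS = ("examplebank.com", "example-corp.com")
# Character swaps scammers use to make a domain look right at a glance.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot, and fold look-alike characters."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d

def sender_domain(address: str) -> str:
    """Extract the domain from 'user@host' or 'Display Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""

def classify(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sending address."""
    raw = sender_domain(address)
    if not raw:
        return "unknown"
    # The exact trusted domain, or a real subdomain of it, passes as-is.
    if any(raw == t or raw.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    folded = normalize(raw)
    for t in TRUSTED_DOMAINS:
        if folded == t or folded.endswith("." + t):
            return "lookalike"  # matches only after folding, e.g. examp1ebank.com
        if t.split(".")[0] in folded:
            return "lookalike"  # brand name buried inside another domain
        if SequenceMatcher(None, folded, t).ratio() >= 0.85:
            return "lookalike"  # a character or two added or changed
    return "unknown"

def review(addresses):
    """Map each constructed sample sender to its verdict."""
    return {a: classify(a) for a in addresses}

if __name__ == "__main__":  # constructed samples to walk through the check
    for addr, verdict in review([
        "alerts@examplebank.com", "Support <support@examp1ebank.com>",
        "billing@examplebank.com.secure-login.net", "hr@exarnple-corp.com",
        "newsletter@unrelated-shop.net",
    ]).items():
        print(f"{verdict:10} {addr}")
```

A "lookalike" verdict is a prompt to verify through a known-good channel, not proof of fraud; legitimate senders occasionally use odd but real domains.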
Protecting Yourself from Social Engineering Attacks
The key to stopping social engineering is to pause and think before reacting, as scammers rely on your impulsive responses.
Here are a few tips to safeguard yourself from social engineering attacks:
✓ Education and Awareness
Keep yourself informed about the latest social engineering techniques and scams. Share your knowledge with family, friends, and colleagues to create a security-conscious environment.
✓ Be Cautious
Always consider requests for information or help carefully, especially if they’re unusual or unexpected. When in doubt, contact the entity directly through trusted methods, like official phone numbers or websites.
✓ Maintain Strong Passwords
Use unique, complex passwords for all your online accounts, and enable two-factor authentication (2FA) when available for added security.
✓ Keep Software Updated
Regularly update your computer’s operating system, web browsers, and antivirus software to guard against known vulnerabilities and security threats.
✓ Secure Your Personal Information
Be mindful of the data you share on social media, as attackers can use this information to craft targeted social engineering attacks. Adjust privacy settings to limit personal information visibility to trusted contacts.
✓ Verify Caller Identity
If you receive a call from someone claiming to represent a reputable organization and requesting sensitive information, politely end the call and contact the organization through an official number to confirm the request’s legitimacy.
✓ Monitor Financial Accounts
Regularly review bank statements, credit card transactions, and credit reports for signs of fraud or unauthorized activity.
✓ Be Wary of Public Wi-Fi
Avoid using public Wi-Fi networks for sensitive tasks like online banking or shopping, as attackers can intercept data transmitted over these networks.
✓ Report Suspicious Activity
If you suspect you’ve been targeted by a social engineering attack or have fallen victim to one, report the incident to appropriate authorities, such as your local police department or the Federal Trade Commission (FTC).
By keeping informed about common scams, recognizing red flags, and adopting preventative measures, you can protect yourself and those around you from falling victim to social engineering attacks.