What is Social Engineering and How Do You Prevent It?

Cybercriminal tries to scam victim in social engineering tactic
Click here for a quick guide to social engineering
A Quick Guide: What is Social Engineering and How Do You Prevent It?

In cybercrime, social engineering is a manipulation technique that bad actors use to get personal information from victims. This could be passwords, login data, credit cards, or account numbers. Cybercriminals often pose as customer service, technical support representatives, or even new employees and authority figures to get what they want.

As the world moves more and more online, it’s more important than ever to recognize the scams and techniques that these crooks use.

Popular social engineering tricks include:

  • Phishing emails from friends and trust sources
  • Vishing calls from phony customer and tech support
  • Fraudulent smishing SMS messages 
  • Baiting with free offers
  • Pretexting
  • Quid Pro Quo
  • Piggybacking and tailgating

To learn more about social engineering and how to protect yourself, read the full article below.

In the world of cybercrime, black-hatted crooks are always after sensitive data like passwords and account login credentials. They also try to urge victims to take action in haste, like send money or make transfers of Bitcoin or other hard-to-trace cryptocurrencies.

Rather than actually hacking exploits in computer networks or systems, criminals can do this by preying on a victim’s trust. This act of manipulation is called social engineering, and it has been proven to be a very successful (and much easier) way for criminals to get what they want.

As our lives become more and more digitized, social engineering tricks and tactics have become more sophisticated and harder to spot. In this article, we’ll delve into how social engineering works, some common scams and cons to look out for, and how you can protect yourself and your business.

How Does Social Engineering Work?

In a social engineering attack, a cybercriminal will interact with victims and gain their trust in order to obtain sensitive data or get them to perform an act they might not otherwise do.

If they’re trying to infiltrate a corporate network, con artists might pose as tech support, a new employee, or a person of authority. If they’re looking to drain individual bank or cryptocurrency accounts, cybercriminals might pose as customer service representatives.

The end goal for scammers is to ask questions, engage in conversation, and squeeze sensitive information like passwords or login credentials out of targets. In social engineering, the bad actor could also be trying to pry out other information like names, positions, and company or private knowledge to use on other victims, furthering their credibility.

Examples of Social Engineering Attacks

Social engineering attacks usually come in the form of emails, phone calls, text messages, and sometimes face-to-face interaction. Whatever the means of communication, social engineering attacks tend to have a sense of urgency, fear, or some other strong emotion connected to them. The aim is to push victims to take action without careful thought.

When flustered, victims might do a number of things without fully thinking the situation through:

  • Hand over personal or company data
  • Give up passwords, login credentials, or multifactor authorization codes
  • Click a malicious link
  • Download a malicious file
  • Send money, gift cards, or cryptocurrency to a fraudulent account
  • Give remote access control of a computer

In social engineering attacks, it’s estimated that 70% to 90% start with phishing. Here are a few examples:

1. Phishing emails or messages from a friend or contact

The domino effect that social engineering can cause is alarming. Once a social engineer has successfully hacked someone’s email or social media account, they’ve got access to the victim’s entire contact list. Now, the cycle continues as the cybercriminal tries to compromise all of the accounts on that person’s contact list.

While the details of attacks are limited to the perpetrator’s imagination, researchers and cybersecurity experts have picked up on some recurring social engineering techniques and ideas.

  • Urgent help: Your “friend” or contact is stuck in another country. They’ve either been robbed or injured in an accident and need financial help. People who respond might be asked to click malicious links or downloads, send money or Bitcoin, or could be guided to a fraudulent site where they’ll enter sensitive data the scammer can steal.
  • Request from boss or co-workers: A scammer could ask about invoices or company credit card details, upcoming projects, or anything connected to company business. Sometimes “bosses” will ask their workers to get gift cards that they can hand out as company perks.
  • Please donate to charity: A compromised email might ask you to donate to a charity that is helping with a timely topic or issue. Those with soft hearts might send money to a phony charity or click a malicious link, which will then subject them to malware or redirect them to a spoofed charity site.

2. Phishing emails from trusted sources

phishing-hool-with-passwordIn social engineering, scammers might impersonate representatives from banks, financial institutions, government entities, law firms, or popular sites like Amazon, Netflix, or PayPal. If a victim replies to one of these emails, the fraudster on the other end might dupe them into providing names, account numbers, addresses, or social security numbers.

Cybercriminals have become quite talented at recreating websites and can redirect targets to spoofed sites where they’ll enter these credentials.

Here are a few common phishing techniques:

  • Response to your inquiry: Fraudsters will pose as huge companies or services that millions of consumers use every day and “Respond to your question.” Since they’re casting such a wide net through phishing campaigns, some users who actually asked questions or have been having issues and want to jump on the opportunity might respond.
  • We need verification: Imposters from legitimate-looking sites may ask for account verification. You’ll be asked to provide information via email, or redirected to a spoofed form on a malicious website. Talented hackers can copy logos, banners and make a website look like the real deal, so victims may not hesitate to enter sensitive data.
  • Government and legal requests: Victims have reported receiving fake emails from real law firms or government entities, requiring their appearance in court. The email will request that the target click a link to confirm they received the notice. Scammers might also instill alarm by issuing unpaid or overdue taxes.
  • You’re a winner: Whether it’s the lottery, an inheritance from an unknown relative, or an accidental overpayment, victims come out a loser instead. One recent scam targets people that have ads for services or items up for sale. The scammer sends a check for too much money and asks the mark to send back the difference. Since the check is fraudulent, it bounces when cashed and the victim is out the difference.

Here’s a prime example of a phishing email from scammers pretending to be Amazon:

Screenshot of an Amazon Phishing Email

3. Vishing and “smishing” attacks (voice and SMS text phishing)

smartphone-with-telephone-iconSome phishing emails will request that you call or text customer support, tech support, or company department numbers. Fraudsters can create these false customer support phone numbers for banks or financial apps and go hunting for targets. Through spam emails and phishing attempts, they’ll try to bait victims with phony security alerts or customer service queries.

On the other end of the line is a bold, social engineering criminal looking to run a scam and steal your information.

But scammers can also call or text you. Outbound calls are especially dangerous because fraudsters can spoof real customer support numbers from legitimate companies and organizations. You might get a call or SMS from “your bank,” financial apps, or other services you use. Never provide any confidential information when a representative calls you by phone.

4. Spear phishing attack

These scams are much more personalized, making the target all the more likely to fall into the trap. In spear phishing attacks, the perpetrator hones in on one specific mark — likely someone who has a strong presence online — by thoroughly researching them on Google and sifting through their social media accounts.

Think about it like this: a person recently posted that they were at their mobile phone provider getting a new device upgrade. The phisher could use that information to craft a spear phishing email using the mobile provider’s logos, the device they purchased, and any other information they gathered.

Or they could call the target in a vishing attack and try to pull out credit card numbers or other account information. If a phisher goes after a high-profile target, like a celebrity, CEO, or higher-ups in a company, it’s called whale phishing.

Common Social Engineering Techniques

Since social engineering comes largely in the form of phishing, it’s important to be aware of the different techniques and nuances during attacks. Whatever ideas that hackers can come up with are the limits to the attacks.

Through emails, phone calls, text messages, and face-to-face communication, these crooks are able to pull out all kinds of information from unsuspecting victims using different methods.

Here are a few examples that experts and researchers have uncovered:

Baiting

Cybercriminals have been known to leave USBs loaded with malware around offices, coffee shops, and libraries or even hand them out at work conferences. While targets think they’re getting free storage drives, they could be unknowingly downloading remote access trojan (RAT) malware or ransomware onto their systems or devices.

This concept is known as baiting, and hackers usually prefer baiting because it’s so effective. In emails, calls, and texts, scammers try to bait targets to click malicious links or download virus-loaded files with offers of free gift cards, music, movies, or other enticing gifts. Baiting in this case is quite similar to phishing.

Sometimes they also use the baiting technique in reverse, by making it seem like you’re going to lose money if you don’t act. A good example of a reverse-baiting phishing email is this one:

Screenshot of a Norton360 Phishing Email

This email uses a trusted name (Norton) and believable yet fake invoice numbers. It also creates a sense of urgency by setting a deadline and stating that you have to act if you don’t want to lose money. The message even makes it seem valid by adding a phone number. However, the layout, spelling errors, and the fact that the recipient, in this case, didn’t order Norton 360 are clear signs that this is a fake phishing email.

Pretexting

This is when the scammer has created a story, or pretext, that they want the target to fall for.

Generally, victims are approached by someone posing as a person of power, such as law enforcement, company executives, or auditors — someone who has the authority to access login credentials or sensitive data. This illusion of power might make a victim feel obligated to hand over sensitive data.

Imagine you’re a new employee at a company and someone pretending to be the CEO or head of IT calls you up or emails you. You’re more likely to give up sensitive login information to the corporate network during a “credential check” from someone in authority.

Quid Pro Quo

This technique is used when targets actually need something. Once a phishing target has been successfully acquired — say the cybercriminal has been looking for a worker that actually needs tech support — they try to offer their service in exchange for sensitive data.

A hacker posing as IT support could be hunting for someone who’s been having a common problem, like logging into the company’s VPN. Once they’ve found their mark, the attacker could easily “take care of their technical problem” if they give them remote access to their computer, or provides their login credentials.

Piggybacking and Tailgating

These are social engineering techniques that occur in person or electronically. If a malicious actor wants access to a restricted area or to pass through security checkpoints, he or she comes along with someone who has the authorization.

They could do this by tricking a target into thinking they’re someone they’re not. A target might be more apt to let a security guard tag along into a secured area, or a cybersecurity official walk them through logins.

Tailgating is similar, but the authorized person isn’t aware they’re being followed. This could be something as simple as physically sticking their foot in a door before it’s closed, or complex as hacking and tracking the activity of an online user.

How to Protect Yourself Against Social Engineering Attacks

While social engineering and phishing attacks are widespread and can be devastating for individuals and companies, there are measures you can take to protect yourself and your company. Here are some tips:

  1. Relax and slow down: If you receive an email that needs you to act right at the moment, and you feel uncomfortable moving so fast, make sure to slow down and breathe. These cybercriminals need you to act without thinking so you make a mistake before you’ve had time to consider the situation. Take time to think over the scenario and see if it’s legitimate. Never rush into giving away information.
  2. Avoid suspicious links and downloads: Be wary of clicking links and downloads. When hackers copycat sites, they can change something very minor in the URL — like adding a zero instead of the letter “O” — which could redirect you to a spoofed site. Also, never download anything unless you know the sender and are expecting it.
  3. Double-check emails and support numbers: If you receive an email from a service, company, or institution that you use, do a quick Google check to make sure the numbers and emails match up. Some services, like PayPal, have a list of common scams and disclaimers saying they will never ask for sensitive information like passwords, logins, or credit card numbers.
  4. Type it yourself: To protect yourself, it’s a good idea to manually type the name of the website in question into your browser to ensure you get to the right one. This will also allow you to access the real site, where you can check if it’s a legitimate notification regarding your account.
  5. Hijacked emails and social media accounts are common: These days, it’s not rare to get emails or malicious messages from people you know and trust. Pay attention to the wording and spelling, and make sure it really sounds like the person it’s coming from. If they only send a link or download, it’s best not to click. You might get an email or message later saying their account had been compromised.
  6. Be wary of people you don’t know: Don’t take people at face value. If someone you don’t know injects themselves into your life or work and seems to be looking for personal information or sensitive data, wait until someone verifies who they are. Double-check with friends or coworkers to make sure they are who they say they are.

Technical tips for avoiding social engineering attacks

The best line of defense against social engineering attacks is to learn how to recognize and steer clear of them. But if you happen to run into any of these scam communications, there are other ways you can protect yourself. Here’s what you can do:

  1. Set your spam filters high: Scam emails that make their way into your primary inbox can be alarming and prompt you to act faster. Make sure your filter settings are on high. Then do regular checks in your spam folder to make sure legitimate emails didn’t end up there by mistake.
  2. Delete emails asking for private information: It’s best not to respond. If you get an email asking to provide a password, login information, or credit card number, the safest thing to do is delete it. Legitimate companies and organizations should never ask you to reply with that information by email.
  3. Delete emails offering help: If you didn’t specifically ask customer support for help, don’t reply.
  4. Delete emails asking for help: It’s always better to seek out your own charitable organizations and causes that you’d like to donate to. Scammers often use current events and causes to prey on kind-hearted individuals.
  5. Use available security tools: Firewalls, antivirus software, and anti-spyware software can offer an extra layer of protection against threats. If you wind up on a malicious page, good protective services won’t let you access the site and will block connections. Likewise, if you accidentally click a malicious link and start a malware download, solid antivirus software will quarantine and delete the threat.

What Information are Social Engineering Scams Looking For?

Con artists are constantly trying to think of ways to get you to respond in the heat of the moment. It’s a good idea to think like a crook and remember exactly what these scammers are after. In the end, the goal is often the same. They might want:

  • Your login info and passwords: Never give your login information or passwords for “verification” over the phone or in an email. These credentials should only be entered in secured parts of legitimate websites.
  • To send money or cryptocurrency: Whether it’s a “friend” stuck in a tough situation or a company representative asking for account verification, never make a transfer unless you know the person and have been planning to send them money.
  • Remote access: Cybercriminals often request remote access to your device to “fix an issue” you might have. You should never give anyone remote access to your device, especially not someone who contacted you out of nowhere.
  • Two-factor/multifactor authentication info: Fraudsters could be hunting for 2FA codes or passwords to access your account. Never give these up. They’re there to offer an extra wall of protection in case your passwords are compromised.
  • Your personal information: If a social engineer can’t get any of the above information, they’ll be more than happy to obtain all sorts of other information. Security questions for lost passwords are often things like children and pet names, schools you attended, or jobs you’ve worked at — all of which the cybercriminal can use against you. Scammers can also get information about a company to make themselves more believable when trying to breach a corporate network.

Even Bigger Companies are at Risk of Social Engineering Attacks

Twitter Logo SmartphoneEven companies with the highest level of cybersecurity training and technical know-how can fall victim to these kinds of tactics. When hackers breached Twitter in 2020 and ran an unprecedented Bitcoin scam on users, they used social engineering to infiltrate Twitter’s administrative network.

Instead of exploiting technical vulnerabilities, cybercriminals took it to a human level and, posing as Twitter IT support, offered to fix a common VPN issue that Twitter employees had been facing. Hackers directed a high-ranking employee to a fraudulent phishing site and persuaded them to enter their login credentials.

Simultaneously, the hackers entered the credentials into the real Twitter site. When prompted with two-factor authentication, the employee complied, and hackers had access to one of the largest social media platforms in the world. In today’s increasingly dangerous online world, it’s more important than ever to recognize threats and know how to protect yourself and your business.

What is Social Engineering and How Do You Prevent It? | Frequently Asked Questions

Do you have some questions about social engineering and how to prevent it from happening to you or your company? Click on one of our frequently asked questions below to find the answer.

Social engineering is a manipulation technique that cybercriminals use to get personal information from victims. They’re often looking for passwords, login data, credit cards, or account numbers. Cybercriminals can impersonate customer service or technical support representatives, or even pretend to be new employees and authority figures to obtain the data they’re looking for. Learn how to keep yourself safe from such attacks.

In social engineering phishing attacks, cybercriminals send out countless emails in hopes of baiting a victim. These are usually “responses” to customer service and tech support requests, or “security alerts.” Once a target falls for the email, the cybercriminal engages in communication, gains their trust, and tries to pry sensitive data from them. Luckily, you can recognize and prevent social engineering attacks.

Hackers using social engineering typically engage and communicate with victims and gain their trust. They impersonate individuals that targets are willing to share their personal data with, like tech support, customer service, or even friends, family, and co-workers. Hackers mainly try to gain access to financial accounts, like PayPal. However, it’s easy to secure your PayPal account.

There are several red flags for recognizing social engineering attacks. Here are a few:

  • They typically have a sense of urgency or try to instill some kind of strong emotion.
  • They pressure the reader to take action immediately, in the hopes the victim acts before they’ve had time to think.
  • They might pretend to be technical support or customer service, contacting you via calls or emails you didn’t request.

For a deep dive, read our full article on how to protect yourself from social engineering attacks.

Cybercriminals typically use baiting, pretexting, and quid pro quo as techniques in social engineering attacks.

  1. Baiting is dangling something enticing in front of a victim, like gift cards or free music, to get their account information.
  2. Pretexting is creating a story or background that tricks the victim into thinking the cybercriminal is someone they’re not.
  3. Quid pro quo means “something for something,” like when a hacker poses as tech support and can “fix a problem” if the victim provides remote access to their device.

These are also some of the most commonly used PayPal scams.

Tech journalist
Taylor is a tech writer and online journalist with a special interest in cybersecurity and online privacy. He’s covered everything from sports and crime, to explosive startups, AI, cybercrime, FinTech, and cryptocurrency. For VPNOverview.com he follows news and developments in online privacy, cybersecurity, and internet freedom.