It is a beautiful day and you have just come to the end of a brisk walk along the bayou. You sit down on a bench to check your email and are stunned to see an urgent message from your financial institution. The message says your account has been compromised and you need to reach out immediately to protect it. There is a phone number listed, so you call and speak to a representative who puts you at ease and assures you he will take care of you and help fix the problem. He then asks you to visit a website to download software that will allow him to assist you. He is convincing, professional, knowledgeable, and sympathetic. You comply. He then asks you to log into your account, which provides the scammer with your username and password.
It is a scenario that plays out every day, with billions lost every year – and it is called social engineering. Social engineering relies on personal interaction or human error to facilitate an attack, and it comes in many forms, such as emails, phone calls, text messages, and more.
Types of social engineering
Phishing – Because it is so successful, phishing attempts using email and text messages are the most popular social engineering tactics criminals use. They typically begin with an urgent message designed to get you to act quickly before you have time to think through the authenticity of the sender or the message. The messages are often customized specifically for you to be even more convincing.
Spoofing – These are emails or messages that appear to be from a trusted source but originate elsewhere. Because you believe you have a personal connection to the sender, you are less likely to be suspicious when a "friend" asks for help.
Baiting – When an offer is too good to be true, it is usually bait. Baiting involves offering something you want, such as a prize or a great price on a product. It can also be something as simple as a flash drive left in a public space to tempt you to pick it up and plug it into your computer to see what is on it. Either way, the lure leads you to inadvertently install malicious software.
Pretexting – Pretexting involves inventing a scenario to target you. For example, you receive a fictional response to a question you never asked or an offer of assistance for a problem you never reported. This is a way to initiate an interaction with you and prompt you to act, either to uncover how your identity became associated with the inquiry or because the offer of help makes you think you could benefit from it.
Protecting yourself from social engineering
Social engineering attacks are successful because they involve human emotions. For this reason, always keep the following tips in mind:
Think first and act later. Take the time to think through every message you receive, especially if it uses urgent language.
Do your research. Do some digging into the email sender and the company they supposedly represent. Remember, criminals can make messages appear to be from virtually anyone. Contact the organization directly using a phone number you can verify.
Do not click links. If you feel the need to investigate the content the message describes, try to find it on your own via a website you can verify. Do not download any software or open attachments if you are in doubt.
Be suspicious. Email accounts can be hacked, so even when the sender’s address is legitimate, it does not mean the sender is. View every message that asks for action with suspicion and caution. When visiting websites, look for the padlock symbol in the address bar, which indicates the site is safe, and be sure the website address is spelled correctly. Watch for poor grammar and spelling mistakes, as well. In other words, if anything seems off, question it.
Do not share personal information. Emails asking for personal information, such as an account number, username, or password, are almost always scams.
Use tech to your advantage. Employ spam filters, virus protection, firewalls, and malware protection – and keep your devices' operating systems and built-in security features up to date. Scan your devices regularly for any issues as well.
For more tips on staying safe online, visit our Security and Fraud Protection Center.