You receive an email from a website you regularly use asking you to click a link to change your password due to suspicious activity. You take a phone call from the IRS asking you to verify your bank account or social security number. You get a text saying a family member was in an accident and they need money for emergency room bills.
These requests appeal to your sense of trust and seem like legitimate things to ask of you, so there’s a good chance you’ll respond or comply. But beware; these are common social engineering scams, which are ploys to access your sensitive information or obtain money using psychological manipulation.
Educate Yourself
The best way to avoid being a victim of this type of attack is to recognize the signs and know how to protect yourself. Here are the most common social engineering scams:
Phishing, smishing, vishing. These words may sound like nonsense, but they’re all widely used ways to trick you into giving away your personal information. Phishing occurs when a scammer sends you an email with a seemingly legitimate link to click, such as an email requesting a password change. Once you click and enter your password, bank account number, or other sensitive information, scammers receive access—and you might not even realize it. Smishing is a similar scam via text, and vishing is via phone or voicemail.
Baiting or quid pro quo. As the term suggests, this method offers some form of bait to tempt you into divulging information or handing over money. It could be physical bait, such as a flash drive that seems legitimate, or digital bait, such as an enticing advertisement to click or a music download. In reality, these drives or links infect your computer with malware or direct you to insecure websites.
Quid pro quo uses a similar tactic whereby the scammer offers a service or monetary incentive in exchange for your information.
Piggybacking or tailgating. To carry out this type of attack, the perpetrator will try to gain physical access to a restricted space or device by following an authorized person. Think about a delivery driver asking you to hold a door open so they can deliver a package to someone in the building or an innocent-seeming stranger at a coffee shop asking to borrow your phone or laptop to look up information. Once given access, the scammer can steal your private information in a short amount of time.
Scareware. Social engineering scams aim to make you act quickly based on emotion, and this form of attack does exactly that. You’re working on your laptop and suddenly see a pop-up warning you that your computer has multiple viruses. It instructs you to download software immediately to protect your personal information and files. This is how they put the scare in scareware. It’s natural to click as quickly as possible to prevent the issue from worsening; however, by doing so, you’ve exposed your computer to the malware you were trying to avoid.
Scammers are hoping you’ll panic and react quickly, but if you pause for a moment you’ll probably be able to spot an attack. Look for misspellings, lots of exclamation points, altered logos, or unprofessional words that a software company likely wouldn’t use. If you see one of these pop-ups, don’t click it—don’t even click the “X” button to close it. Instead, close your browser window and force quit through the task manager (Ctrl + Alt + Delete on Windows).
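The cues above (a link whose visible text does not match where it really goes, a lookalike domain, exclamation points, urgency language) can be checked mechanically. The following is an added example, not code from the original article: a small Python checker that parses an HTML email body and reports those warning signs. The sample email body, the list of known-good domains, and the urgency word list are all constructed for the example, and the "registrable domain" helper is a deliberately crude last-two-labels approximation rather than a real public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what a suspicious "password reset" email body might look like.
SAMPLE_EMAIL = """
<p>URGENT!!! Suspicious activity was detected on your account.</p>
<p>Click <a href="http://examplebank.com-secure-login.example/reset">https://www.examplebank.com/reset</a>
to change your password immediately!!!</p>
"""

# Assumption: the domains the reader knows really belong to the site in question.
KNOWN_GOOD_DOMAINS = {"examplebank.com"}

# Constructed list of pressure words that scams lean on to make you act fast.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify now")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.x.y' text is treated as http://www.x.y."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def registrable_domain(host):
    """Crude approximation (assumption: no public-suffix list): last two labels."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_email(html, known_good=KNOWN_GOOD_DOMAINS):
    """Return a list of human-readable warning signs found in an HTML email body."""
    findings = []
    parser = _LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        target = host_of(href)
        target_dom = registrable_domain(target)
        # Visible text that looks like a URL but actually points elsewhere.
        if re.match(r"^(https?://|www\.)", text):
            shown = registrable_domain(host_of(text))
            if shown != target_dom:
                findings.append(f"link text shows {shown} but goes to {target}")
        # Hostname borrows a known brand name but is not the brand's real domain.
        for good in known_good:
            brand = good.split(".")[0]
            if brand in target and target_dom not in known_good:
                findings.append(f"lookalike host {target} uses brand '{brand}'")
    # Strip tags and look at the plain wording for pressure tactics.
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    if plain.count("!") >= 3:
        findings.append("excessive exclamation points")
    hits = [word for word in URGENCY_WORDS if word in plain]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("-", finding)
```

A genuine notification from the same site (link text and destination both on examplebank.com, no pressure wording) produces an empty list, which is the point of the check: none of these cues alone proves a scam, but a message that trips several of them deserves the pause the article recommends before you click anything.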
Recognize the Tactics
Overall, the best way to stay safe from social engineering scams is to recognize these tactics, verify information and sources before acting, and avoid clicking or acting quickly based on emotion. Remain calm, evaluate the originator of any request for money or information, and don’t comply until you’re sure the request is legitimate.