Hackers might be able to break into computers, but well-trained attackers can trick you into willingly giving them information and money. These types of tricks are commonly called social engineering. When a person or company says they got hacked, there's usually an element of non-technical trickery involved.
Learning how to detect various types of social engineering can help protect you from the latest scams and most common types of fraud. And as artificial intelligence (AI) tools become more mainstream, you'll have to be increasingly vigilant and aware of these types of threats.
What Is Social Engineering?
Scammers and fraudsters have used different types of psychological manipulation to con victims for hundreds of years. Today, social engineering is the broad term for the techniques that criminals use to gain your trust and trick you into taking an action for their benefit.
The term is most commonly used within cybersecurity when describing deception that takes place online or over the phone. For example, cybercriminals might use social engineering to try to get you to click on a link, give them your password, send them money or share your personal information.
How Does Social Engineering Work?
Social engineering often uses a combination of core techniques:
- Build trust: They do this either by interacting with you over time and slowly building a relationship or by imitating a person or organization that you already trust.
- Instill fear: This is often done by impersonating an authority, such as a police officer or the IRS, or by "warning" you about something bad that could happen.
- Rely on reciprocity: They might start by giving you a gift, or promise to give you something, so you feel like you owe them something in return.
- Create urgency: You might not take the time to think through the rational options if you rush to make a decision.
The resulting attacks can play out in different ways—and there are always new versions and angles. But there is a common four-step process to social engineering-based attacks.
- Research: The attackers might update their messaging or approach to include a topical subject, such as the pandemic or student loan forgiveness. Some more targeted attacks could involve heavily researching an individual to learn more about their business, job, life, family and friends.
- Contact: The initial contact might come from a call, text, email or message on social media. Alternatively, some start when the attackers place an ad for a product, service or job and wait for you to reach out.
- Interaction: Depending on the complexity of the attack, the interaction and request might take place within a few hours. With the common puppy scam, the "seller" might share a few details and ask you to quickly send them a deposit. But romance scams can play out for months or years as the scammer builds a trusting relationship and then asks you for financial help.
- Move on: Once the attacker gets what they want—perhaps access to your company's computer network or money from your bank account—they move on to the next victim.
3 Common Attacks and Scams Involving Social Engineering
Social engineering is often a component of a cyberattack or scam, but it's only part of the process. Many attackers also use technology to make their hoaxes more believable.
1. Phishing, Vishing and Smishing Attacks
These three types of attacks refer to the delivery method—phishing (email), vishing (phone call) or smishing (text).
Sometimes, these are delivered with mass emails, messages and robocalls using an untargeted approach in hopes of finding unsuspecting victims. But there are also more targeted attacks that rely on in-depth research. With spear phishing emails, the attackers might use the personal details they learn about someone to create a well-crafted and believable email.
Attackers often use email or call spoofing to make it look like the email, phone call or text is coming from someone else, such as a well-known company, government agency or family member. That's where social engineering comes in.
For example, you might ignore an email from an unknown sender asking you to click on a link. But if your best friend emails you and tells you to check out some pictures, you might click on the link without thinking.
If the spammer sent a spoofed email, the link might send you to a website that installs malware on your device that records everything you type.
2. Peer-to-Peer Payment Scams
Using peer-to-peer (P2P) payment services, such as Venmo and Zelle, can be convenient when you're sending money to friends and family. But scammers also use them to trick you into sending them money.
Some of these financial scams start with a smishing text that looks like it's coming from a bank or credit card issuer and warns you that your account was compromised. The scammers are building trust and creating a sense of urgency.
If you're asked to call them back and confirm your information, you're actually sharing your private information with a scammer. Or they might walk you through returning the funds, but you're actually sending money directly to their account.
3. Tricking Company Representatives
Rather than targeting victims directly, some attackers use stolen personal information to impersonate you and trick company representatives into giving them control of your accounts.
For example, they might trick a phone carrier representative into giving them control of your phone number. They can then receive the authentication codes that get sent to your phone and reset your passwords or break into your other accounts.
How to Protect Yourself From Social Engineering
Because social engineering relies on psychological manipulation, learning to detect and avoid these cons is the best way to stay safe. But it's not easy. Attackers make a full-time job out of deceiving people, and they sometimes even dupe cybersecurity and fraud experts.
Here are a few steps you can take to stop social engineering attacks, and technology that you can use to help keep yourself safe.
- Be extra cautious if you feel scared or pressured. Attackers often imitate authority figures to scare victims or offer a limited-time opportunity to create a sense of urgency. If you're feeling scared or pressured, take a deep breath and pause—consider calling a trusted family member or friend for a second opinion. The person might claim to work for your bank, the police or another government agency. But these scams are common enough that legitimate employees will understand if you want to hang up and call them back. Don't use the number they provide, though; look it up on your own.
- Don't trust the name on an email or caller ID. Attackers can spoof these names and turn them into almost anything. It's always safest to look up a person's or organization's contact information and reach out to them for clarification.
- Know that AI can mimic your friends and family. AI tools are enabling new twists on classic scams. For example, in the grandparent scam, the scammer calls and claims to be a grandchild (or other family member or friend) in distress. They ask you to be discreet and quickly send them money to help. The AI twist is that scammers can now use AI and a few minutes of recordings from social media posts to recreate someone's voice.
- AI tools can generate profile pictures and messages. Scammers can also use AI to create headshots, images and well-written messages or emails. Be skeptical of people who contact you and ask for something, even if they look and sound legitimate.
- Keep your devices updated. Regularly updating your computer and phone will install the latest security patches, which can help protect you from malware. You can also install and use antivirus software for extra protection.
- Don't immediately click on links. Even if it looks like a family member or friend emailed, texted or directly messaged you the link, don't click it right away. If you weren't expecting the message or haven't heard from the person in a long time, it's often best not to click it.
- Use unique passwords and multifactor authentication. If someone tricks you into sharing one of your passwords, you don't want them to use it to access all of your accounts. Creating unique passwords can help protect you, and you can do this easily with a password manager. Also, enable multifactor authentication (MFA), which can help keep someone out of your account even if they have your password.
- Don't send someone money if they insist on specific payment methods. Scammers tend to ask you to send money by gift card, wire transfer, cryptocurrency or P2P app because it can be difficult to reverse these transactions. If the person insists that you have to use a specific type of payment method, that could be a red flag that it's a scam.
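As an added illustration of the "don't trust the name on an email" advice above (example code, not from the original article): the display name in a From header is free text chosen by the sender, so this Python snippet compares it with the address you actually have on file for that person and reads the receiving mail server's Authentication-Results header (SPF, DKIM and DMARC verdicts). The message, addresses and verdicts are all constructed for the example.

```python
"""Added example, not from the original article: a spoofed display name
("Best Friend") next to an address and authentication results that do not
match. All headers and addresses below are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email) with a spoofed display name.
SAMPLE_EMAIL = """From: Best Friend <payments@example-lookalike.test>
To: you@example.org
Subject: check out these pictures!
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example-lookalike.test; dkim=none; dmarc=fail header.from=example-lookalike.test

Hey, here are the pictures from the weekend: http://example-lookalike.test/photos
"""

def sender_parts(raw):
    """Return (display_name, address, domain) taken from the From header."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain

def auth_results(raw):
    """Parse the Authentication-Results header into {method: verdict}."""
    msg = message_from_string(raw)
    header = msg.get("Authentication-Results", "")
    results = {}
    for part in header.split(";")[1:]:  # first part is the verifying host
        part = part.strip()
        if "=" in part:
            method, verdict = part.split("=", 1)
            results[method.strip().lower()] = verdict.split()[0].lower()
    return results

def red_flags(raw, known_contacts):
    """List reasons not to trust the message. known_contacts maps the name
    you know a person by to the email address you already have for them."""
    flags = []
    name, addr, _domain = sender_parts(raw)
    expected = known_contacts.get(name)
    if expected and expected.lower() != addr.lower():
        flags.append(f"display name '{name}' but address is {addr}, not {expected}")
    auth = auth_results(raw)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            flags.append(f"{method} did not pass ({auth.get(method, 'missing')})")
    return flags
```

Run `red_flags(SAMPLE_EMAIL, {"Best Friend": "friend@example.org"})` to see the four reasons this message should be looked up and verified out of band rather than clicked.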
Monitor Your Personal Information and Identity
You can also try to understand and limit how much personal information attackers can access. They can use this during their research phase to create more believable scenarios—so it's important to know what's out there.
You can get a free dark web scan and free privacy scan to see what information attackers may be able to buy or access online. If you're worried about identity theft, you could also look into identity protection programs, such as Experian Premium or Family memberships, that include access to regular monitoring tools and fraud resolution specialists.