It’s more convenient than ever to work, keep in touch with friends and family, and handle everyday tasks like depositing a check or buying groceries digitally. The tradeoff is that we must entrust our sensitive personal information to many different websites and apps in order to use them. Scammers target exactly this relationship through deception known as “Social Engineering,” and this article is meant to help you identify it and react to it.
What is Social Engineering?
Social engineering is the act of convincing an individual through deception to give up sensitive information or take actions that can lead to fraudulent activity. A social engineering scam targets our human nature rather than technical vulnerabilities.
What Are Some Common Types of Social Engineering Scams?
By recognizing possible warning signs and understanding the following social engineering techniques scammers often employ, you can strengthen your defenses to protect your personal information. These common techniques include:
- Phishing: Scammers send fraudulent emails or messages to trick recipients into giving up sensitive information or opening malicious content. For example, an email that appears to be from your credit union but contains links leading to a fake copy of the credit union’s login screen, built to capture your username and password.
- Vishing: A phone scam in which a scammer calls you posing as a representative of a reputable organization (often a financial institution) and requests your personal information. They will often try to create a sense of panic and urgency so that you hand over sensitive information without thinking it through.
- Pretexting: A scammer creates a false scenario in which they need your “help” in order to obtain your information or gain access to your accounts. For instance, you receive a call from someone pretending to be a coworker in another department who is about to head into an urgent meeting and needs sensitive data right away.
- Baiting: Scammers use a false promise or offer to lure people into a trap. This could take the form of a USB drive with a false label reading “master password list” left in a public area, tempting someone to plug it into a computer and unknowingly install malware on their system.
- Tailgating: An unauthorized person follows someone with authorization into a restricted area. This could be someone lingering by the entrance to your office until you swipe your keycard, then slipping in behind you.
How Can You Identify Social Engineering Scams?
Here are a few questions you can ask yourself if you feel someone might be trying to trick you using a social engineering scam:
- Is the tone of this interaction attempting to provoke fear or anxiety in me?
- Am I expecting to hear from this person, and is it someone who contacts me regularly?
- Is every detail of the message and the sender’s signature error-free, and is it written and styled like previous interactions with them?
- When I hover over the links, does the actual destination point to the legitimate website of the company or institution the sender claims to represent?
- Are they asking for a response containing a password or other personal information that they should already have?
Trust your instincts. If a message or situation seems suspicious, make sure to report it.
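The hover check above, and the fake-login-page phishing example in the list of techniques, both come down to the same question: does the link’s real destination match what it claims to be? The following is an added example written for this article (not code from the original page or from any credit union) that applies that check automatically to the links in an HTML email body. The domain allow-list, the sample email and its link addresses are all constructed for illustration.

```python
"""Flag suspicious links in an HTML email body: compare the visible link text
with the real destination (the href you see when hovering) and check that
destination against an allow-list of domains the organization really uses.
Added example with constructed data; not taken from the original article."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only domain our (hypothetical) credit union really uses.
LEGITIMATE_DOMAINS = {"examplecu.org"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    """Reduce a hostname to its last two labels (login.examplecu.org -> examplecu.org).
    This also unmasks examplecu.org.evil.example -> evil.example. Multi-part
    public suffixes such as .co.uk would need the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _host_from_text(text):
    """If the visible link text looks like a URL or bare domain, return its host."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "https://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def check_link(href, text, legitimate_domains=LEGITIMATE_DOMAINS):
    """Return the reasons a link looks suspicious; an empty list means it passed."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("not https")
    if parsed.username is not None:
        reasons.append("credentials embedded before the host")
    if _is_ip(host):
        reasons.append("destination is a raw IP address")
    elif registered_domain(host) not in legitimate_domains:
        reasons.append(f"destination domain {registered_domain(host)!r} is not on the allow-list")
    shown = _host_from_text(text)  # what the reader sees vs. where it really goes
    if shown and registered_domain(shown) != registered_domain(host):
        reasons.append(f"displayed {shown!r} but points to {host!r}")
    return reasons


def check_email_links(html, legitimate_domains=LEGITIMATE_DOMAINS):
    return [(href, text, check_link(href, text, legitimate_domains))
            for href, text in extract_links(html)]


# Constructed sample email body: one genuine link and two common lure patterns.
SAMPLE_EMAIL = """
<p>Please sign in to confirm your account.</p>
<a href="https://online.examplecu.org/login">Sign in</a>
<a href="http://online.examplecu.org.secure-update.example/verify">https://online.examplecu.org/login</a>
<a href="https://203.0.113.5/login">Verify now</a>
"""

if __name__ == "__main__":
    for href, text, reasons in check_email_links(SAMPLE_EMAIL):
        print(href, "->", "OK" if not reasons else "; ".join(reasons))
```

Run as a script, it reports the first link as OK and flags the other two. The second link shows exactly what the hover test is meant to catch: the visible text reads like the credit union’s login page, but the real destination is a look-alike hostname whose registered domain is something else entirely. A mail gateway or user-reporting tool could run the same comparison on every inbound message; on the human side, the equivalent is simply reading the hovered address from right to left and checking the part just before the first slash.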
What Should You Do if You Encounter a Social Engineering Scam?
The first thing is to stay calm and use your critical thinking. These scams rely on pushing people into hasty actions amid urgent, frightening situations, so do not act immediately. Real organizations will rarely use fear or threats in their communication with you. Do not click on any suspicious links, and do not give up any personal information over the phone or by email when the other party initiated the contact (i.e., they emailed or called you). If you’re concerned that a call from your financial institution may be a scam, hang up and contact them on a trusted number (e.g., the public number listed on their legitimate website). Do not call a number they give you as a call-back number, because that could be part of the scam as well.
Next, report any suspicious activity to your IT security team at work and to the financial institution or other business the scammers were impersonating.
Finally, make sure to change any passwords to accounts you think may be compromised.