
How to recognise and prevent social engineering attacks

05 February 2025


Imagine this. You get a call from “tech support” claiming there’s a virus on your device. They sound convincing, they know your name, maybe even your employee ID. They ask for remote access to “fix” the issue. You panic. Nobody wants a virus after all. But wait… are they really who they say they are?

Welcome to the world of social engineering attacks, where cybercriminals don’t need to hack computers; they hack people. Social engineering isn’t just about phishing emails. It’s a psychological game in which attackers manipulate trust to steal sensitive information.

Let’s explore the most common (and sneakiest) tactics and, most importantly, how you can stay one step ahead.

What is social engineering?

Social engineering is a type of cyberattack that relies on manipulating people rather than exploiting technical weaknesses. Instead of breaking through firewalls, attackers trick people into revealing passwords, sending money or granting access to secure systems.

Here is a list of key characteristics of social engineering attacks:

  • Exploiting emotions like fear, urgency, curiosity or trust
  • Masquerading as a trusted individual or organisation
  • Creating scenarios that pressure the victim into acting quickly
  • Using public information, such as social media posts, to build credibility


Phishing: The classic con

Let’s start with the most well-known method – phishing. For those who are unfamiliar, this is when cybercriminals send fraudulent emails, messages or websites that appear legitimate, tricking victims into clicking malicious links, entering credentials or downloading malware. For instance, back in 2020, attackers posing as IT staff convinced Twitter employees to reset their credentials. This resulted in high-profile accounts like Elon Musk’s and Barack Obama’s being hijacked.

How to avoid phishing

  • Always scrutinize emails and messages, especially those urging immediate action.
  • Check the sender’s email address for inconsistencies, particularly spelling mistakes.
  • Hover over links before clicking to see where they really lead, and always ask yourself whether the URL matches the legitimate site.
  • Be skeptical of urgent requests for passwords or payments.
  • Use multi-factor authentication (MFA) to add an extra layer of security.
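The two checks above (does the sender’s domain contain a subtle misspelling, and does a link’s visible text point at the same site as its real destination) can be automated. The script below is an added example, not part of the original article; the sender address, HTML snippet and the domains `example-bank.com`, `examp1e-bank.com` and `login.attacker.test` are constructed for illustration.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Visible link text "names a site" only when it looks like a URL or a bare domain.
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):  # lowercase hostname of a URL or bare domain; '' if not URL-like
    text = text.strip()
    if not DOMAIN_LIKE.fullmatch(text):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def check_email(sender, html, legit_domain):
    """Return a list of warnings; an empty list means neither check fired."""
    warnings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain != legit_domain:
        # A near-miss such as examp1e vs example is the lookalike the article warns about.
        similar = difflib.SequenceMatcher(None, sender_domain, legit_domain).ratio() > 0.8
        warnings.append(f"sender domain {sender_domain!r} {'looks like' if similar else 'is not'} {legit_domain!r}")
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:  # text names one site, link goes to another
            warnings.append(f"link shows {shown!r} but goes to {real!r}")
    return warnings


# Constructed sample: lookalike sender plus a link whose text and destination disagree.
SAMPLE_SENDER = "security@examp1e-bank.com"
SAMPLE_HTML = '<a href="http://login.attacker.test/x">https://example-bank.com/login</a>'
```

Running `check_email(SAMPLE_SENDER, SAMPLE_HTML, "example-bank.com")` produces one warning for the lookalike sender domain and one for the mismatched link; a link whose text is just “Sign in” is not compared, since it names no site.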

Pretexting

This involves creating a fabricated scenario, or ‘pretext’, to manipulate victims into providing sensitive information. Unlike phishing, which relies on urgency, pretexting exploits trust by posing as a known entity, like a bank representative, a co-worker or even law enforcement. And where phishing casts a wide net, pretexting is highly targeted. A real-life example: someone calls your office claiming to be a potential client and tries to glean information about your company’s internal processes.

How to avoid pretexting:

  • Always verify unexpected requests for sensitive information through another communication channel.
  • Be skeptical of unsolicited requests for personal or financial data.
  • Don’t disclose personal information over the phone or by email.
  • If someone asks for login details, assume it’s a scam.

Baiting

Baiting plays on human curiosity, offering something tempting like free software, USB drives or exclusive content that ultimately leads to a malware infection. A classic case? Malicious USB drops. Attackers leave infected USB drives in office parking lots labelled “Confidential,” hoping an unsuspecting employee plugs one into their work computer. Think you wouldn’t fall for it? Not according to a study by the University of Illinois. When researchers left USB drives scattered around a campus, nearly half of the people who picked them up plugged them into their computers without hesitation.

How to avoid baiting:

  • Never plug unknown USB drives into your computer. Report them to IT instead.
  • Avoid downloading software or media from unverified sources.
  • Use endpoint protection software to scan for malicious files.


Tailgating

This is when an unauthorised person follows an authorised individual into a secure location, often exploiting politeness or social norms to gain access. It is also called piggybacking. A plausible example is an attacker in a delivery uniform carrying a stack of boxes and looking overwhelmed; a well-meaning employee holds the door open for them, giving them access to a secure facility. In the digital world, this could be someone trying to access a restricted online forum by pretending to be a legitimate user.

How to avoid tailgating:

  • Always challenge unknown individuals attempting to enter secure areas.
  • Always ask for ID badges.
  • Report unfamiliar individuals in restricted spaces.

Quid Pro Quo

Quid Pro Quo, meaning ‘something for something’, is a tactic where fraudsters offer a service or benefit in exchange for sensitive information or access. For instance, cybercriminals pose as IT staff, call employees and offer free troubleshooting; unsuspecting victims hand over their login credentials, giving the attackers full access to the system.

How to avoid Quid Pro Quo:

  • Verify the identity of tech support personnel before sharing any information.
  • Never provide sensitive data, particularly passwords, to unsolicited callers.
  • Encourage employees to report suspicious phone calls to IT security teams.
  • If it sounds too helpful, it might be a trick.

Scareware

Scareware tricks victims into believing their device is infected, prompting them to download malicious software disguised as an antivirus or security tool. Think of pop-up ads claiming ‘Your PC is infected! Click here to remove the virus’. These have been a staple of cyber scams for years.

How to avoid scareware:

  • Ignore alarming pop-ups urging immediate downloads.
  • Use trusted antivirus software from reputable sources.

Watering hole attacks

This is one of the most sophisticated social engineering attacks. Instead of attacking individuals directly, cybercriminals infect a legitimate website that their target group frequently visits – the ‘watering hole’ – and then wait for users to visit the compromised site, where malware is silently installed on their devices.

How to avoid watering hole attacks:

  • Regularly update browsers, operating systems and plugins to patch vulnerabilities.
  • Enable MFA so that stolen credentials alone are not enough to get into your accounts.
  • Use a strong firewall and reputable antivirus software to help detect and block threats.
  • Be cautious on public Wi-Fi. Avoid logging into sensitive accounts on unsecured networks and use a VPN for added protection.

Discover everything there is to know about VPNs.

How to stay safe from social engineering attacks

Think before you click: always pause and analyse before clicking on links, opening attachments or downloading files. Hover over links to see the actual URL, which may differ from the text displayed.

Question everything: if something seems too good to be true, it probably is. Don’t blindly trust emails, phone calls or messages, even if they appear to be from a trusted source. If you’re unsure about an email’s legitimacy, contact the supposed sender directly through a known and trusted channel like their official phone number.

Protect your information: be mindful of what you share online, especially on social media. Don’t reveal sensitive information like your address, phone number or date of birth unless absolutely necessary.

Use strong passwords: a strong, unique password is your first line of defense. Use a combination of uppercase and lowercase letters, numbers and symbols. You may also want to consider using a password manager to help you keep track of them all.

Keep your software updated: regularly update your operating system, antivirus software and other applications to patch security vulnerabilities that attackers could exploit.

Educate yourself: stay informed about the latest social engineering tactics. Remember, knowledge is power. The more you know, the better equipped you’ll be to spot and avoid these attacks.

Trust your gut: if something feels off, trust your instincts. It’s better to be safe than sorry.

Social engineering attacks prey on human psychology rather than technical vulnerabilities, making awareness and education the best defenses. By understanding these tactics and applying security best practices, you can significantly reduce the risk of falling victim to these manipulative schemes.

For more security-related topics take a look at how to avoid phone and email scams, how to secure your home network and how to secure your smartphone. If you’re into online shopping, here is how to avoid online shopping scams and here are some more advanced strategies. And for some tips and tricks on how to protect your kids online, take a look at these online security tips for kids.

Sources:
Half of People plug in USB drives they find in the parking lot