Social engineering is a popular tactic cybercriminals use to infiltrate servers, networks, and hardware or steal sensitive data and account information. It includes any approach that uses scare tactics and emotional manipulation to trick or threaten the victim.
Phishing, the top internet crime reported in 2020, is one example of social engineering. Others include emails from hacked accounts and non-email forms of phishing, like phone, voice, and text-based attempts.
Social engineering schemes take many forms. The criminal might pose as a senior manager offering a lucrative new position or a member of the human resources department requesting more information to process an upcoming payment.
It also targets individuals, for example through requests for money from a supposed family member or a local charity seeking donations. Someone could receive a warning from their favorite streaming service that their account has been compromised and they need a new password.
Regardless of approach, the cybercriminal’s end goal is the same — for someone to knowingly or unknowingly perform an action that ultimately grants them unauthorized access to accounts, information, money, and more.
Knowing the warning signs of a social engineering attempt is critical to minimizing fallout and preventing future attacks — these seven tips can help.
1. Look for Signs of Manufactured Urgency
One of the telltale signs of an attempted social engineering attack is when the message’s request or demand is attached to a time limit. By creating a sense of urgency, cybercriminals hope to push recipients into taking immediate action without pausing to confirm or question details.
It plays on people’s desire to achieve goals quickly, whether for the sense of gratification or instant reward, to return to a normal routine after disruption, or to get out of an uncomfortable situation as soon as possible.
In phishing schemes, this can take the shape of “official” emails from companies about unauthorized purchases on an account or pending legal action due to missed payments. Cybercriminals might also pose as someone in authority, like a supervisor or government official, hoping to force quick compliance.
People should keep an eye out for phrases like “last chance,” “limited time,” and “act now,” as well as any countdowns or deadline dates.
2. Be Suspicious of Attachments and Links
Google blocks over 100 million phishing emails daily — nearly 99% of all phishing, spam, and malware attempts sent through Gmail. However, the average account can still see dozens or hundreds of attempts throughout the year.
Recipients should never download an email file or click a link without pausing to confirm its legitimacy, and that’s especially true if someone doesn’t know or isn’t expecting a message from the sender.
People should closely examine file names, extensions, and link URLs and check for anything unusual or potentially harmful. When discussing the heightened risk of social engineering in today’s world, the National Credit Union Administration advised users to hover over hyperlinks to see if the URL matches its anchor text. They should also check web addresses for subtle changes like incorrect domains, extra words, or the letter O instead of a zero.
People should approach every link received via email or private message with the same level of suspicion by searching for the website in another browser window instead of clicking through the given URL.
People presented with an email attachment to download should check the file extension — typically a .doc, .pdf, .jpeg, or similar. They should not open it if it’s an unknown letter combination or a file type they haven’t seen before.
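The checks described in tips 1 and 2 (urgency phrases, link text that disagrees with its real destination, lookalike domains such as a zero in place of the letter O, extra words bolted onto a familiar name, and unfamiliar or doubled attachment extensions) can be expressed as a simple scanner. The code below is an added example, not part of the original article or any product it mentions. It assumes that links in a legitimate message should point at the sender's own domain, uses a short phrase list and a short list of familiar extensions that you would tune for your environment, treats the last two labels of a host as its registrable domain (a simplification that ignores suffixes like co.uk), and runs over a constructed sample message rather than a real campaign.

```python
"""Heuristic scan of an email for the red flags in tips 1 and 2.
Sample message below is constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases from the article plus one common variant (assumption).
URGENCY_PHRASES = ("last chance", "limited time", "act now", "within 24 hours")
# Character swaps that make a domain look like a familiar one.
LOOKALIKES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
# Attachment types a recipient would recognise; anything else is flagged.
FAMILIAR_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".jpeg", ".png"}


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host (naive: ignores multi-part suffixes like co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalize_lookalikes(domain):
    """Map lookalike characters to the letters they imitate, e.g. g00gle -> google."""
    for fake, real in LOOKALIKES.items():
        domain = domain.replace(fake, real)
    return domain


def find_urgency(text):
    lower = text.lower()
    return [phrase for phrase in URGENCY_PHRASES if phrase in lower]


def check_links(html_body, sender_domain):
    """Flag anchors whose href disagrees with their text or with the sender's domain."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.anchors:
        href_host = urlparse(href).hostname or ""
        href_domain = registrable_domain(href_host)
        # Anchor text that itself looks like a URL or domain must match the real href.
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(text_host) != href_domain:
                findings.append(f"text '{text}' links to {href_host}")
        if href_domain == sender_domain:
            continue
        if normalize_lookalikes(href_domain) == normalize_lookalikes(sender_domain):
            findings.append(f"lookalike domain {href_domain} (expected {sender_domain})")
        elif sender_domain.split(".")[0] in href_host:  # examplebank.com.login-verify.net
            findings.append(f"sender name reused in unrelated domain {href_host}")
        else:
            findings.append(f"link to unexpected domain {href_host}")
    return findings


def check_attachments(filenames):
    """Flag unfamiliar extensions and doubled ones such as invoice.pdf.exe."""
    findings = []
    for name in filenames:
        exts = ["." + part for part in name.lower().split(".")[1:]]
        if len(exts) > 1:
            findings.append(f"{name}: double extension")
        elif not exts or exts[-1] not in FAMILIAR_EXTENSIONS:
            findings.append(f"{name}: unfamiliar file type")
    return findings


def scan_email(sender, subject, html_body, attachments):
    """Return the findings per category for one message."""
    sender_domain = registrable_domain(sender.split("@")[-1])
    plain_text = subject + " " + re.sub(r"<[^>]+>", " ", html_body)
    return {
        "urgency": find_urgency(plain_text),
        "links": check_links(html_body, sender_domain),
        "attachments": check_attachments(attachments),
    }


# Constructed sample message (not a real campaign); the domains are placeholders.
SAMPLE = dict(
    sender="alerts@examplebank.com",
    subject="Act now: unauthorized purchase detected",
    html_body=(
        "<p>This is your last chance to dispute the charge. "
        '<a href="http://examp1ebank.com/verify">https://examplebank.com/verify</a> '
        'or visit <a href="http://examplebank.com.login-verify.net/">our secure portal</a>.</p>'
    ),
    attachments=["statement.pdf", "invoice.pdf.exe", "notes.xyz"],
)

if __name__ == "__main__":
    for category, items in scan_email(**SAMPLE).items():
        print(category, items)
```

On the sample message the scanner reports two urgency phrases, three link findings (the visible URL disagrees with its href, that href is a lookalike of the sender's domain, and the second link reuses the sender's name inside an unrelated domain), and two attachment findings. A scanner like this is a triage aid for the human judgement the article describes, not a replacement for it: a message that passes every check can still be a phish, which is why the contact-the-sender-independently advice later on the page still applies.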
3. Note the Language, Spelling, and Grammar
Though some phishing attempts go as far as replicating company logos and using fake mailing addresses to gain trust, others are less exhaustive.
Misspellings, typos, grammatical errors, and unusual formatting or fonts are glaring red flags. Recipients should be especially critical of threats, requests to verify payment or personal information, or exciting offers. They should trust their instincts if something feels off or doesn’t seem quite right.
4. Consider What’s Known About the Sender
People should consider what they already know about the supposed sender when in doubt. An email from grandma probably wouldn’t start with a generic greeting like “Dear Sir,” and an urgent message from the bank isn’t going to address someone as “Dear.”
If the tone feels overly formal or informal for the sender and subject matter, it’s likely fake. People should look at all aspects of the email’s context, including the time it was sent. For example, someone wouldn’t typically expect an urgent request from their company’s HR at 3 a.m.
Those who receive requests or demands from people or companies they’ve communicated with before should compare different messages to highlight any red flags, keeping in mind that they could still be victims of a long-term scheme.
5. Do Some Internet Sleuthing
Sometimes the best approach is playing detective. Recipients should write down or save a screenshot of the suspicious message, including any names, addresses, phone numbers, web addresses, proper nouns, or affiliations.
People can search for this information in a different browser window or incognito tab and compare it with what’s listed in the email. They should search any mailing addresses on Google Maps, note phone numbers and email addresses from the organization’s “About Us” or “Contact” page, and look up the name of the supposed correspondent.
Even one inconsistency is a reason to pause. People should contact the company or individual the sender claims to be and confirm the information received — they might even find they’re not the first to receive the phishing attempt. In most cases, companies have specific instructions for resetting or securing the individual’s legitimate existing account in case it’s at risk.
6. Stay Current on the Risks
Cybersecurity is an ever-growing industry, and as threats become smarter, so do prevention and remediation techniques. People must arm themselves with current industry knowledge, including the basics of cybersecurity protection, emerging and trending cybercrimes, and any breaches that could affect them or their business.
People involved in specific businesses, such as those in the financial, medical, or manufacturing sectors, should subscribe to industry-leading newsletters and publications to stay informed about niche-specific threats and warning signs.
Social engineering efforts may be more effective when the recipient is already under stress and likely to make worse decisions, so people should be extra vigilant during times of vulnerability. Cybercriminals are known to prey on existing worry or fear, which is why phishing activity often spikes during disasters or political events.
7. Embrace “Better Safe Than Sorry”
Whether someone is protecting individual information or training a company team on safe cyber practices, they should never approach social engineering as an “if” but only as a “when.” They should prepare systems, technologies, and users for all types of cyberattacks and embrace “better safe than sorry” as their new cybersecurity mantra.
Someone who receives an email with a threat or urgent demands should take a step back and alert the proper authorities or management. In a company setting, this means initiating the escalation plan so the threat can be isolated.
If an email claims an account has been compromised or asks for a password change, recipients should not click the button or link in the email. Instead, they should visit the website via its app or a new browser window and contact support.
Someone who’s offered an exciting reward or invited to support a charity cause should reach out to the alleged sender or organization independently, preferably in person. They should adopt the same approach when contacted about a legitimate existing account, assignment, or pending delivery.
Don’t Fall Victim to Social Engineering Tactics
Social engineering schemes are so common because they’re effective. Cybercriminals become more powerful manipulators by taking advantage of natural fears, wants, and relationships.
People should stay informed, vigilant and suspicious — they’ll never regret being too careful when their identity, data, financial accounts, or intellectual properties are at stake.