5 Useful Tips to Protect Yourself From Social Engineering Attacks

Social engineering attacks have one goal—to trick you into divulging information. Most commonly, social engineering attacks land in your life through your email or phone. The senders and callers sound familiar as a way to gain your trust. But in the end, they're only interested in information you should never hand over, like your Social Security number, login information and other private data.

A keen eye for the telltale signs of these fraud attempts will help you protect yourself from an attack and keep your information secure.

Types of social engineering attacks

Here are some of the most common types of social engineering attacks you may encounter.

Baiting: When fraudsters want access to your sensitive data, they may try to bait you into helping them get it. Baiting schemes are a common social engineering tactic that often appear as official-looking letters sent through the mail. They can also be requests to download a fraudulent app or software that claims to help you fix something on your device. When you install the software provided, your computer becomes infected. This allows attackers to easily access information like usernames and passwords.

Phishing: The most popular of all social engineering attacks, phishing messages try to confuse you so you'll release sensitive login information. For example, they might tell you that there's an immediate need to change your password. When you enter your login information in response to one of these email or text messages, you're unknowingly giving fraudsters access to your accounts. They could also send a fraudulent link in an email or text. If you click the link, it could bring you to a website that infects your computer with malicious software.

Spear phishing: While most phishing attacks are relatively untargeted, spear phishing is a highly targeted attack on an individual or organization. With this tactic, scammers research their targets and use this information to make their emails appear legitimate. They may use social media or other public information so the email appears to be from a trusted co-worker, colleague or friend. Spear phishing is difficult to spot, so be cautious of messages from people you know that don't sound quite right. Also, never click a link in an email that's suspicious or that has a sense of urgency.

Passcode fraud: This type of fraud has become quite popular among scammers. They use a false passcode—a string of numbers typically sent via text message to the phone number associated with a customer's account to verify their identity—to gather personal information. To avoid getting scammed, read the text message accompanying the passcode carefully, and never share a passcode with someone who calls you directly. This is atypical behavior for businesses—and a red flag that someone may be attempting to access your information.

Pretexting: In this type of attack, fraudsters impersonate someone of authority, like a bank representative, police officer or IRS agent. These callers will typically have you answer a series of questions under the pretext of verifying your identity. These questions are designed to get you to reveal sensitive personal information like your Social Security number or bank account information.

Quid pro quo: These scams make you feel like there's an equal exchange—if you give the scammer X, they'll provide you with Y in return. The exchanges are often disguised as attempts to help you—perhaps by offering technical support or fixing a glitch, like a Social Security number missing from your account. The end goal here is primarily identity theft. When you hand over your Social Security number or install their software, your most private information becomes vulnerable.

CEO fraud: Attackers impersonate a senior leader from your organization in an email or text to trick you into doing something you shouldn't—like sharing sensitive information or transferring money. They use both the authority of the CEO or senior leader and a sense of urgency to get you to act quickly.

Scam phone calls: Also called vishing, these attacks take place when fraudsters call you pretending to be from an organization you know and trust. Be wary of any calls from people who sound suspicious or who ask you to take actions urgently, especially if it involves risky activities like giving sensitive information over the phone. Request proof that the caller is who they say they are before you comply.

5 tips to prevent social engineering attacks

Knowledge is power, and knowing how to respond to these attacks will help you keep your private data secure when scammers come calling.

1 Slow down

When you get a concerning call or email, it's natural to want to act fast. Fraudsters rely on your fear to get your information. When a communication puts you on high alert, take a deep breath and pause. You can call your bank or credit card company and ask them to confirm the request—financial institutions or the IRS won't ask you for your PIN or Social Security number over the phone. Alerts, freezes and locks are protections to help you prevent credit fraud.

2 Review the source

When you receive an email or other communication that puts you on alert, consider the source. Avoid clicking links, opening email attachments and entering passcodes from sources you don't fully trust. A good rule of thumb is to consider most communications asking you to perform a password change or identity verification task as suspicious. Also, double-check that you're downloading the official version of any bank or financial app because fraudsters sometimes create lookalike versions as a scam.

3 Lock your phone and laptop

While it adds an extra step when you want to use your device, locking your screen also adds a layer of protection between your unattended phone, tablet, or computer and a scammer.

4 Skip public Wi-Fi

It's a good habit to avoid using public Wi-Fi when you're out and about. Fraudsters often use unprotected Wi-Fi networks to hack into other devices connected to the network.

5 Consider antivirus software

While no software can protect you from every attack, antivirus software can help protect your computer from many threats. These programs can also help warn you when a website looks suspicious.

There are two key questions to ask yourself when evaluating whether you're the target of a social engineering attack: Who's asking for my information, and why do they need it? If there's any doubt in your mind about whether the request is legitimate, proceed as though you're looking at an attempted scam. When it comes to protecting your data, a little extra caution can only be a good thing.