
Social engineering is a common hacking tactic involving psychological manipulation used in cybersecurity attacks to access or steal confidential information.

Attackers then use this information to commit fraud, gain unauthorized access to systems, or, in some cases, steal your identity. Businesses in the US, for example, reported losses of over $2.9 billion to business email compromise in 2023. Many of those attacks involved phishing, one of the most common social engineering scams.

By understanding the mechanics of common social engineering tricks and implementing strong cybersecurity defenses, you can better secure your most sensitive, valuable information.

This article digs into the different types of social engineering attacks and explores ways you can protect yourself and your business from falling victim to these deceptive practices.

How social engineering works

Rather than targeting weak code, social engineering leverages weaknesses in human psychology to gain access to buildings, systems, or data. Most often, social engineering exploits our natural human tendency to trust. 

Cybercriminals are getting better and better at disguising themselves as well-meaning actors, using persuasive language to lure victims into divulging information they wish to keep private and secure. 

For example, an attacker might send you an email that appears to come from a well-known company or service, asking you to confirm login credentials or personal information. This type of communication can create a sense of urgency or fear and make you think there’s a problem with your account that needs immediate attention. Many think they are responding to someone who has their best interests in mind and provide the information, such as login details or a one-time passcode — only to have that information used against them.

Social engineering attacks are not confined to email, though this is the most common vector. They can also happen over the phone, on social media, or in person.
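The indicators described in this section (a sender that only resembles a trusted brand, a Reply-To that diverts replies elsewhere, links whose visible text and real destination disagree, and urgency language) can be scored mechanically. The following is an added example, not Proton's code or a Proton Mail feature: `TRUSTED_DOMAINS`, `URGENCY_TERMS`, the weights and the two sample messages are assumptions constructed for the illustration.

```python
"""Heuristic phishing-indicator scoring for a raw email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for the example: the brand domains this recipient genuinely deals with.
TRUSTED_DOMAINS = {"example-bank.com"}
# Constructed list of pressure phrases; real filters use much larger, tuned lists.
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended",
                 "verify your account", "unusual activity")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _registrable(host: str) -> str:
    # Last two labels; production code should consult the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def _brand_labels(trusted: set[str]) -> set[str]:
    # "example-bank.com" -> "examplebank"
    return {t.split(".")[0].replace("-", "") for t in trusted}


def lookalike(domain: str, trusted: set[str] = TRUSTED_DOMAINS) -> bool:
    """True when the domain embeds a trusted brand label but is not the trusted domain.
    Catches example-bank-secure.com, examp1e-bank.com and example-bank.com.evil.net."""
    if not domain or domain in trusted:
        return False
    norm = domain.lower().translate(str.maketrans("01", "ol"))
    norm = norm.replace("-", "").replace(".", "")
    return any(label in norm for label in _brand_labels(trusted))


def _host_in_text(text: str) -> str:
    """Hostname if the anchor text itself looks like a URL or domain, else ''."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""


def _text_parts(msg) -> str:
    """Concatenate the decoded text/* parts (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str, trusted: set[str] = TRUSTED_DOMAINS) -> dict:
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain_of(from_addr), _domain_of(reply_addr)
    html = _text_parts(msg)
    text = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", html)).lower()
    findings, score = [], 0

    def hit(points: int, note: str) -> None:
        nonlocal score
        score += points
        findings.append(note)

    if lookalike(from_dom, trusted):
        hit(3, f"sender domain {from_dom} imitates a trusted brand")
    display_norm = display.lower().replace(" ", "").replace("-", "")
    if from_dom not in trusted and any(b in display_norm for b in _brand_labels(trusted)):
        hit(2, f"display name '{display}' claims a brand the sender domain does not have")
    if reply_dom and reply_dom != from_dom:
        hit(2, f"Reply-To diverts replies to {reply_dom}")
    for href, anchor in ANCHOR_RE.findall(html):
        host = urlparse(href).hostname or ""
        shown = _host_in_text(TAG_RE.sub("", anchor))
        if shown and _registrable(shown) != _registrable(host):
            hit(3, f"link text shows {shown} but points to {host}")
        if lookalike(host, trusted):
            hit(2, f"link target {host} imitates a trusted brand")
    urgency = sum(term in text for term in URGENCY_TERMS)
    if urgency:
        hit(min(urgency, 2), f"{urgency} urgency phrase(s)")
    verdict = "likely phishing" if score >= 5 else "no strong indicators"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank Security" <alerts@example-bank-secure.com>
Reply-To: recovery@mail-helpdesk.net
To: you@example.org
Subject: Unusual activity: verify your account within 24 hours
Content-Type: text/html

<html><body><p>We detected unusual activity. Your access will be suspended
unless you verify your account immediately.</p>
<p><a href="https://example-bank.com.login-verify.net/session">https://example-bank.com/login</a></p>
</body></html>
"""
LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
To: you@example.org
Subject: Your March statement is ready
Content-Type: text/html

<html><body><p>Your statement is available.</p>
<p><a href="https://example-bank.com/statements">View statement</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, score_message(sample))
```

The two strongest signals are structural rather than textual: the visible link target disagreeing with the real `href`, and a sender or link domain that merely contains the brand name. Urgency wording is capped because legitimate mail uses it too; treat the score as a triage aid, not a verdict.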

Are there different types of social engineering attacks? 

Cybercriminals have an extensive toolbox of social engineering tricks. 

Phishing

Phishing involves sending legitimate-seeming emails or messages with the sole intention of extracting sensitive data, such as passwords or credit card information. These emails and messages can appear astonishingly real, tricking you into believing they are from a trusted sender.

Fake invoicing

Attackers often abuse a legitimate service's own invoicing feature, PayPal's for example, so that a fake invoice claiming you owe a balance, complete with a button to pay, arrives from the real domain and passes the sender checks that would catch a spoofed address.

Baiting

This tactic dangles enticing offers, such as free software, to lure victims into traps that may lead them to unwittingly install ransomware. The promise of a free movie download, for example, could trick you into downloading a file that compromises your computer.

Business Email Compromise (BEC) 

In this scenario, an attacker impersonates or targets senior executives to trick staff into transferring funds or revealing sensitive information. Usually delivered by email, these messages look legitimate and lean on urgent requests or malicious links, which makes them harder to detect.

Scareware 

This involves sending false alarms and fictitious threats to coerce potential victims into downloading or installing software that is harmful. These threats, for example, may claim your system is infected with a virus that requires a special type of security software that is actually malicious.

Dumpster diving

This low-tech tactic is another common social engineering move: sifting through your trash for bills, bank statements, pre-approved credit card offers, or other documents with sensitive information that can be used for fraud.

Tailgating

Also called “piggybacking,” this brick-and-mortar tactic involves attackers gaining entry into secured areas by following closely behind authorized personnel. Tailgating exploits the common human instinct of holding doors open for others, especially in busy areas.

Money scams

You have probably heard of the so-called Nigerian prince scam, in which an attacker asks you to help transfer a large sum of money from abroad in return for a cut of the cash. Of course, you must first hand over your bank account details or pay a “processing fee” to get it.

Quid pro quo

Here, attackers offer services or benefits in exchange for information. A hacker, for example, might offer to fix a computer issue that requires you to download a remote access tool that ultimately gives the attacker control over your computer.

How can you protect yourself from social engineering attacks?

There are several strategies you can use to limit or prevent the risk of social engineering attacks:

Exercise caution with email attachments

Be wary of opening attachments or clicking links in emails from unfamiliar sources, as they may contain malware or point to phishing sites.

Be skeptical of too-good-to-be-true offers

If an offer seems too generous without any apparent catch, it’s likely a baiting tactic designed to exploit curiosity or greed.

Limit online personal information sharing

The less information you share online, the harder it will be for attackers to target you with personalized scams.

Regularly update your software

Keeping your apps and operating system up to date closes known vulnerabilities that malware delivered by these scams often depends on. It does not stop you from handing over a password, so treat it as one layer among several.

Back up your data

Regular backups can help you quickly recover from an attack without significant loss of information.

Properly dispose of sensitive documents

Shredding or otherwise thoroughly destroying documents containing personal or sensitive information can prevent it from being discovered and used maliciously.

Avoid unfamiliar USB devices and disable device autorun features

Plugging in unknown USB devices can introduce malware to your system. Disabling autorun stops removable media from launching programs the moment it is connected, although it does not protect against devices that pose as keyboards and type commands.

Use strong passwords and multi-factor authentication (MFA)

Use strong, unique passwords on all your online accounts. Proton recommends using an open-source password manager to help you create and remember strong passwords. Additionally, enabling two-factor authentication (2FA) adds a second layer of defense beyond the password. If a username and password are ever compromised, the password alone is no longer enough to sign in. Bear in mind that a one-time code can itself be phished and relayed, so where a service offers them, prefer phishing-resistant factors such as hardware security keys.
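To make concrete what the second factor does and does not stop, here is a time-based one-time password (TOTP, RFC 6238) check with a simulated login. This is an added example, not Proton's code or the mechanism of any Proton product: the secret is the RFC 6238 test key, and the timestamps, the acceptance window and the `login`/`demo` helpers are constructed for the illustration.

```python
"""TOTP (RFC 6238) as a second factor: a stolen password alone fails, a code
phished in real time still passes within the acceptance window (added example)."""
import base64
import hashlib
import hmac
import struct

STEP = 30       # seconds per time step
DIGITS = 6
WINDOW = 1      # accept one step either side of the server clock (clock skew)

# RFC 6238 Appendix B test key: ASCII "12345678901234567890" in base32.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """HOTP over the time-step counter: HMAC-SHA1 plus RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, now: int, window: int = WINDOW) -> bool:
    """Constant-time comparison against the current step and its neighbours."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + skew * STEP), submitted)
        for skew in range(-window, window + 1)
    )


def login(password_ok: bool, code: str, now: int, secret_b32: str = SECRET_B32) -> bool:
    """Both factors must pass; a stolen password by itself is rejected."""
    return password_ok and verify(secret_b32, code, now)


def demo(t0: int = 1111111109) -> dict:
    """Three attempts against one victim whose password is already known (constructed)."""
    phished_code = totp(SECRET_B32, t0)   # the code the victim read out to a fake 'support agent'
    return {
        "password_only": login(True, "", t0),                        # False
        "code_relayed_20s_later": login(True, phished_code, t0 + 20),    # True: real-time relay works
        "code_replayed_2min_later": login(True, phished_code, t0 + 120),  # False: outside the window
    }


if __name__ == "__main__":
    print(demo())
```

The middle case is the caveat the text points at: a TOTP code stops credential-stuffing with a leaked password, but an attacker who relays a phished code within the window (here up to 90 seconds) is indistinguishable from the user. Hardware security keys bind the response to the site's origin, which is why they resist this relay.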

Protect yourself with Proton

In the face of social engineering threats, Proton offers a comprehensive suite of products and features designed to safeguard your digital life. 

Proton Mail

Proton Mail is built to recognize and isolate phishing emails, significantly reducing the risk of scam messages reaching your inbox. With end-to-end encryption at the heart of our services, we’ve designed Proton Mail with several layers of cybersecurity defenses.

Our encryption extends to forwarded messages, file sharing, and all events organized in Proton Calendar, allowing you to maintain workflow and schedule meetings without compromising security.

Proton VPN

Proton VPN masks your online activities and location from potential eavesdroppers, making it harder for attackers to gather information about you that could be used in social engineering attacks. For companies, a Proton VPN for Business account grants access to an extensive server network spanning 85+ countries across six continents, so you and your employees have access to a fast, secure VPN server wherever your operations are located.

Proton Drive

Proton Drive protects your files from unauthorized access. All your files, file names, and folder names are fully encrypted at rest and in transit to your secure cloud. With a Proton for Business plan, each user in your organization gets 500 GB of storage, providing the space and security your business needs to operate without worry of cybersecurity threats. 

Proton Pass

Proton Pass makes it easy to securely share logins and, if you’re a business owner, control who has access to sensitive logins. Administrators get additional tools to ensure their teams adopt cybersecurity best practices, including two-factor authentication. A Proton Pass for Business account gives you access to 50 vaults, unlimited aliases, and our high-security Proton Sentinel program, which works for both Proton Mail and Proton Pass and has blocked thousands of account takeover attacks since it was launched in August 2023.

Making the switch is easy 

Proton Mail also offers a simple-to-use feature called Easy Switch that allows you to seamlessly transition to your new Proton Mail inbox, back up data, and import messages, contacts, and calendars from other email services, such as Gmail. It’s easy to transfer your data to Drive and Pass as well.

When you create a Proton Mail account, you are both protecting your most valuable data from social engineering attacks and helping build a better internet where privacy is the default.

