What is social engineering and how can you protect yourself?

Social engineering is a common hacking tactic involving psychological manipulation used in cybersecurity attacks to access or steal confidential information.

They then use this information to commit fraud, gain unauthorized access to systems, or, in some cases, steal your identity. Businesses in the US, for example, lost over $2.9 billion to business email compromise(new window) in 2023. Many of the attacks involved phishing, one of the most common social engineering scams.

By understanding the mechanics of common social engineering tricks and implementing strong cybersecurity defenses, you can better secure your most sensitive, valuable information.

This article digs into the different types of social engineering attacks and explores ways you can protect yourself and your business from falling victim to these deceptive practices.

How social engineering works

Rather than targeting weak code, social engineering leverages weaknesses in human psychology to gain access to buildings, systems, or data. Most often, social engineering exploits our natural human tendency to trust. 

Cybercriminals are getting better and better at disguising themselves as well-meaning actors, using persuasive language to lure victims into divulging information they wish to keep private and secure. 

For example, an attacker might send you an email that appears to come from a well-known company or service, asking you to confirm login credentials or personal information. This type of communication can create a sense of urgency or fear and make you think there’s a problem with your account that needs immediate attention. Many think they are responding to someone who has their best interests in mind and provide the information, such as login details or a one-time passcode — only to have that information used against them.

Social engineering attacks are not confined to email, though this is the most common vector. They can also happen over the phone, on social media, or in person.

Are there different types of social engineering attacks? 

Cybercriminals have an extensive toolbox of social engineering tricks. 


Phishing involves sending legitimate-seeming emails or messages with the sole intention of extracting sensitive data, such as passwords or credit card information. These emails and messages can appear astonishingly real, tricking you into believing they are from a trusted sender.

Fake invoicing

Attackers often use a legitimate domain, such as PayPal, to send fake invoices claiming you owe a balance and including a button to pay. 


This tactic dangles enticing offers, such as free software, to lure victims into traps that may lead them to unwittingly install ransomware. The promise of a free movie download, for example, could trick you into downloading a file that compromises your computer.

Business Email Compromise (BEC) 

In this scenario, an attacker can trick senior executives into transferring funds or revealing sensitive information(new window). Usually in the form of email, these attacks appear legitimate with urgent requests or malicious links, making them harder to detect. 


This involves sending false alarms and fictitious threats to coerce potential victims into downloading or installing software that is harmful. These threats, for example, may claim your system is infected with a virus that requires a special type of security software that is actually malicious.

Dumpster diving

This tactic, although more elaborate and involved, is another common social engineering move that involves sifting through your trash to find bills, bank statements, pre-approved credit cards, or other documents with sensitive information that can be used for fraudulent activities.


Also called “piggybacking(new window),” this brick-and-mortar tactic involves attackers gaining entry into secured areas by following closely behind authorized personnel. Tailgating exploits the common human instinct of holding doors open for others, especially in busy areas.

Money scams

You probably heard of the so-called Nigerian prince scam(new window), in which an attacker asks you to help transfer a large lump of money from abroad in return for a cut of the cash. Of course, you must first hand over your bank account details or pay a “processing fee” to get it.

Quid pro quo

Here, attackers offer services or benefits in exchange for information. A hacker, for example, might offer to fix a computer issue that requires you to download a remote access tool that ultimately gives the attacker control over your computer.

How can you protect yourself from social engineering attacks?

There are several strategies you can use to limit or prevent the risk of social engineering attacks:

Exercise caution with email attachments

Be wary of opening attachments or clicking links in emails from unfamiliar sources, as they may contain malware or point to phishing sites.

Be skeptical of too-good-to-be-true offers

If an offer seems too generous without any apparent catch, it’s likely a baiting tactic designed to exploit.

Limit online personal information sharing

The less information you share online, the harder it will be for attackers to target you with personalized scams.

Regularly update your software

Keeping your apps and operating system up to date ensures you have the latest protection against new threats.

Back up your data

Regular backups can help you quickly recover from an attack without significant loss of information.

Properly dispose of sensitive documents

Shredding or otherwise thoroughly destroying documents containing personal or sensitive information can prevent it from being discovered and used maliciously.

Avoid unfamiliar USB devices and disable device autorun features

Plugging in unknown USB devices can introduce malware to your system. Disabling autorun prevents the automatic installation of potential ransomware.

Use multi-factor authentication (MFA)

Adding an extra layer of security beyond just passwords can significantly enhance your defenses against unauthorized access.

Use strong passwords and 2FA

Use strong, unique passwords on all your online accounts. Proton recommends using an open-source password manager to help you create and remember strong passwords. Additionally, enabling two-factor authentication (2FA) adds an extra layer of defense. If your usernames or passwords are ever compromised, scammers won’t be able to access your accounts.

Protect yourself with Proton

In the face of social engineering threats, Proton offers a comprehensive suite of products and features designed to safeguard your digital life. 

Proton Mail

Proton Mailis built to recognize and isolate phishing emails, significantly reducing the risk of scam messages reaching your inbox. With end-to-end encryption at the heart of our services, we’ve designed Proton Mail with several layers of cybersecurity defenses:

Our encryption extends to forwarded messages, file sharing, and all events organized in Proton Calendar, allowing you to maintain workflow and schedule meetings without compromising security.

Proton VPN

Proton VPN(new window) also masks your online activities and location from potential eavesdroppers, making it difficult for attackers to gather information about you that could be used in social engineering attacks. For companies, a Proton VPN for Business(new window) account grants access to an extensive server network spanning 85+ countries across six continents, guaranteeing you and your employees will always have access to a fast, secure VPN server — no matter where your operations or employees are located.

Proton Drive

Proton Drive protects your files from unauthorized access. All your files, file names, and folder names are fully encrypted at rest and in transit to your secure cloud. With a Proton for Business plan, each user in your organization gets 500 GB of storage, providing the space and security your business needs to operate without worry of cybersecurity threats. 

Proton Pass

Proton Pass makes it easy to securely share logins and — if you’re a business owner — control who has access to sensitive logins. Administrators get additional access to tools to ensure their teams adopt cybersecurity best practices, including two-factor authentication. A Proton Pass for Business account gives you access to 50 vaults, unlimited aliases, and our high-security Proton Sentinel program, which works for both Proton Mail and Proton Pass and has blocked thousands of account takeover attacks since it was launched in August 2023. 

Making the switch is easy 

Proton Mail also offers a simple-to-use feature called Easy Switch that allows you to seamlessly transition to your new Proton Mail inbox, back up data, and import messages, contacts, and calendars from other email services, such as Gmail. It’s easy to transfer your data to Drive and Pass as well.

When you create a Proton Mail account, you are both protecting your most valuable data from social engineering attacks and helping build a better internet where privacy is the default.

Secure your emails, protect your privacy
Get Proton Mail free

Related articles

Identity theft is a major sector of criminal activity. About 24 million people fell victim in the United States alone in 2021, costing them over $16 billion. Credit card fraud is the most common type, but criminals target all kinds of personal data.
Google is one of the biggest obstacles to privacy. The Big Tech giant may offer quick access to information online, but it also controls vast amounts of your personal or business data. Recently, more people are becoming aware of the actual price you
What to do if someone steals your Social Security number
If you’re a United States citizen or permanent resident, you have a Social Security number (SSN). This number is the linchpin of much of your existence, linked to everything from your tax records to your credit cards. Theft is a massive problem, whic
compromised passwords
Compromised passwords are a common issue and probably one of the biggest cybersecurity threats for regular people. How do passwords get compromised, and is there anything you can do to prevent it? * What does compromised password mean? * How do pa
Is WeTransfer safe?
  • Privacy basics
WeTransfer is a popular service used by millions worldwide to send large files. You may have wondered if it’s safe or whether you should use it to share sensitive files. We answer these questions below and present a WeTransfer alternative that may su
what is a dictionary attack
Dictionary attacks are a common method hackers use to try to crack passwords and break into online accounts.  While these attacks may be effective against people with poor account security, it’s extremely easy to protect yourself against them by usi