How to stay safe when the biggest security vulnerability is YOU?

How can you become the strongest line of defense in keeping yourself, your money, your data, and your business secure, instead of being the weakest link?

We always tell our web design clients to reach out if a communication they received seems at all fishy, and we are so glad that they do! Being a resource to clients experiencing (some for the first time) the dangers of having a business with an online presence, we receive a lot of questions about communications that come through. Most of these communications look pretty legit at first glance, but on a closer look they are riddled with social engineering red flags that many people might not detect. Had we not warned folks, it is very possible they would have fallen victim to a scam!

People are often the biggest vulnerability to security. It’s not anyone’s fault; it’s just human nature. Unlike security systems and software that follow set rules to keep things securely stored away, human behavior can be easily manipulated. Cybercriminals exploit emotions like fear, trust, urgency, greed, curiosity, or even sympathy and generosity to trick individuals into revealing sensitive information, clicking malicious links, or bypassing security protocols. Even with the best technology in place, a single mistake—like reusing passwords or falling for a phishing email—can open the door to a major breach. Ultimately, we can’t rely entirely on the security tools that we use, because they often don’t do a very good job of protecting us from ourselves. Self-awareness and training are just as critical as firewalls and encryption. Understanding the main strategies that social engineers use is the first step to avoiding falling prey to them.

Here are some of the main ways that social engineers target people:

Phishing

One of the most well-known methods is phishing. This typically involves emails or messages that appear to come from sources you trust—like banks, government agencies, or even coworkers—asking the recipient to click a link or provide login credentials. These messages often create a sense of urgency, claiming something is wrong with your account or that you must act immediately. Or they may play on greed instead, say, by offering a reward for entering your login or other information into a form.

Pretexting

Another popular tactic is pretexting, where the attacker invents a convincing story or scenario to gain trust or elicit sympathy and generosity. They may pose as an IT support technician, a job recruiter, or even a delivery driver to extract information. The key to pretexting is building a believable backstory, which can make the request seem completely reasonable in the moment.

Baiting

Baiting involves offering something enticing, like a free download, a prize, or even a physical item like a USB drive left in a public place. Once the victim takes the bait—by downloading a file or plugging in the device—they unknowingly allow malware or spyware into their system. Baiting often plays on curiosity or greed, making it particularly effective.

Quid Pro Quo

Quid pro quo attacks involve offering a service or benefit in exchange for information. For example, an attacker might pretend to be a researcher or IT rep offering free troubleshooting in return for login credentials. Because it plays upon trust and feels like a comfortable mutual exchange, victims may not recognize the threat until it’s too late.

So what do we do if our emotions and personal tendencies are blinding us?

The first thing we can do is to be aware that these tactics are out there and are being used on us all of the time. Even marketing firms for legit businesses frequently employ these tactics to get us to buy their products and services. We’re used to it, so we have a tendency to tune out the red flags.

When I did this article as a presentation, I said “Guard your heart. Pay attention to your feelings and your gut. Don’t make any quick decisions based on emotions.” If something makes you emote strongly... makes you angry, excited, sad, sympathetic, scared... question the authenticity of the communication. Do your due diligence before you take any action or make any kind of response.

Another thing I’ve heard again and again in security trainings is “If it sounds too good to be true, it probably is.”

Sadly, when it comes to the internet, take the distasteful-but-true tack of “guilty until proven innocent.” You should consider every communication that you see, read or hear online to be hogwash until you can prove that it isn’t. Do your research.

And always be extra skeptical of unsolicited messages—especially those that create urgency, request sensitive information, or contain suspicious links or attachments. Verifying requests through a second, trusted method (like calling a known number instead of replying to an email) can stop many attacks in their tracks. It’s also wise to avoid oversharing personal details online, as attackers often use this information to make their scams more convincing.

In addition to staying vigilant, using good cybersecurity hygiene is crucial. This includes enabling multi-factor authentication (MFA), using strong, unique passwords for each account, and regularly updating software to patch vulnerabilities. Using strong security practices and knowing oneself can go a long way to making someone the strongest line of defense instead of the weakest link.
