How To Protect Yourself From These 8 Social Engineering Attacks

Software can only get you so far. You can protect your passwords, install antivirus software, set up a firewall, but ultimately there is always a weak link.


A whole sector of hacking has developed around the human aspect of security known as Social Engineering. Using a combination of technical hacking and interpersonal skills, with a large dose of manipulation, the social engineer — who might also work as a hacker, or in tandem with one — hopes to extract private or confidential information from a target. People have manipulated and lied to others for many, many years but Social Engineering does this with a specific aim of creating an environment where people will expose personal information.

While these techniques are often used to break into a company, they can also be used against individuals, especially high-profile ones. If you were being targeted, how would you know? What social engineering techniques would a hacker use, and how would you protect yourself from them? Let’s take a look at some of the most common methods of attack.

1. Phishing

Phishing is commonly defined as the “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.”


The most common examples of this are the infamous Nigerian bank account emails, along with “Urgent: You are entitled to a Tax Refund”.

How To Protect Yourself

  • Don’t click on links in emails. If you have any doubt about the safety of the email, do not click on any links — even if they look legitimate. On desktop it is easy to hover over the link and see whether it points to the correct site; on mobile this is harder. The best solution is to manually navigate to the website itself and log in directly rather than using the provided URL.
  • Don’t download attachments. The easiest way to infect your device with malware is to download email attachments. Most web based mail clients will scan attachments to let you know if they are safe, but this isn’t foolproof. If you do download an attachment, scan it with antivirus software before opening it. If the file extension isn’t what you expected, do not open it, as malware can be disguised with a double extension such as “Document.pdf.exe”. To be on the safe side — never open (or download) “.exe” attachments.
  • Check the sender’s address. On mobile this can be tricky to do, and attackers know this and are increasingly building it into their attacks. A common example is a sender displayed as “Paypal” while the actual address looks like “” or “”. If it looks unusual, don’t click on any links or download attachments.

2. Vishing

Vishing is phishing performed over the phone. It can be very effective because talking to an actual human puts people at ease, as long as the right rapport is built.


A common example is a call from “tech support” who then ask you to verify your password or other confidential information.

How To Protect Yourself

  • Verify the caller’s ID. If someone claims to be calling from your bank, look out for their security checks, like mentioning certain things from your account. Get a full name, department and branch. Make sure you feel confident that they are who they say they are.
  • Get contact information. Ask them for their contact information, try to verify it online and say that you will call them back. This gives you time to authenticate them.
  • Be wary of personable callers. While some people are just nice and genuinely fun to talk to, this can also be part of the social engineer’s toolkit to make you feel at ease and more likely to disclose information. If the call has given you any reason to be suspicious then be skeptical of the caller.

3. Social Media

How often do you Google yourself? Go on — no, really — how often? And what comes up when you do? Probably your Twitter, LinkedIn, Facebook, Foursquare accounts. Switch the search to images and you’ll find that grainy picture from your old MySpace or Bebo profile.


Now, consider what information you get from those links — approximate (or detailed) location, places you visit, friends list, place of work and more. It can be pretty terrifying just how much information you post — even when you don’t mean to.

How To Protect Yourself

  • Think before you post. Are you posting something you didn’t mean to, like geotagging your photo, or is there sensitive or identifying information in the background of a photo?
  • Adjust those privacy settings. We all know that social networks love us to share everything with everyone – that’s why Facebook’s privacy settings are so complicated, but these settings are there for a reason. Make sure that you only post to people you want to see your post. Cull “friends” that you don’t know. This is really important on Facebook which is a network where you are actively encouraged to overshare.
  • Prevent Search Engine Indexing. If you want to stop your Pinterest account from showing up in search results alongside your LinkedIn, then head into the settings and disable Search Engine Indexing. Most of the major social networks have this option.
  • Go Private. Think about if you really need your Instagram and Twitter accounts to be public.
  • Think about whether you need to post. Just because the option to post is there doesn’t mean you have to. This not only prevents you from oversharing publicly but can also help you build a better relationship with technology.

4. Dumpster Diving

An unfortunate truth is that even in our modern world we still receive confidential information (medical records, bank statements) and spam in our (physical) mail boxes. And what about those documents you brought home from work to edit before the next big meeting? Did you just put them in the trash when you were done with them? This is a treasure chest to the budding social engineer.

In certain situations they may choose to “dumpster dive” where they rifle through rubbish to find information that they can use about you.

How To Protect Yourself

  • Shred all the things. Just as with social media, on an item by item basis it’s difficult to see what harm throwing away something like a receipt could do. But when all this information is put together, it exposes a lot more about you than you intended. The best advice here: unless it is clearly innocuous, shred it.
  • Move online (if you can). There are some insecure things on the internet, but one thing it doesn’t do is generate paperwork for you. As smartphones and the internet have become more ubiquitous, banks and other utilities have started moving online. If your provider offers online statements, turn them on.
  • Keep confidential information safe. It may seem old fashioned but if you need to keep paper copies of private or confidential information, keep them behind lock and key in a safe.

5. Baiting

Appealing to people’s curiosity (or sense of greed) is the reason this attack works. The attacker will leave an infected USB, CD, or other physical media and wait for someone to pick it up, insert it into their machine, and become infected.

How To Protect Yourself

  • Don’t pick up (or use) random USBs. I know you may be tempted to see what’s on it, or to see if you can help get it back to its rightful owner. But don’t. It just isn’t worth the risk. If you don’t know what it is, don’t put it in your machine.
  • Install an antivirus. Just in case you do decide to put an unknown device into your computer, make sure you have the best protection you can. Be aware though that some malware can evade, and even disable, antivirus software.

6. Tailgating

This attack is most often directed at companies, although not exclusively. This is when the attacker will gain entry to a physical space by following or tailgating in behind an authorized person.

How To Protect Yourself

  • Be aware of who is around you. A good attacker won’t stand out, but if someone you don’t recognize turns up one day, then keep your eye on them.
  • Don’t be afraid to question. Tailgating is most common at work, where an attacker is hoping to gain information about the company. Even outside of a work context you still shouldn’t feel afraid to question. If someone follows you into your apartment block then ask them where they are going, and if you can help them find their way. More often than not a Social Engineer will shy away from those questions and may even give up on their attack.

7. Typosquatting

It’s just too easy to misspell a website address. And that’s exactly what the social engineer wants. These attackers claim websites that are similar to popular destinations (think “Amozon” rather than “Amazon”) and then use these pages to either redirect users or capture login information for the real site. Some of the larger sites have already given you a helping hand with this and they redirect misspelt variations of their URL to the correct one.

How To Protect Yourself

  • Pay attention when typing website addresses. I know it can be tempting to rush, especially when you know the website, but always check before you hit enter.
  • Install a good antivirus. Some typosquatting sites will try to get you to download malware. Good antivirus software will pick up malicious files — or even websites — before they cause you any harm.
  • Bookmark frequently visited sites. It’s what bookmarks are for. This means that you will always know that you are heading to the real website.
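A small link checker, added here as an example and not taken from the article, that applies the hover-and-check advice from the phishing section and the spelling advice above: it flags a trusted brand name buried inside another domain and near-miss spellings of a trusted domain. The trusted list and sample URLs are constructed for illustration.

```javascript
// Added example, not part of the original article: check a link's host
// against sites you trust before following it. Trusted list and sample
// URLs below are constructed for illustration.
const TRUSTED = ["amazon.com", "paypal.com", "youtube.com"];

// Levenshtein distance: number of single-character edits turning a into b.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Registrable domain taken as the last two labels. Good enough for .com-style
// names; a production tool would consult the Public Suffix List (co.uk, ...).
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Returns "trusted", "lookalike", "typosquat", "unknown" or "invalid".
function classifyLink(urlText, trusted = TRUSTED) {
  let url;
  try { url = new URL(urlText); } catch (e) { return "invalid"; }
  const host = url.hostname.toLowerCase();
  const domain = registrableDomain(host);
  if (trusted.includes(domain)) return "trusted";
  for (const t of trusted) {
    // Brand name buried inside another domain: paypal.com.verify-login.example
    if (host.includes(t.split(".")[0])) return "lookalike";
    // Near miss on the registrable domain itself: amozon.com
    if (editDistance(domain, t) <= 2) return "typosquat";
  }
  return "unknown";
}

// Constructed sample links, as you might see when hovering over email links.
const SAMPLES = [
  "https://www.paypal.com/signin",
  "http://paypal.com.verify-login.example/",
  "https://amozon.com/deals",
  "https://example.org/",
];
for (const s of SAMPLES) console.log(classifyLink(s), s);
```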

8. Clickjacking

Clickjacking is a technique used to trick a user into clicking on something different than they thought they were.


An example of this would be if a lolcat video was posted on Facebook that looked like a YouTube video. You click the play button but instead of watching some cats roll around, you end up on a page asking you to download software, or anything other than watching your lolcat video.

How To Protect Yourself

  • Install NoScript. NoScript is a Firefox addon that automatically blocks executable web content like Flash, Java and JavaScript. NoScript has a feature called “ClearClick” which is aimed at preventing clickjacking attacks.
  • Don’t use in-app browsers. On mobile, clickjacking can be harder both to perpetrate and to prevent. One way of steering clear is to avoid in-app web browsers, as they are the most likely attack point for clickjacking. Stick to your default web browser.
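NoScript’s ClearClick is the browser-side defence; the site-side defence is a response header that forbids other sites from framing the page at all. The check below is added here as an example and is not part of the article: it reads a response’s headers and reports whether the page is protected from framing. The header sets are constructed samples.

```javascript
// Added example, not from the original article: decide whether a web
// response's headers stop the page from being framed by another site, the
// server-side defence against clickjacking (NoScript's ClearClick is the
// browser-side one). Header sets below are constructed samples.

// Parse a Content-Security-Policy value into directive -> source list.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns { level: "protected" | "weak" | "unprotected", reason }.
function framingProtection(headers) {
  // Header names are case-insensitive; normalise once.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // When both are present, browsers honour frame-ancestors over X-Frame-Options.
  if (h["content-security-policy"]) {
    const fa = parseCsp(h["content-security-policy"])["frame-ancestors"];
    if (fa) {
      if (fa.includes("*")) return { level: "unprotected", reason: "frame-ancestors allows any site" };
      return { level: "protected", reason: "frame-ancestors " + fa.join(" ") };
    }
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return { level: "protected", reason: "X-Frame-Options " + xfo };
  if (xfo.startsWith("ALLOW-FROM")) return { level: "weak", reason: "ALLOW-FROM is ignored by modern browsers" };
  return { level: "unprotected", reason: "no framing restriction" };
}

// Constructed sample responses, keyed by what they illustrate.
const SAMPLES = {
  hardened: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'", "X-Frame-Options": "DENY" },
  legacyOnly: { "X-Frame-Options": "sameorigin" },
  obsolete: { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  open: { "Content-Type": "text/html" },
};
for (const [name, hdrs] of Object.entries(SAMPLES)) console.log(name, framingProtection(hdrs));
```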

Protect Yourself — But Stay Calm

Although Social Engineering can seem terrifying — someone using human behavior to deceive you into giving away personal or confidential information — the important thing is to keep a level head about it. The risk may always be there, but it’s unlikely to ever happen.

As an individual you have what’s referred to as “privacy through obscurity”, so unless you are a celebrity or head of a large company, then you are unlikely to be specifically targeted. Make sure you keep these habits in mind, but don’t let them control your life. A life spent in a state of constant distrust would be extremely stressful, and a whole lot less enjoyable.

Do you use any of these tips to keep yourself protected? Did you know that there was such a thing as social engineering? Got any suggestions? Let us know in the comments below!
