Malware is just one way hackers and scammers can get you. Another common tactic is social engineering—a collection of methods that exploit vulnerabilities in human behavior to steal sensitive info, takeover accounts, or otherwise infiltrate your life. Businesses and individuals alike can suffer big losses from successful campaigns.
But while antivirus software can block malware, including those that involve social engineering (e.g., scareware), it can’t stop all types of social engineering attacks. New variants continue to emerge, with no signs of stopping.
You must keep watch yourself—which is easier if you know the key signs to watch for. At the recent 2024 RSA cybersecurity conference in San Francisco, Microsoft broke down social engineering attacks into three distinctive pieces. Once you become familiar with them, they’re easy to spot.
A sense of urgency
Tech Advisor
In a social engineering attack, you could be contacted about a misdelivered package, fraudulent bank transaction, loved one stranded overseas, secret shopping deal, or any number of situations—all of them designed to leverage a sense of immediacy. Act quickly, or lose out.
That inherent sense of urgency is a key factor in social engineering attacks. We humans don’t think as clearly or thoroughly when rushed, and that’s exactly what bad actors are counting on.
What to do: No matter how serious the situation, take a moment for review. Financial issues? Look up the official phone number for the purported caller, be it your bank or the IRS, and use that instead. Friend stuck in a foreign country with no money? Message them directly over your usual mode of communication and get more details.
An appeal to your feelings
Alex Photo Stock / Shutterstock.com
Urgency is an effective part of social engineering attacks because it preys on emotion. It sparks fear, which often overrides better judgment.
But social engineering can get you through other emotions, with some of them actually positive in vibe. One example given by Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, was the receipt of an email about divorce paperwork for review. For a married person, this phony message could inspire panic and a click on a malware link—but even a single person could end up infected with dangerous software. Why? They clicked out of sheer curiosity.
What to do: Before running with any impulse, first ask yourself what (or who) could be on the other side of the email, message, or call, especially if the message has no relation to you. If it could be legit, initiate contact separately, using known channels. But if not, just ignore the communication.
A play on your habits
Tech Advisor
Habits can be obvious routines, like always checking your email. If you’re accustomed to email notifications about bank statements, you might automatically click on a link you think will take you to a statement. The habit takes over before your brain fully processes that the message looks a little off.
But they can also exploit habits you never formed consciously—like social norms programmed into you. Maybe you don’t hang up on an unknown caller because you think it would be rude. Or you don’t question your sibling asking you spot them some cash. At work, you share confidential details without hesitation, wanting to preserve the relationship with your colleague.
In each of those situations, you could end up caught up in a scam or hack attempt, because you’re already inclined to be cooperative.
What to do: Take an extra moment to consider the situation before acting, especially if your gut tells you something is off. Is this banking statement arriving at its usual time, and where does the link direct to? Does a stranger cold-calling you actually deserve more than a polite farewell and call disconnection? Can you verify with your sibling through another form of communication (that you initiate) that it’s them asking for that money?
Bonus tips
If you find it difficult to think through these steps on your own, you can always call in outside help. (Thinking with this much suspicion is hard, especially if your brain is preoccupied with stress and worry.)
In addition to this strategy, having secondary lines of defense are important, too—in case you have an off-moment and fall for the social engineering. You definitely want a good antivirus suite installed on your PC (and other devices you use extensively). If part of the attack involves malicious links or software, antivirus should catch those.
Should your antivirus software fail to block a shady website, using a password manager or passkeys for logging into your accounts can prevent the page from stealing your credentials. A credible password manager won’t autofill your sign-in details on phony sites. Similarly, passkeys are specifically tied to the website you generated them for.