Social engineering is the art of manipulating people into giving up confidential information. The goals are usually to gain access to restricted systems or data, but can also include tricking people into sending money or gifts. It relies on natural human tendencies to trust others and want to help. Social engineers can make even highly security-conscious people give away sensitive information or act against their own interests.
Defending against social engineering requires vigilance, skepticism, and security awareness. However, with the right knowledge and precautions, you can drastically reduce your chances of becoming a victim. Here are the most important tips on how you can protect yourself from social engineering:
1. Be aware of common social engineering techniques
The first line of defense to protect yourself from social engineering is understanding the most common social engineering methods. Some of the top ones include:
- Phishing – Fraudulent emails, text messages, phone calls or websites impersonating trusted sources to trick users into sharing login credentials or sensitive data.
- Baiting – Leaving infected storage devices or gadgets in public places to lure users into plugging them into their computers and launching malware.
- Quid Pro Quo – Offering a gift or service in exchange for information or access to systems.
- Pretexting – Using a made-up cover story to trick people into revealing confidential details.
- Tailgating – Following an authorized person into a restricted building or area without proper access credentials.
Knowing these and other common tactics makes you much better equipped to recognize and stop social engineering attempts.
2. Verify before trusting requests
A core social engineering strategy relies on urgency or pressure to make the target act quickly without thinking things through. Fight this by taking a step back from any suspicious requests to independently verify them before taking action.
For example, if you receive an urgent email from your manager demanding your password or directing you to wire funds, take a minute to directly call them and confirm they sent this. Don’t rely on the details in the questionable message alone.
This verification step can stop you from falling for fraudulent requests from scammers impersonating trusted contacts. It takes some extra time, but contacting the source directly is worth the minimal effort.
3. Guard personal information
Be extremely careful about sharing personal details with unsolicited contacts that could be used against you in social engineering ploys.
Information like your job title, employer, birthdate, phone number and home address can make it easier for scammers to build convincing cover stories and psychological profiles. The more they know about you personally, the easier it becomes for them to win your trust.
Also, avoid oversharing personal details publicly on social media sites where criminals can harvest that data. Be wary of questionnaires, surveys and forms requesting more information than seems necessary. Always find out how the details will be used to protect yourself from social engineering.
4. Use strong, unique passwords
If social engineers manage to deceive you into handing over your login credentials, the stronger your passwords are, the less access they’ll gain. Use long, complex passwords of at least 12 characters. Avoid dictionary words or personal details that could be uncovered with basic research.
Enable two-factor authentication (2FA) wherever possible as well, so access requires both your password and a one-time code generated by an authenticator app or sent to your phone. 2FA significantly increases the difficulty for scammers if they do phish your password.
In addition, never reuse passwords between accounts. Separate, unique passwords limit the damage if any single one is compromised.
5. Keep software up-to-date
Hackers frequently rely on exploiting unpatched vulnerabilities in outdated software to infect systems with malware or gain backdoor access. By ensuring your operating system, browsers, apps and security tools are always updated with the latest security patches, you remove many of the weaknesses often leveraged in social engineering schemes.
Enable automatic updates wherever possible so you don’t have to remember to check for updates manually. In an enterprise setting, test patches before widespread deployment, but prioritize deploying critical security updates quickly.
6. Install anti-malware tools
Malware is commonly used in social engineering to establish footholds on systems, create backdoors for remote access, steal data and spy on victims. Installing reputable anti-malware software helps detect and block known malware threats.
Use a combination of real-time scanners that constantly monitor systems for threats, as well as on-demand scanners to perform regular full system scans looking for malware. Keep these tools up-to-date as well to ensure they recognize new variants.
7. Don’t click suspicious links or attachments
Unverified links and attachments are prime vectors for injecting malware or redirecting to phishing sites to harvest login credentials. Avoid clicking on any hyperlinks, opening attachments or downloading files from unsolicited or untrusted sources.
Configure email clients to not automatically display externally hosted images, as these can be used to confirm that an email was opened and to target victims with malware. Be especially wary of compressed or executable file types sent unexpectedly from contacts. Social engineers routinely attempt to trick users into installing malware by disguising it as routine documents.
8. Turn on email sender verification
Email spoofing, in which adversaries forge emails that appear to come from trusted contacts or organizations, is a go-to tactic for most phishing campaigns. Enable email sender verification mechanisms like SPF, DKIM and DMARC to detect and block spoofed messages.
These protocols let receiving mail servers check a message’s origin against DNS records published by the sending domain and, in DKIM’s case, a digital signature on the message itself, so that forged senders can be rejected. While not foolproof, they do offer another layer of protection against phishing.
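Publishing these records is only half the job; a weak record (an SPF record ending in +all, or a DMARC policy of p=none with no reporting address) still lets spoofed mail through. The following added example, written for this article rather than taken from it, checks the text of SPF and DMARC records for the settings a defender most often gets wrong and contrasts a weak record with a corrected one. The record strings are constructed; it does not query DNS, and the SPF lookup count covers only the terms visible in this record, not those inside any included records.

```python
# Mechanisms/modifiers that each cost one of SPF's ten allowed DNS lookups (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of weaknesses; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing required p= tag")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will never be received")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return issues


def assess_spf(record: str) -> list:
    """Return a list of weaknesses in an SPF record's text."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    body = [t.lower() for t in terms[1:]]
    lookups = 0
    for term in body:
        # Strip qualifier (+ - ~ ?) and any argument (include:x, a/24, redirect=x).
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr mechanism is deprecated and slow; replace with ip4/ip6/include")
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    terminal = body[-1] if body else ""
    if terminal in ("all", "+all"):
        issues.append("+all authorizes every host on the internet to send as this domain")
    elif terminal == "?all":
        issues.append("?all is neutral and gives receivers no basis to reject")
    elif terminal not in ("-all", "~all"):
        issues.append("record does not end with -all or ~all")
    return issues


if __name__ == "__main__":
    # Constructed records: a weak pair and a corrected pair.
    for rec in ("v=spf1 include:_spf.example.net +all",
                "v=spf1 mx include:_spf.example.net -all",
                "v=DMARC1; p=none",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        checker = assess_spf if rec.startswith("v=spf1") else assess_dmarc
        print(rec, "->", checker(rec) or "OK")
```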
9. Beware requests for secrecy
Social engineers often insist that requests be kept secret from others and emphasize urgent action before some made-up deadline. This piles on psychological pressure while preventing you from seeking a second opinion.
Always treat any demand for secrecy as a warning sign of a scam. No legitimate request should ever require you to bypass organizational security policies or procedures. Push back on secrecy requests and run any suspicious behavior by your security team.
10. Limit personal information online
Check your social media privacy settings to limit how much personal information is publicly viewable. Disable location tagging where possible.
Be wary of answering memes or surveys requesting personal details like schools attended, favorite foods, first car model, etc. These are commonly used questions in account security verification processes, and the answers can help attackers gain access to accounts.
Even when the requested information is already public online, verify that the requester genuinely needs you to confirm those details before providing a response.
11. Disable macros in documents from untrusted senders
Malware is sometimes embedded in documents like Word files and spreadsheets using macros. Avoid enabling macros in documents that come from unverified or untrusted sources.
When receiving documents with essential macros from trusted partners, enable macros only after verifying their legitimacy, scanning them for malware and opening them in isolation first (e.g. on a non-networked, air-gapped system).
12. Lock unattended devices
If stepping away from devices, even briefly, lock them to prevent unauthorized access. Social engineers and even casual passersby can quickly install malware or steal credentials from unattended, unlocked systems. Require strong passwords or biometrics to unlock.
For extra protection, configure devices to automatically lock after short periods of inactivity. This minimizes the chance sensitive systems are left unattended but unlocked.
13. Shield screens from shoulder surfing
Position monitors away from windows and passersby to make it harder for onlookers to shoulder surf and view sensitive info like usernames and passwords. Angle screens to limit visibility further and install screen filters if necessary.
Be cognizant of your surroundings when entering credentials in public and avoid logging into sensitive accounts on public networks where traffic can be intercepted.
14. Restrict account permissions and access
Limit the number of employees granted access privileges to confidential data or core infrastructure. Only authorize the minimum access needed to fulfill duties. This helps limit insider threats and the damage possible if accounts are compromised.
Immediately revoke access for terminated employees as part of offboarding procedures. Implementing the principle of least privilege reduces the number of potential targets for social engineers.
15. Turn off metadata embedding in documents
By default, Microsoft Office embeds metadata like author name, timestamps, and system data in files, which can inadvertently reveal information to adversaries.
Disable this hidden metadata to limit the intelligence it provides and protect yourself from social engineering. Restrict permissions to confidential documents so only specific users can view or edit files.
16. Be wary of unsolicited offers
Offers of gifts, prizes or packages out of the blue from unknown contacts are common lures used to deliver malware or gather personal details from targets. Exercise skepticism of unprompted offers, even if they appear official or come from recognizable entities.
Verify the offer’s legitimacy directly with the company before providing any information or accepting items. If the gift is unexpected or unrealistic, it’s likely a scam.
17. Watch for impersonators
Impersonation via cloning email addresses, websites, phone numbers and documents is a core social engineering tactic. Stay vigilant for subtle differences that indicate impersonation rather than legitimate contacts.
Things like slightly altered spellings, addresses using different top-level domains and minor logo differences can betray spoofing efforts. Verbally confirm identities over the phone if anything seems off.
18. Steer clear of questionable links and ads
Links can be directed to phishing sites or download malicious payloads. Visit known, trusted sites by manually typing the URL instead of clicking on provided links. Be wary of posted links that use URL shorteners.
Avoid clicking questionable banner ads and pop-ups, especially from disreputable sites prone to adware. These frequently spread malware. Disable ads via browser extensions to reduce risk.
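The warning signs in tips 17 and 18 (altered spellings, a familiar name under a different top-level domain, links hidden behind URL shorteners) can be checked mechanically before a message reaches a user. The following added example, written for this article and not part of the original page, extracts the host from a link, flags known public shorteners, and compares the host against a constructed list of trusted domains using three heuristics: character-lookalike substitution (1 for l, rn for m), same name under another TLD, and a one-character typo. The trusted-domain list and the sample URLs are constructed; the public-suffix handling is a simple split on the last dot, which is an assumption good enough for this illustration.

```python
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example.com", "example-corp.net")           # constructed list
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}   # well-known public shorteners

# Characters and pairs commonly substituted to imitate a letter.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(name: str) -> str:
    """Collapse lookalike characters so 'examp1e' and 'exarnple' both read 'example'."""
    return name.replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Return (verdict, trusted domain it resembles or None)."""
    d = domain.strip().lower().rstrip(".")
    for t in trusted:                       # exact match or genuine subdomain
        if d == t or d.endswith("." + t):
            return "trusted", t
    d_label, _, d_tld = d.rpartition(".")   # assumption: single-label TLD split
    for t in trusted:
        t_label, _, t_tld = t.rpartition(".")
        if normalize(d) == normalize(t):
            return "lookalike-homoglyph", t
        if d_label == t_label and d_tld != t_tld:
            return "lookalike-tld", t
        if edit_distance(d_label, t_label) == 1:
            return "lookalike-typo", t
        if t_label in d_label:
            return "lookalike-brand-embedded", t
    return "unknown", None


def check_url(url: str) -> tuple:
    """Classify the host a link really points at (after any user@ prefix)."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    if host in SHORTENER_HOSTS:
        return "shortener", host
    return classify_domain(host)


if __name__ == "__main__":
    # Constructed sample links a phishing filter might see.
    for link in ("https://mail.example.com/inbox", "http://examp1e.com/login",
                 "https://example.co/verify", "https://bit.ly/3xyz",
                 "https://example.com@evil.example/reset"):
        print(link, "->", check_url(link))
```

The last sample shows why the host must be taken from a proper URL parser: text before an @ in the authority is user information, so a link that begins with a trusted name can still land on a different host.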
19. Never share credentials
The standard protocol should be never to share your system credentials with anyone, regardless of who they claim to be or represent. Legitimate tech support will use company-approved procedures for remote access rather than asking for your passwords.
Treat requests for credentials themselves as a giant red flag. Try to independently verify the identity of anyone making such requests before even considering compliance. When in doubt, lean toward non-compliance.
20. Install VPNs and use encryption
Encrypting traffic and connections via VPNs or protocols like HTTPS protects sensitive communications and transactions from interception that could expose details to criminals. Avoid public Wi-Fi without a VPN that tunnels and encrypts your browsing.
For extra protection, encrypt files directly using built-in operating system tools or third-party software. This helps defend data even if systems are compromised.
21. Verify phone numbers
Caller ID spoofing lets scammers mask the phone numbers that appear when they call you. Don’t trust an incoming number even if it looks legitimate or familiar.
Manually look up published numbers like on the company website rather than calling odd numbers left in voicemails. Verifying via separate contact channels helps avoid being tricked by spoofed communications.
22. Regularly back up and delete data
Routinely back up critical data both on-premises and to the cloud to enable restoring data that may be destroyed or held for ransom if systems are breached. Test restoration periodically.
Institute policies for regularly deleting old data that is no longer needed to reduce the cache of information that could be stolen or leaked. Keeping lots of unnecessary data just gives attackers more to take.
23. Disable unwanted browser extensions
Browser extensions and add-ons have high privileges that could enable malware to steal browsing data, inject ads or compromise systems if hijacked by criminals. Limit extensions to only those critical for duties and vet them thoroughly first.
Disable or remove unneeded extensions completely. Only download extensions from official app stores like Chrome Web Store or directly from the vendor site instead of third parties. Keep all extensions updated.
24. Educate employees on security best practices
Train employees extensively on social engineering red flags, critical security hygiene like patching and backup procedures, password policies and how to identify and report potential incidents. Run phishing simulation tests to reinforce lessons.
Emphasize the responsibility every employee shares in protecting the organization, systems and data. Ensure everyone understands policies, threats and their individual roles. Ongoing education significantly bolsters resilience.
25. Limit employee data access
Restrict access to sensitive systems and data to only the employees that absolutely must interact with it for their specific roles. This helps prevent unnecessary exposure of confidential information that could aid social engineering schemes.
Implement a least privilege model and enforce policies like disabling external storage devices to limit what data insiders can exfiltrate. Monitoring and logging employee access patterns can also help identify potential threats.
26. Control physical access
Require employees to display ID badges on premises and train staff to report unrecognized individuals not displaying badges in restricted areas. Institute card reader access controls on doors leading to sensitive locations.
Ensure servers containing critical data are physically secure in locked rooms or enclosures with strict access limitations. Security cameras can also help monitor for tailgaters or unauthorized access attempts.
27. Report suspicious activity
Promptly report to IT staff or management anything that seems amiss, such as unknown files appearing on a system, odd visitation requests or unusual account-lockout warnings whose legitimacy cannot be verified.
Enterprises need to make clear how personnel should report red flags they notice. This could be via email, a dedicated hotline or a ticketing system. Speedy reporting of potential incidents helps stem attacks.
28. Use caller ID and voicemail screening
Use corporate directories rather than incoming numbers to verify callers. Avoid answering phone calls where caller ID appears blocked or matches numbers known to be fraudulent. Let unknown callers leave a message so their identity and reason for calling can be independently established first.
Scrutinize the messages left for any suspicious or urgent demands for personal information or account access. If you don’t recognize a caller or cannot confirm their identity, avoid calling back numbers left in messages.
29. Establish an insider threat program
Develop a formalized insider threat program incorporating monitoring for personnel behavioral patterns that could indicate increased risk. Look for unauthorized access attempts, downloading large amounts of data and unreported foreign contacts.
Conduct insider threat training and implement controls like system access monitoring, two-factor authentication, authorization limits and principles of least access privilege and separation of duties.
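The monitoring this tip calls for (repeated unauthorized access attempts, unusually large downloads) is straightforward to express as detection logic over access logs. The following added example, written for this article and not drawn from it, runs three simple rules over a handful of constructed log lines: a per-user daily download volume threshold, a threshold on denied access attempts, and downloads outside working hours. The log format (timestamp, user, action, resource, bytes) and all thresholds are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample lines: "<ISO timestamp> <user> <DOWNLOAD|DENIED> <resource> <bytes>"
LOG_LINES = [
    "2024-03-04T09:12:01Z alice DOWNLOAD /finance/q1.xlsx 2400000",
    "2024-03-04T09:15:44Z alice DOWNLOAD /finance/q2.xlsx 1800000",
    "2024-03-04T22:01:09Z bob DOWNLOAD /hr/payroll-export.zip 740000000",
    "2024-03-04T22:03:15Z bob DOWNLOAD /hr/employees.csv 120000000",
    "2024-03-04T10:02:00Z carol DENIED /eng/secrets/prod.env 0",
    "2024-03-04T10:02:05Z carol DENIED /eng/secrets/prod.env 0",
    "2024-03-04T10:02:11Z carol DENIED /eng/secrets/prod.env 0",
    "2024-03-04T10:02:40Z carol DENIED /eng/secrets/staging.env 0",
    "2024-03-05T02:30:00Z bob DOWNLOAD /hr/benefits.pdf 5000000",
]


def find_anomalies(lines, byte_threshold=500_000_000, denied_threshold=3,
                   work_hours=(7, 19)):
    """Return sorted (user, day, rule, detail) tuples for every rule that fires."""
    downloaded = defaultdict(int)   # (user, day) -> bytes
    denied = defaultdict(int)       # (user, day) -> denied attempts
    after_hours = defaultdict(int)  # (user, day) -> downloads outside work_hours
    for line in lines:
        ts, user, action, resource, nbytes = line.split()
        day, hour = ts[:10], int(ts[11:13])
        if action == "DOWNLOAD":
            downloaded[(user, day)] += int(nbytes)
            if not (work_hours[0] <= hour < work_hours[1]):
                after_hours[(user, day)] += 1
        elif action == "DENIED":
            denied[(user, day)] += 1

    alerts = []
    for (user, day), total in downloaded.items():
        if total >= byte_threshold:
            alerts.append((user, day, "volume", f"{total} bytes downloaded"))
    for (user, day), count in denied.items():
        if count >= denied_threshold:
            alerts.append((user, day, "denied", f"{count} denied access attempts"))
    for (user, day), count in after_hours.items():
        alerts.append((user, day, "after_hours", f"{count} downloads outside working hours"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_anomalies(LOG_LINES):
        print(alert)
```

Thresholds like these need tuning against a baseline of normal behavior for each role; the rules are meant to surface cases for a human to review, not to act on their own.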
30. Test defenses via red team exercises
Contract external experts to simulate social engineering attacks against your organization and attempt to phish users, gain physical access to facilities and trick personnel into handing over data or access.
Analyze the results of red team tests to spotlight vulnerabilities and gaps in defenses. Use findings to educate staff further and strengthen controls before real criminals strike.
Social engineering presents substantial risks to enterprises and individuals, given human tendencies to inherently want to trust others and provide assistance when asked. By recognizing common manipulation tactics and being vigilant for suspicious activities, requests and communications, you can identify malicious attempts faster and exercise greater skepticism.
Protection from social engineering comes from awareness, critical thinking, and deploying technological controls and prudent policies around access, passwords, education and reporting procedures. Even as technology, including mobile app development, evolves rapidly, organizations can cultivate resilience against emerging threats with proper precautions, preparation and training, which requires everyone from employees to executives to acknowledge their role and responsibility in safeguarding against this menace.
Frequently Asked Questions
- What are some examples of social engineering attacks?
Some common social engineering attacks include phishing, pretexting, baiting, quid pro quo, and tailgating. Criminals use tactics like impersonation, urgency, and appeals to human psychology to manipulate targets into giving up information or access.
- What should you do if you suspect a social engineering attack?
If you suspect a social engineering attack, do not provide any information or comply with requests. Verify the identity and legitimacy of the request through separate channels, report the suspicious activity to IT/security teams, and avoid clicking links or opening attachments.
- How can companies defend against social engineering?
Companies should implement security awareness training, insider threat programs, role-based access controls, strong authentication methods, monitoring for suspicious access, and IT policies that limit data and permissions for users. Red team testing also helps strengthen defenses.
- Why do social engineering attacks work?
Social engineering attacks exploit natural human tendencies to trust others, comply with authority, and want to help people. By impersonating trusted entities and appealing to these psychological factors, criminals can convince even security-aware people to hand over data and access.
- What should you avoid posting on social media to limit social engineering risks?
Avoid posting details like phone numbers, home addresses, birthdates, employers, job titles, locations, vacation plans, schools attended, favorite foods, first car models, childhood pet names, etc. Criminals harvest this data to impersonate targets better and gain access to accounts.