Welcome back to our Cybersecurity Awareness Campaign! This is Part 7 of the series. Before heading into this new topic, check the previous articles on Part 5 and Part 6.
Understanding Social Engineering
Cybercriminals don’t always rely on technical hacking to break into systems. Instead, they often take advantage of human psychology—using deception, manipulation, and persuasion to trick people into giving away sensitive information. This is known as social engineering, and it’s one of the most effective ways attackers gain access to personal data, company systems, and even financial accounts.
Think of it as a digital con game, where criminals exploit trust, fear, or urgency to get what they want. Unlike traditional cyberattacks that involve breaking through firewalls or cracking passwords, social engineering relies on tricking people into handing over access willingly.
Let’s take a look at some of the most common social engineering tactics and real-world examples to help you stay alert.
1. Pretexting – The Art of Fabrication
What it is: The attacker creates a fake identity and a believable scenario to gain trust and extract confidential information.
Example: You receive a phone call from someone claiming to be from your bank’s fraud department. They tell you that suspicious transactions have been detected on your account and ask for your account details to “verify your identity.” In reality, they are stealing your information.
How to protect yourself:
- Always verify the identity of the person requesting sensitive information by calling the company directly.
- Be cautious if someone pressures you to act immediately.
2. Baiting – The Tempting Trap
What it is: Cybercriminals offer something enticing—like free software, gift cards, or exclusive downloads—to lure victims into revealing personal details or downloading malware.
Example: You come across a USB drive labeled “Employee Salaries 2024” in the parking lot of your office. Curious, you plug it into your computer, only to unknowingly install malware that grants the attacker access to your system.
How to protect yourself:
- Never plug in unknown USB devices or download files from untrusted sources.
- Be skeptical of “too-good-to-be-true” online offers.
3. Phishing – The Digital Deception
What it is: A form of scam where attackers send fake emails, texts, or messages that appear to be from trusted sources, tricking victims into clicking malicious links or sharing sensitive data.
Example: You receive an email that looks like it’s from PayPal, warning you of “unauthorized access” to your account. The email urges you to click a link and enter your login details. However, the link directs you to a fake website designed to steal your credentials.
How to protect yourself:
- Check email addresses carefully—phishers often use slight misspellings (e.g., paypall.com instead of paypal.com).
- Avoid clicking on links in unexpected emails. Instead, go directly to the company’s website by typing the address in your browser.
- Look for grammatical errors or unusual wording—these can be red flags.
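The two phishing checks above (a sender domain that is a near-misspelling of a real brand, and a link whose visible text names a different site than its real target) can be automated on the receiving side. The following is an added example written for this article, not code from the authors or from any product; the trusted-brand list, the e-mail addresses and the HTML message are constructed sample data, and the "last two labels" domain rule is a deliberate simplification that does not consult a public-suffix list.

```python
"""Defender-side checks for two phishing tells: lookalike sender domains and
links whose shown text disagrees with their real destination.
All domains, addresses and the sample message below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brands this organisation genuinely deals with.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com", "microsoft.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Simplified 'last two labels' rule (assumption; no public-suffix list):
    'mail.paypal.com' -> 'paypal.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: address."""
    host = address.rsplit("@", 1)[-1].strip("> ").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Either the brand is buried in a subdomain of someone else's domain,
        # or the domain is one or two typos away from the real one
        # (paypall.com vs paypal.com).
        if trusted in host or edit_distance(domain, trusted) <= 2:
            return "lookalike"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html_body: str) -> list:
    """Return (shown text, real href) pairs where the text shows a URL or host
    for a different domain than the link actually points to. This is the
    'hover over the link first' advice done programmatically."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            flagged.append((text, href))
    return flagged


# Constructed sample message modelled on the PayPal scenario in the article.
SAMPLE_SENDER = "PayPal Security <alerts@paypall.com>"
SAMPLE_EMAIL_HTML = (
    "<p>We detected unauthorized access to your account. "
    '<a href="http://paypall.com/login">https://www.paypal.com/signin</a> '
    'or visit the <a href="https://www.paypal.com/help">Help Center</a>.</p>'
)

if __name__ == "__main__":
    print("sender:", classify_sender(SAMPLE_SENDER))
    for text, href in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text says {text!r} but points to {href!r}")
```

Both checks are heuristics: a near-miss domain that belongs to an unrelated legitimate company will be flagged too, so the output is a prompt to verify through an official channel, not a verdict.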
4. Tailgating – The Physical Breach
What it is: An attacker physically follows an authorized person into a secure area without proper credentials.
Example: A person in a delivery uniform walks up to an office building and waits for an employee to enter. As the employee opens the door, the “delivery worker” politely asks them to hold it open. Without questioning, the employee complies, unknowingly letting a stranger into a restricted area.
How to protect yourself:
- Never hold the door open for strangers in secured locations.
- Always verify a person’s credentials before granting access.
How to Stay Safe from Social Engineering Attacks
Now that you know the common techniques, here are some proactive steps you can take to protect yourself and your organization:
- Be skeptical of unexpected requests – Whether it’s an email, a phone call, or a message, if someone asks for sensitive information or immediate action, take a moment to verify their legitimacy.
- Think before you click – Avoid clicking on links or downloading attachments from unknown sources. Always hover over links to see the actual URL before clicking.
- Verify identities – If you receive a suspicious request from your bank, employer, or service provider, contact them directly using official contact information rather than responding to the message.
- Use multi-factor authentication (MFA) – Even if your credentials are stolen, MFA can prevent unauthorized access to your accounts.
- Educate yourself and others – Social engineering is all about human error. By staying informed and spreading awareness, you help reduce the risk of falling for these tactics.
Written by Gabrielle Uy, based on research and text by Rafael Coimbra.