What is social engineering?
Social engineering is a way cyber criminals trick people into giving up access to sensitive information. It’s used to access personal information, steal money and spread malware. Cyber criminals pretend to be people and organizations the victim is familiar with to try to trick them into offering up sensitive information or clicking on a malicious link. They use information they’ve found online to target their victims in a very personal way.
Different social engineering tactics use different techniques, but they often have some things in common. Social engineering scams usually:
- claim to be from someone you know or trust
- create a sense of fear or urgency
- use familiar details to seem credible
Here are some common social engineering tactics used by cyber criminals.
Phishing
Phishing involves tricking victims with a message that appears to be from a trusted source. Sometimes, these messages are designed to look like they’re from an organization you know, like a bank, a streaming service or a government agency. Other times, they pretend to be from a familiar person, like a friend, family member or coworker.
But phishing emails can also pretend to be from people you don’t know. If a long-lost relative, foreign lawyer or government agency reaches out with an offer or gift, it’s likely a scam.
Example of phishing: You get an email that looks like it’s from your bank, saying there’s an error with your account and asking you to click on a link to resolve the issue. The link leads to a fake login page that looks similar to your bank’s. But instead of logging you in to your account, the page sends the username and password you entered to a cyber criminal, who can now access your account.
Watch out for:
- emails from your "boss" asking you to reply urgently
- unexpected issues with online accounts
- requests for sensitive information, like passwords or credit card numbers
Smishing
Smishing is phishing through SMS or text messages. Cyber criminals send texts, pretending to be someone else, to steal your information. Because smishing messages have fewer clues to look for than traditional phishing messages, they can sometimes be harder to recognize. Some common smishing messages include fake delivery notifications, late payment warnings from service providers and government departments threatening legal action. Other smishing messages are written to sound like friends you haven’t heard from in a while or someone just reaching out to say hello.
Example of smishing: You receive a text claiming to be from a mail carrier. It says you need to take immediate action or your package won’t be delivered. It asks you to click a link to verify your address and tracking information. The link leads to a spoofed site, and logging in on it will send your information to the cyber criminal hosting the scam.
Watch out for:
- texts from a family member or friend asking for money
- messages that ask you to click on a link
- warnings that require immediate action to avoid consequences
Vishing
Vishing, or voice phishing, is a phishing attack that happens over the phone. Cyber criminals, known as “vishers” when vishing, call you pretending to be someone they’re not. Government departments, like the Canada Revenue Agency, are often impersonated with this tactic, with the caller threatening legal action if the recipient doesn’t send money. Vishers can use a spoofed phone number and voice cloning technology to disguise their identity or even impersonate someone the victim may know.
A common vishing tactic is known as the “grandparent scam.” Despite its name, this kind of scam can happen to people of any age, though older adults are most often targeted. In a grandparent scam, the visher pretends to be a grandchild or another close relative in an emergency, urgently requesting sensitive information or money to help them. This can be very convincing since the visher can use personal information stolen from social media to back up their story.
Example of vishing: You get a call from someone claiming to be your internet provider. They say your online payments haven’t been going through and ask you to pay by credit card over the phone. Once you offer up your credit card information to the caller, the visher has your financial information, as well as any other credentials confirmed during the call, to use for their own personal gain.
Watch out for:
- calls from a familiar individual or organization asking for personal or financial details
- phone calls that create a sense of urgency
- sudden demands for payment
Conclusion
Social engineering messages can’t always be avoided — but falling for them can be. Verify the sender’s identity before responding and avoid clicking on suspicious links. Always be cautious with unsolicited messages and report any suspicious texts to 7726. Never share personal information over email, phone or text.
Staying aware and informed can protect you from these common scams. Check out this infographic to learn more about social engineering.