Even the most savvy IT professionals can fall victim to social engineering attacks. Here’s how to recognize these threats and avoid falling prey to them.

How to Avoid Social Engineering Scams

Social engineering threats are widespread, affecting even the most savvy IT professionals. While there’s no guaranteed way to defend against them, half the battle is recognizing the methods attackers use. Here are seven ways social engineers may pilfer your money and data, plus tips to protect yourself against them.

The Misplaced Flash Drive

One tried-and-true trick is “accidentally” dropping a flash drive in a company’s parking lot and hoping that a curious employee picks it up and plugs it into a company computer, thus launching the malware payload. While hardly new, this tactic is known to have a high rate of success. Though Microsoft has long disabled automatic app launches from portable storage drives, an enticing file name is usually enough to get employees to open the malware. Companies could, of course, disable USB ports altogether, though a more reasonable approach would be mandatory computer security training.

Phishing Emails That Look Legitimate

While the majority of phishing email messages are poorly formatted and written in broken English, there is no shortage of believable schemes that purportedly come from credit card companies, insurance companies or even the human resources department. Just one mistake from a distracted employee could place the local network or company in jeopardy.

To defend against phishing emails, you need to understand that they are typically designed to persuade you to click on a link or submit personal information. As such, be wary of divulging any information based on an email, and never click on a URL.
Always type out the URL in the browser bar instead.

Emails From Friends and Colleagues

Similar to generic phishing, spear phishing, or emails directed at a select user or group of users, is as old as scams get. However, the popularity of social media platforms makes it easier than ever for hackers to gain access to information that could be used to trick users. Examples include a fake salary spreadsheet with the name of the company, or an attachment that appears to be from a high school classmate.

The bottom line is that users should be wary of all email attachments, while attack vectors such as the use of malicious file attachments should be blocked directly at the email server.

Beware of Phone Calls

It’s surprising what a hacker with the gift of gab can get away with: Hackers may use phone calls to either collect more personal information about you or validate what they already know as part of a larger, more elaborate attack.

One of the best ways to defend against such phone calls is to take down the phone number and offer to call them right back. Alternatively, test the caller by asking for information that they should already know about you. Finally, never divulge information such as passwords over the phone.

Guard Your Email Account

Email accounts are always attractive targets to hackers given how they can be used to initiate password resets and gain access to a wealth of current and historical data. On this front, hackers have been known to gain access by exploiting guessable password reset questions based on publicly available information, or by successfully tricking an email provider.

There may not be much that most small businesses can do about social engineering attempts made on email providers, though be sure to select a provider with a good security track record.
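
The server-side attachment blocking recommended under “Emails From Friends and Colleagues” can be expressed as a small policy check. The following Python code is an added example, not part of the original article; the extension lists, the block/quarantine/deliver actions and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed policy lists for this example; adjust to your environment.
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta", ".iso"}
MACRO_EXT = {".docm", ".xlsm", ".xlsb", ".pptm"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def attachment_verdicts(raw_message):
    """Return (filename, action, reason) for each attachment in a raw message."""
    verdicts = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart container, not an attachment
        # Windows ignores trailing dots and spaces, so strip them before checking.
        suffixes = [s.lower() for s in PurePosixPath(name.rstrip(" .")).suffixes]
        last = suffixes[-1] if suffixes else ""
        if last in BLOCKED_EXT:
            # e.g. "Salaries.xlsx.exe": a document-looking name hiding an executable
            disguised = len(suffixes) > 1 and suffixes[-2] in DOC_EXT
            reason = "executable disguised as document" if disguised else "executable type"
            verdicts.append((name, "block", reason))
        elif last in MACRO_EXT:
            verdicts.append((name, "quarantine", "macro-enabled Office file"))
        else:
            verdicts.append((name, "deliver", "no policy match"))
    return verdicts

def sample_message():
    """Constructed test message; every name and address is made up."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Updated salary bands"
    msg.set_content("Please review the attached spreadsheet.")
    for filename in ("Example_Salaries.xlsx.exe", "reunion_photos.xlsm", "agenda.pdf"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()

if __name__ == "__main__":
    for verdict in attachment_verdicts(sample_message()):
        print(verdict)
```

File names are only one signal; a mail gateway would normally combine a rule like this with inspection of the attachment's actual content.
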

Physical Office Security

White hat security researchers have been known to gain almost unfettered access to large organizations by wearing a shirt emblazoned with the company’s logo or by tailgating employees who return from the smoking area. The risks of physical access cannot be overstated and include hackers circumventing the corporate firewall to plant malicious software on workstations from the inside.

Unless you operate a small business in which everyone knows everyone, it makes sense for employees to wear a security tag with photo identification. Of course, employees should also be trained to look out for fake badges and be aware of the dangers of tailgating.

Fake Windows Technical Support Calls

The widely documented fake support calls from Windows Technical Support continue to defraud users. Essentially, scammers call their victims pretending to be from Microsoft to investigate a malware attack and try to persuade users to grant them remote desktop access. Once in, they pretend to discover a serious case of malware infestation, typically by installing scareware, and then proceed to extort a fee to resolve the problem.

The solution is relatively simple: Just let users know that Microsoft simply does not call end users about possible malware infestation.