Social Engineering Tactics. How to Recognize and Avoid

Social Engineering Tactics. How to Recognize and Avoid

Social engineering isn’t the first thing that comes to mind when most people think about cyberattacks. Yet, social engineering is consistently the most widely used avenue for breaking through an organization’s cyber defenses. Even when hackers use technical means to break through a system, there will often be some social engineering involved to obtain login credentials, extract useful tips and access confidential information. 

It could occur through any channel including email, text, live chat, social media, phone call and face-to-face. When deployed by a seasoned cyber criminal, social engineering makes stealing sensitive information a much quicker job than conventional hacking. Given the dangers it poses, recognizing the warning signs is essential to avoiding falling victim. Check out these social engineering tactics and tips to avoid them.


According to the FBI’s 2021 IC3 report, phishing was by far the most common type of cyber attack contributing to just under 40 percent of victims. Phishing occurs through an email, text (smishing) or voice call (vishing) from what seems to be a trusted party requesting for information. There’ll be a degree of urgency to the request which is one of the primary distinctions between phishing and pretexting.

Phishing contributed to nearly 40 percent of victims in the FBI’s 2021 IC3 report

For instance, you may receive an email claiming to be from your bank asking you to confirm card details or Internet banking login credentials if you don’t want your account closed. 

Spear phishing is a form of phishing that is highly targeted and based on extensive research about the target. For example, an email sent to you purporting to come from your immediate supervisor asking you to share certain confidential information.

Prevention: Do not open emails and/or attachments from senders you do not recognize, nor should you click on any links they contain. Report, then immediately delete any suspicious email or text.


Pretexting typically starts off with a genuine context to gain your attention and trust. It may be a series of messages from the perpetrator who poses as a co-worker, law enforcement officer, tax official, banker or major customer. Once trust is established, they’ll request for sensitive information such as bank and customer details.

This tactic is not limited to online channels and phone calls alone. For instance, a fraudster could find their way into your offices then pose as an IT auditor or helpdesk technician to earn your trust and gain access to your computer.

Urgency is one of the primary distinctions between phishing and pretexting

Prevention: Do not respond to calls or emails from unknown sources. Call or email colleagues, customers, bankers, law enforcement or other parties the scammer poses as, directly using their officially listed phone numbers and email addresses. This helps confirm an information request is indeed from them before you disclose any sensitive data.


Baiting rides on the target’s greed or curiosity by making false promises or presenting fake opportunities. Once the target has latched onto the bait, the attacker would access their personal data and/or infect their computer with malware. 

A classic baiting technique is to use physical media such as a flash drive to disperse malware. Bad actors will place the drive in a conspicuous location such as an elevator or bathroom. They’ll make it appear interesting or authentic — like labeling it ‘payroll list’. Many people would want to see what the rest of their colleagues earn. When they plug in the flash drive, the malware would be installed.

Baiting also occurs online through ads with lucrative messaging that eventually lead the user to a malware-infected site or deceives them into downloading a virus-laced application.

Prevention: If you can avoid plugging any flash drive to your computer, the better. If you must use one, make sure you own it or have received it directly from a credible source such as your IT department. Do not click any links on strange popup windows or emails. Keep your antivirus up to date. 


A popup window or a new browser tab claiming to have found dangerous malware on your computer. This is the modus operandi of scareware. Also known as fraudware or deception software, the idea is to cause panic by alleging the presence of non-existent threats.

The popup will propose an instant solution — install some magical software that makes the problem disappear. Except in this case, you’ll have installed actual malware instead. Scareware is also propagated through email containing fake warnings or offers to procure premium services.

Prevention: Do not click any links on strange popup windows or emails. Keep your antivirus up to date.

Wrapping Up

Social engineering is founded on human manipulation. Bad actors use your fear, greed or passion to get you to disclose information or provide access you otherwise wouldn’t if approached directly. Having your wits about you is crucial to defeating social engineering attacks.

Bad actors use your fear, greed or passion to get you to disclose information or provide access

If an email, text, call or enquiry sounds too good or too alarming to be true, it probably is. A healthy dose of skepticism will save you. Suspect you could be the target of a social engineering attack? 

C Solutions can help your Orlando area business reduce risk and improve your cybersecurity resilience.

Schedule a free consultation today! Call 407-536-8381 or reach us online.