At its core, social engineering is not a cyber-attack. Instead, it’s a technique that relies on human error to gain private information, access, or valuables. In cybercrime, these “human hacking” scams lure vulnerable users into exposing data, spreading malware infections, or giving access to restricted systems. Attacks can happen online, in person, and over the phone/text. The aim is to gain the trust of targets and then encourage them to take unsafe actions such as divulging personal information or clicking on web links, or opening attachments that may be malicious.

How does social engineering work?

In a typical social engineering attack, a cybercriminal will communicate with the intended victim by saying they are from a trusted organization. In some cases, they will even impersonate a person the victim knows. If the scam works (the victim believes the attacker is who they say they are), the attacker will encourage the victim to take further action, which could be giving away sensitive information such as passwords, date of birth, or bank account details. 

Why is social engineering so dangerous?

Social engineering is especially dangerous because it relies on human error rather than vulnerabilities in software and operating systems. The most common type is Phishing, where the scammers pose as legitimate sources to obtain sensitive information.

Social engineering phishing techniques

Voice phishing (vishing) phone calls may be automated message systems recording all your inputs. Sometimes, a live person might speak with you to increase trust and urgency.

SMS phishing (smishing) texts or mobile app messages might include a web link or a prompt to follow up via a fraudulent email or phone number. Common examples are texts from large suppliers such as Amazon or FedEx saying you’ve received a shipping update, or that delivery failed, or even a billing invoice, all accompanied by a malicious link.

Email phishing is the most traditional means of phishing, using an email urging you to reply or follow up by other means such as web links, phone numbers, or malware attachments.

Angler phishing occurs on social media, where an attacker imitates a trusted company’s customer service team. They intercept your communications with a brand to hijack and divert your conversation into private messages, where they then advance the attack.

Search engine phishing attempts place links to fake websites at the top of search results. Scammers may have paid for ads or even use legitimate optimization methods to manipulate search rankings.

How to spot social engineering attacks

Defending against social engineering requires you to practice self-awareness. Always slow down and think before doing anything or responding.

If you suspect an attack, here are some questions to ask yourself:

Are my emotions heightened? If you find yourself curious or excited about an opportunity, you’re less likely to evaluate the legitimacy of the situation presented to you. 

Did this message come from a legitimate source? Be suspicious of any unsolicited messages. Inspect email addresses, social media profiles, and if using a desktop, hover over the link to see where the link is actually directing you. 

Did my friend or coworker really send this to me? Whether it was a coworker or another person in your life, ask them in person or via a phone call if possible. They may be hacked and not know, or someone may be impersonating their accounts, especially on social media.

Does this offer sound too good to be true? The rule of thumb is, “If an offer sounds too good to be true, it probably is!” You should consider why someone is offering you something of value for little gain on their end. 

If you receive an email, text, or phone call from someone claiming to be from Members 1st, remember we will never ask for your personal information, such as your credit card number, social security number, card PIN, temporary access code, or online banking password. 

If someone claiming to be from Members 1st asks for this information, do not respond. When in doubt, call us immediately using the number on the back of your card.