ESET Editor

How Not to Fall Victim to Social Engineering



Social engineering tactics are becoming increasingly sophisticated. How do you avoid becoming their victim?


Humans are emotional beings, and social engineering is a very effective way to take advantage of that. What's more, social engineering attacks usually don't require highly specific technical skills on the attacker's side. Getting thousands of users to give up sensitive information or perform harmful actions has so far proven rather easy. Don't be fooled: even a small business can become a target.


You have probably heard about spam or phishing, two examples of how users' emotional reactions can be misused. Spam is mostly sent by email, but it can also be delivered via instant messages, SMS and social media. Spam itself is a delivery channel rather than a social engineering method in the true sense of the word, but it often carries phishing, spear phishing, vishing and smishing lures, or spreads malicious attachments and links.



Phishing is one of the most frequently used forms of social engineering. In this case, the attacker pretends to be a trustworthy entity, requesting sensitive information from the victim. But there is much more to watch out for. The world of social engineering is fairly varied – let’s take a look at other types of attacks.

  1. Spear Phishing: A targeted form of phishing aimed at a specific individual, organisation or business. Unlike typical phishing campaigns, which are sent to hundreds or thousands of recipients without targeting anyone individually, a spear phishing message is tailored to its victim.

  2. Vishing: Method similar to phishing but using fraudulent phone calls instead of emails. The cybercriminal often disguises themselves as a bank or insurance company representative.

  3. Smishing: Social engineering attempt via SMS text messages. Most often, smishing attempts aim to redirect recipients to a website where their data is harvested. However, there could also be campaigns in which the victims are asked to send sensitive data in a direct SMS reply.

  4. Scareware: Software that uses anxiety-inducing techniques to pressure victims into installing further malicious code on their devices. For example, fake antivirus products trick users into installing a specific programme to 'remove the problem', but that programme is usually the malware itself.

  5. Impersonation: The technique of impersonation is the same as in the physical world. Cybercriminals contact employees, typically posing as their CEO, trying to manipulate the victims into taking action – ordering and approving fraudulent transactions, for example.

  6. Technical Support Scams: Attackers strive to sell fake services and remove non-existent problems, or to install a remote access tool on the victim's device and gain unauthorised access to their data. This practice has become much more common since the pandemic began.

  7. Sextortion: Sextortion is a long-running email scam scheme that tries to blackmail victims using baseless claims and accusations, typically that the sender holds compromising recordings of the recipient that will be released unless a payment is made.

  8. Cyber scams: Cyber scams are combinations of various previously mentioned techniques.

The COVID-19 pandemic has been a high season for phishing attacks. Learn how to recognise them before they can cause any harm.

How to protect your business from social engineering

Now that you know the techniques of social engineering, how can you recognise them? A few signals can help. Does the text contain mistakes, incorrect grammar or a sense of urgency? Is there something odd about the sender's address, such as a display name that claims to be your bank while the actual address belongs to an unrelated domain? Is someone you don't know asking for personal information or a password? Does the message push you to act without thinking? Does the offer in the email sound too good to be true? It probably is. Remember, any unsolicited request for sensitive data is suspicious.
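The signals listed above can be turned into a first-pass triage check. The following script is an added example written for this page, not ESET's code or product: it parses a raw email, flags a display name that claims a brand whose domain does not match the sender address, a Reply-To routed elsewhere, urgency and credential-request wording, and links whose visible text shows one URL while the href points to another. The brand-to-domain allow-list, the keyword lists and both sample messages are constructed for the example.

```python
"""Heuristic triage of a raw RFC 5322 message for common phishing signals."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: a brand a display name might claim -> domains that
# legitimately send mail for it. In practice this is your own vendor list.
TRUSTED_DOMAINS = {"acme bank": {"acme-bank.com", "notify.acme-bank.com"}}
URGENCY_WORDS = ("urgent", "immediately", "24 hours", "suspended", "act now")
CREDENTIAL_PHRASES = ("verify your password", "confirm your password",
                      "enter your password", "update your login")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: bytes) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means no signal fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_dom = _domain(sender)
    # 1. Display name claims a brand, but the address is not one of its domains.
    for brand, domains in TRUSTED_DOMAINS.items():
        if brand in display.lower() and sender_dom not in domains:
            findings.append(("brand-impersonation", f"{display!r} from {sender_dom}"))
    # 2. Replies are silently routed to a different domain than the sender's.
    reply_dom = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != sender_dom:
        findings.append(("reply-to-mismatch", f"{sender_dom} -> {reply_dom}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    links = []
    if body is not None and body.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(content)
        links = extractor.links
        content = re.sub(r"<[^>]+>", " ", content)   # strip tags for keyword scan
    text = (str(msg.get("Subject", "")) + " " + content).lower()
    # 3./4. Pressure to act now, and a request for credentials.
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    hits = [p for p in CREDENTIAL_PHRASES if p in text]
    if hits:
        findings.append(("credential-request", ", ".join(hits)))
    # 5. Anchor text shows one URL while the href points somewhere else.
    for href, shown in links:
        if shown.startswith(("http://", "https://")) and \
                urlparse(shown).hostname != urlparse(href).hostname:
            findings.append(("link-mismatch", f"{shown} -> {href}"))
    return findings


# Constructed sample messages (not real captures).
SAMPLE_PHISH = b"""From: "Acme Bank Security" <alerts@acme-bank-verify.com>
Reply-To: recover@mail-login-center.net
To: jane@example.com
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, we detected unusual activity. Verify your password
immediately or your account will be suspended.</p>
<p><a href="http://acme-bank.login-check.xyz/verify">https://www.acme-bank.com/secure</a></p>
</body></html>
"""
SAMPLE_LEGIT = b"""From: "Acme Bank" <alerts@acme-bank.com>
To: jane@example.com
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Hello Jane, your statement for March is ready in online banking. No action is needed.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw))
```

Running the script reports five findings for the constructed phishing message and none for the legitimate statement notice. Heuristics like these are a triage aid, not a verdict: a well-crafted spear phishing message can avoid every keyword here, and a legitimate mail can trip one signal, so treat several hits together as the reason to escalate rather than any single one.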

You can do more to protect your business from social engineering. Here are several tips on how to stay one step ahead of attackers.

1. Train your employees

Since social engineering techniques rely on their targets' low cybersecurity awareness, regular cybersecurity training is important for the whole company, whether top management, IT or other departments. Include real-life scenarios in the training; only then will employees be able to picture particular situations and learn from them. Employees should know the company's security policy, written in understandable terms, and know what steps to take and whom to report to when they come into contact with social engineering.



2. Have your passwords under control

A strong password policy is a must-have. Scan for weak passwords that attackers could misuse. Also, consider adding another layer of security by implementing multifactor authentication. Keep in mind that one-time codes sent by SMS or generated by an app can still be phished in real time by a fake login page that relays them to the genuine service, so prefer phishing-resistant methods such as FIDO2 security keys where possible.

3. Use appropriate security solutions

Another way to improve your security is to implement technical solutions that tackle scam communications, so that spam and phishing messages are detected, quarantined, neutralised and deleted before they reach users. Enhance your protection with tools that give IT admins full visibility across the network and the ability to detect and mitigate potential threats.

Keep in mind that the more you know about cyber risks, the more aware you will be of the necessary prevention. Thanks to that, your data will be protected – and so will your business.