How to Avoid Social-Engineering Attacks

Anne Johnson

Social-engineering attacks use psychology to manipulate their targets into revealing financial information. Techniques use human emotions and instincts to drive people to act against their best interests.

Social-engineering attacks pose as trusted brands or government agencies, or induce fear and a sense of urgency. But what is social engineering, and how can you avoid its attacks on your finances?

How Social Engineering Works

A social-engineering attack starts with a hacker convincing one under-informed, stressed, or trusting person to do what they say. They identify targets who have confidential information, money or credentials.
Scammers learn as much about the target as possible and find potential entry points. Entry points include:
  • email address
  • phone number
  • social media account
They’ll use any avenue to open the door for an attack.

Once a scammer has information, they offer a “hook” to interest you. When the hook attracts you, the thief executes the social engineering attack.

For example, you could click on a link for a giveaway or a job interview, and the scammer secretly installs malware on your device. Your computer is infected, and confidential information is stolen.

The scammers then disappear, leaving little evidence behind.

This is only one example of social engineering; there are others.

Scammers Use Phishing, Vishing, and Smishing

Phishing attacks use malicious websites or emails to gather personal information by posing as a trustworthy source.

They may send an email from a credit card company you do business with requesting information to verify your account. When the victim responds, the scammers gain access to their accounts.

Vishing leverages voice communication. It is combined with other social-engineering techniques to convince a target to call a number. The criminal then tries to convince the victim to send money for a family member’s emergency or share financial information by posing as a trusted business.

Smishing exploits text messaging. These texts contain links to such things as:
  • webpages
  • email addresses
  • phone numbers
When clicked, they open a browser, dial a number, or open an email message. This integration increases the likelihood that the user will fall victim to illegal activity.

Common Indicators of Phishing

There are several signs to look for that indicate phishing. First, check the suspicious sender’s email address. It may look like a reputable company, but you may notice it’s been slightly altered. For example, a few characters may be changed or omitted.

A trusted organization will write a personalized greeting. But a phishing email will use a generic one, such as “Dear Valued Customer.”

Poor grammar or misspellings are an indicator. A reputable company will have cleanly written emails.

An email may use a sense of urgency or importance to get you to open an attachment. When you open it, it delivers malware.

Watch out for spoofed hyperlinks and websites. Although a website may look identical to a legitimate one, there might be some variations in the spelling of the uniform resource locator (URL); instead of, it might read

Avoid Social Engineering Like Phishing

Be very suspicious of unsolicited phone calls. If an unknown person calls you and can’t verify themselves, hang up and verify the caller with the company. Call the number you have or look it up. Don’t use a number the caller gives you.

To avoid clicking on a spoofed hyperlink or website, hover over the URL with the cursor. Look to see if the text matches the URL (website address). If it doesn’t match, it’s spoofed. Better yet, don’t open any links in emails you’re unsure about.

Never reveal any personal information online. If you think the company is legitimate, verify it by contacting it directly. Go to the company’s website or call them. Don’t click through the link in the email; look the website up separately. Also, don’t call the number in the email; look it up.

Check a website’s security before you use it for purchases. A secure website will have “https” in front of its URL. It will also have a small lock icon. If it has “http” without the “S,” it is not secure and should be suspect.

Baiting and Water-Holing Jeopardize Finances

The difference between baiting and phishing is the source. Baiting poses as a legitimate company to convince the victim to turn over personal information.

Baiting is like dangling a lucrative carrot in front of the victim. The goal is to have the victim take action. The bait could be the free download of a movie or a free offer from your favorite store. Once acted on, the victim’s computer is infected. Personal information is then stolen.

Baiting could also be a website set up to look legitimate. It will offer something discounted to gain access to your credit card information.

Water-holing takes advantage of people who regularly visit and trust a website. The criminal will gather information on a targeted group of individuals to determine the favored websites.

Then, the scammer will test the website for vulnerabilities. Over time, the victim’s computer will be infected, and the attacker will gain access.

Avoid Baiting and Water-Holing

One way to avoid baiting is never to follow links. Be skeptical about any emailed offers. Always use antivirus and anti-malware software.

A watering hole attack takes advantage of any vulnerabilities in your device’s software. So make sure your software is always up to date.

A virtual private network (VPN) disguises online activity from external sources. This makes it difficult for an attacker to profile you.

Protect Against Social Engineering Attacks

Ninety-eight percent of all cyberattacks are social engineering. It’s vital to be vigilant and just use good common sense. Make a habit of suspecting any unsolicited email or phone call received.

Verify the identity of everyone who contacts you. And don’t use their email address or phone number; look up the legitimate one.

It might be cliché, but if something seems too good to be true, it is.

The Epoch Times copyright © 2023.
Anne Johnson was a commercial property & casualty insurance agent for nine years. She was also licensed in health and life insurance. Anne went on to own an advertising agency where she worked with businesses. She has been writing about personal finance for ten years.