How to defend yourself against social engineering attacks
First off, let’s define social engineering. Social engineering is a psychological manipulation technique used by cybercriminals to trick individuals into giving up confidential information or performing actions that compromise security.
Listen to the podcast
How to defend yourself against social engineering attacks
In this podcast, Kevin Hogan, head of Fraud Risk for Investec (SA), explores the dangerous world of social engineering. He explains how cybercriminals exploit human psychology to trick individuals into compromising their security.
Subscribe to get Investec Focus insights delivered straight to your inbox
So, instead of directly targeting software or hardware, these fraudsters exploit human emotions. They will use emotions like trust, fear, urgency or curiosity to manipulate people into revealing sensitive details, such as passwords or personal data.
Stay calm and don’t react in panic. Fraudsters want you to act quickly, but it’s important not to do something you will regret later. Take a step back and think about the situation rationally. If in doubt, contact a trusted source (your banker, broker, family member) using a known number. It’s better to be cautious than to risk falling for a scam.
What are social engineering attacks?
Social engineering attacks refer to the specific strategies and tactics employed by cybercriminals to manipulate individuals into giving up sensitive information, credentials or access.
By understanding how people react to authority, fear, trust and urgency, these scammers create scenarios that prompt unsuspecting victims to act against their best interests.
Imagine you’re listening to your favourite podcast on your morning commute when you receive an email claiming there has been suspicious activity on your account and link that reads, ‘Verify your account here’. Without thinking, you click the link and go back to your podcast.
What you don’t know is that the link has taken you to a fake site and once you’ve submitted your information, the fraudster will capture it and use it to enter your real bank account.
Kevin Hogan, head of Fraud Risk for Investec (South Africa), says: ‘Social engineering is not about hacking into systems; it's about hacking the human mind. Social engineering manipulates through familiarity and trust. Fraudsters might pose as your bank or a familiar service provider. This manipulation is often executed through phone calls, emails or even SMS - making you believe you're dealing with a trusted entity. In most cases, you receive a message that looks legitimate, urging you to act quickly perhaps to update your account or confirm a transaction. Each click, each shared detail, can lead to significant losses. It’s not just about being careful … it’s about being aware.’
Social engineering is not about hacking into systems; it's about hacking the human mind.
Social engineering examples
Here are three of the most common social engineering attack types and examples of how they could be used:
• Phishing
The fraudsters send fake messages (emails, texts etc) pretending to be from a legitimate source. The goal is to get you to share confidential information or unknowingly download malware. If phishing attacks take the form of voice calls, it is known as ‘vishing’ (voice phishing). If phishing is done via SMS, it is known as ‘smishing’.
Imagine getting an email from a well-known payment service warning you that your account will be locked unless you ‘confirm’ your payment details. The email looks real and even includes the company logo. You click the link and end up on a fake page designed to steal your login information. You are then advised that a member of that organisation will call you
Often phishing, vishing and smishing work hand-in-hand.
- Pretexting
Pretexting involves creating a believable story or scenario to convince you to share information. Fraudsters usually pretend to be someone in authority or someone you trust.
Imagine getting a call from someone who says they’re from your bank. They tell you there’s a technical issue and they need your username and password to fix it. The caller uses all the right jargon and sounds legit - so you hand over your credentials without questioning it.
- Spear phishing
Spear phishing is a more personalised version of phishing. Here, fraudsters target specific individuals using information they’ve gathered to make the messages more convincing.
Imagine you get an email that appears to be from your boss, referencing a recent team meeting and asking you to urgently share your login credentials for a shared document. It feels authentic because it references something only your team would know.
How to avoid social engineering attacks
As social engineering attacks become more sophisticated, it's essential that you know how to protect yourself. Here are some tips to help you stay safe and avoid falling victim to these deceptive tactics:
- Be suspicious of unexpected communications (very suspicious)
Whether it’s an email, SMS or phone call, always question unsolicited requests for sensitive information. Verify the sender’s identity before taking any action. If it’s an email, look for signs of phishing, such as poor grammar or suspicious links. (As AI continues to evolve, telling the difference between genuine and fraud communications is becoming increasingly challenging.
If an email or call seems suspicious, take a moment to reach out directly to the institution involved using a verified contact number or email (don’t use the number on the email or document).
Recognising these scams is your first line of defence in protecting your personal information and your money.
- Avoid using apps that misrepresent caller ID:
Be cautious of using apps that can display misleading caller information. Always verify unknown or suspicious numbers through direct, trusted channels.
Some caller ID or call-blocking apps may collect not only your cellphone number but also other sensitive personal information. Even if you haven’t subscribed to these services, they might still have your number and information on their databases.
- Manually type in URLs
Instead of clicking on links in emails or texts, get into the habit of manually typing the website address into your browser.
This ensures you’re visiting the legitimate site rather than a fake one designed to steal your information.
- Use two-factor authentication (2FA)
Enable two-factor authentication on your accounts whenever possible. This adds an extra layer of security, making it more difficult for attackers to gain access even if they acquire your password.
Two-factor authentication works because it means you need two discrete things: something you know (like a password) and something you have (like a mobile device).
- Be cautious on social media
Limit the amount of personal information you share on social media platforms. Fraudsters often use this information to write convincing messages or to impersonate you.
- Stay alert about common tactics
Understanding the tactics used in social engineering can prepare you to better handle suspicious interactions. Awareness and education are key in recognising and preventing these types of fraud.
Don't miss new episodes: Subscribe to Investec Focus Radio SA
Browse further in