How can I avoid social engineering attacks?

Updated:July 2016

How can I avoid social engineering attacks?

Many of the most effective hacking methods don't rely that much on technology, but instead focus on people themselves.

Human beings are often more easily hackable than the technology they use. Many hacking attempts start with a phone call, instant message, email, friend request or even during a chat in person. The best defence is also not that technical - being aware of the potential. This page is aimed at helping you recognise a potential attack, and take steps to shut it down.


  1. What social engineering is
  2. How to recognise it
  3. How to protect yourself

What social engineering is

Social engineering doesn't require sophisticated software, programming knowledge or a lot of time spent guessing your passwords. It does require the attacker to have a bit of confidence, and some background information on the victim is also helpful.

This form of attack happens through social interaction.The attacker tries to trick their victim into revealing enough information that allows them to later hack their victim's accounts, or use that information to attack someone else. It can happen online, over the telephone or in person. You could meet someone at a party who claims to know you from somewhere else, or who cites someone you know as a common friend, and uses that as a stepping stone into a more personal conversation. Or, you may receive a flitratious text message via Skype or some other route, where the person seems to know a bit about you, and is trying to engage you in a conversation, offering a link or a download here and there as the chat progresses.

Social Engineering attacks are usually aimed at the following outcomes:
  • Getting you to divulge passwords or discrete information that could allow the attacker to hack into your accounts
  • Getting you to click on a link that could then give them access to an account or your computer or mobile.
  • Getting you to download a file that is actually malware and gives the attacker control over your device.
Once an attacker can get into one account, the goal will be to break into more, which will grow easier upon each additional success. Sometimes you may not even be the end-result target. For example, they may want to break into your Facebook account in order to trick one of your contacts into a conversation and target them more effectively. The reasons are varied, but the common attibute in all attacks are the same: relying on common human characteristics, flaws and foibles.

How to recognise it

There are countless methods of social engineering, and it's constantly evolving. Wikipedia's page on the topic has a list and description of the main ones. The key to identifying that one of these attacks may be underway actually involves a freelancer to use their journalistic training and experience. Just like when you are approached by a potential source, ask yourself: "Who is this, and why are they talking to me?"

Keep yourself a little (not overly) paranoid about those contacting you via the internet or phone, or people trying to soclicit information about your activities in person. Why do they want or need this information? Why are you suddenly getting a file from this person to download? Communication from a stranger, or unusual or unexpected contact from someone you may know, should sound a little alarm in your head.

How to protect yourself

The best way to protect yourself is — conveniently — by recognising that it is or might be taking place. Think about what you're being asked to say or do. When in doubt, then don't.

THINK OF INFORMATION LIKE A SET OF KEYS. The more you give out, the easier it will be to unlock your online accounts, computers, etc. Avoid handing over usernames, passowords, private ID numbers, credit card or bank details, your schedule, key information about sensative data or contacts you may have, technical information about your computer's system, or details on how you do things like backing up to a cloud server. Details are attack methods.

BE WARY OF PEOPLE WHO SEEM TO KNOW MORE ABOUT YOU THAN YOU DO ABOUT THEM. They've likely looked it up in advance, or are particulary confident in making general assumptions about you. Someone may start with "we met at..." or "... introduced us, remember?" Being socially awkward is okay here. It can help shut things down by responding with, "no, I don't remember you." Likewise, someone may try to use their status or authority (imagined or real)  to intimidate you into into divulging more information, saying something to the effect of, "do you know who I am?" Just remember, you don't know them, and they don't need this information.

YOU DON'T KNOW WHO THIS IS ON THE TELEPHONE: There is no such thing as a bank, internet service provider or anyone else doing legitimate business with you that will ring up and ask for your account details in order to do some piece of work. A potential journalistic contact won't need detailed information about your private accounts, or know how you acces your data in order to send you something. Shut the conversation down. Either just hang up, or say you'll need to call them back and ask for contact details. If you do the latter, then research what they've claimed before deciding whether to call back. A person can pretend to be nearly anyone on a phone call.

YOU REALLY DON'T KNOW WHO THIS IS ON THE INTERNET: "On the Internet, nobody knows you're a dog" is now a popular online meme. It was first used by Peter Steiner as a cartoon caption in The New Yorker, in August 1993, and it's still relevent. Technically speaking, whenever you get an email, instant message, tweet or "friend" request, you don't know who actually sent it. You can often correctly assume who it's from. But a social engineering attack is aimed at using those assumptions against you. Similar to an in-person interaction (discussed above) it could be somoene who's jut befriended you, or they may claim to have heard of you through someone else, or say they've met you before, but try to convince you that you've forgotten.

But there's also another possibility that can't really happen in person: the attacker could be pretending to be someone you actually do know, either by creating a fake account using someone else's name and details, or (often) hacking that person's actual account in order to contact others. In this attack method, the aversary usually either wants you to send him or her personal details (which can then be used against you or someone else), or may try to get you to download a file that will install a program on your computer giving them access to it. Here are some ways to counter this method of attack:
  • If it's from someone you really don't know or remember, shut the conversation down. Go offline, block them, or report them to the service provider.
  • If it's from someone you do know, look at the message, and ask yourself whether this how they usually write? Is it likely they would ask for this kind of information?
  • Pose personal questions that only the actual person would know. Make sure the answer is specific enough that guessing would be difficult, but something they would really know.
  • While talking to this person, try to contact them through another channel, but don't tell them you're doing it. Video chat is best, since you get both face and voice. Phone would be next best, since you've got their number and would recognise their voice. If they don't answer these, either shut the conversation down, or tell them you want to get on a video chat or. If they can't do it, tell them to get back in touch when they can. Contact the actual person through other means and tell them what happened and see what they say.
  • Don't give away details that could comprimise any of your accounts or computers or mobiles. You should avoid this no matter what. Even if the conversation is legitimate, you don't know what will happen with the information once it's been shared online.
  • Be extremely cautious about — or just avoid — accepting downloadable files from someone over the internet if you haven't confirmed who they are.
  • Be careful about links as well. Not all malware or spyware looks like download file. An attacker could send a URL that could disguise the download. They may send link, claiming it goes to a website. When you click on it, you may even actually see the website while something else is happening as well. 

Set up 2-factor authentication on your accounts. Even if someone gets your password, they'll need a secondary code when they first try to use it, and that will be sent to your mobile (which they hopefully don't possess). This helps keep them out, and sends you an alert about the attempt. A number of services also keep logs of login-attempts, and you can check these, and block devices you don't recognise.

Use strong, difficult-to-guess passwords for your accounts. Often times, a social engineering attacker will try to use a lot of personal information to guess your password. This will help keep them guessing.

Keep your privacy settings up-dated. Make sure the online services and social networks you use have the privacy settings you need. Make it more difficult for people to know if you're online, or to be able to see your profiles or details without your consent.

Check website links and download files sent to you before opening them. Links can often be disguised using URL shorteners. Copy it and use Unfurlr to see where it goes before clicking. can check a variety of blacklists, malicious code tricks and hacking attempts before you visit the site. VirusTotal is a useful online tool for checking files for malicious code. If you have already downloaded a file, you can upload it to VirusTotal to check it out. Note: You can often right-click on a file to only download it without opening it, but this should still be done with extreme caution. (VirusTotal also checks links and websites.)

Be careful what you throw out. Shred or destroy any printed documents that someone could gain confidential details if they found it in the bin.
Image: graphic incorporates photography by Benjamin Ellis of Redcatco.


Created: August 2015

Help us be a better resource!

Give us feedback about this page. What was helpful here, or what could be included to make it more useful?

Create a comment
Create a Comment
  • Security code

This website uses cookies. For more information about these please click here.
By continuing to browse you consent to the use of cookies