Onccloud

Social Engineering: Are You a Victim of People Hacking?

Have you ever received an “Important Message Alert!” or “Warning: Your Computer is at Risk” pop-up while on a random website? Or, have you ever fallen prey to the “IRS is coming to arrest you” phone calls? Most people detect these scams before they can wreak major harm, but they exist because some people fall for them. You might not know that these nasty scams have their own hacking category: it’s called social engineering, sometimes known as “people hacking.” There are so many forms of hacking that each has earned its own moniker. From “evil twins” to downloading malware scams, the floodgates of online and telephone hackers have opened, and anyone can fall prey if they’re not aware.

Social engineering is a stealthy and malicious way to “people hack” by baiting unsuspecting victims with links or messages — and, sometimes, through direct contact. Let’s take a look at what’s considered social engineering, ways a social engineering hack can attack people, and what to do if you’ve been the victim of an attack.

Social engineering differs from other types of hack attacks as it requires human interactions to be successful. Whereas most hackers find a way to corrupt, expose, or sell your data via malware, these hackers will try to form a connection with you (on some level) before they do their dirty work. When you fall victim to a social engineering hacker, you may feel a sense of betrayal and violation. Typically, these hackers will use psychological tricks to manipulate people and lure them into giving away personal data. A hacker may stalk you to expose your security system’s weakest points through your own actions. Then, they may reach out with a personal message or warning to obtain access to your information. Social engineering hackers will also play on your fears of online security breaches in order to, ironically, breach your computer’s security measures.

If you’ve fallen victim to a social engineering attack, you’re not alone.
Part of what makes these hacks so insidious is that many intelligent, educated people have found themselves targeted — and large corporations with almost impenetrable computer security protocols have been attacked as well. Human error enables social engineering hackers to access secure accounts and commit massive fraud. Some notorious examples of social engineering attacks include:

And, per the journal Medical Economics, the healthcare industry is especially vulnerable to social engineering hackers. The federal government has even issued a warning to healthcare workers to guard themselves against attacks. Among professional sectors, the industry has incurred the greatest costs due to data breaches, losing more than $10 million in 2022.

Social engineering can impact anyone, anywhere. It’s vital to know how to identify and how to avoid an attack.

Social engineering hack attacks can take on a multitude of forms and utilize a variety of methods. So how can you possibly know what to look for or how to avoid these attacks? We’re here to help and to break down what an attack might look like:

Phishing is one of the more popular methods to “people hack” via social engineering hacks. This type of hack may come to you through email or even text. A phishing campaign will prey on your fears and demand action from you. Phishers may masquerade as companies you hold accounts with and tell you your account has expired or that there are issues with your online account. Per Verizon, phishing accounts for 93% of online security and data breaches.

For example, you may receive an email purporting to be from Amazon Prime that mimics Amazon’s logo. If you click on the link included in the email, phishers may link to malicious websites or trigger a malware download to your computer. A currently popular phishing text claims a recipient has a valuable package that wasn’t deliverable and must click on a link to rectify the issue.
If you were expecting a package, and you don’t notice any red flags (such as spelling or grammar issues) in the text, you may instinctively click. You’ve just been hit with a social engineering attack.

If you receive any emails or texts with calls to action, verify the sender’s address before clicking on any links. It’s also important to remember that companies will not ask you to resubmit your personal information via an email or a text. If you believe you’re receiving a credible message, go to the official website and sign into your account before taking action.

As its name implies, spear phishing is far more targeted and personal than phishing alone. Spear phishing employs some of the same social engineering methods as phishing, but spear phishers will tailor their attacks to fit specific victims or corporations. Spear phishers take the time to “get to know” their victims before carrying out an attack. These hackers will send you messages that appear individualized and are tailor-made to fit your contacts, personality, and profession. Spear phishing messages often seem legitimate and may appear to come from someone in your contact list.

For example, you receive an email impersonating your company’s CEO which asks you to purchase multiple gift cards for your co-workers. Your boss has asked you to help with incentivizing employees in the past, so you don’t think to question the message. You complete the request and are told to log the gift cards into a linked site. Burning with shame, you realize the email wasn’t legit. The spear phishers now have your credentials, access to company contacts, and the gift cards.

If you receive a message from a known contact that seems out of character, contact them directly via a new thread to ensure the legitimacy of the message. Don’t act on any requests until you’ve verified their credibility. And never follow an uncertain link or enter personal, sensitive information before you’re 100% confident that you know who’s requesting your data.
The fishing analogies of social engineering are vast, yet they totally make sense. Baiters are some of the most egregious people hackers operating today. When working online or via telephone, these hackers target you with false promises: “Earn $10,000 a day for sleeping!” or “Invest $50 now and see a $50,000 return by next month!” If you click on these links, you may inadvertently download malware or give away your most sensitive personal data.

Baiters also physically target their victims. They may leave an unattended flash drive sitting on a coffee shop or library table, hoping to pique your curiosity. If you’re curious enough, you may take the flash drive and insert it into your computer. Baiters might label the flash drives with information to appeal to passersby (e.g., sensitive documents or payroll data). The hackers load physical media with malware. As soon as you insert it into a computer, the malware automatically downloads and infects your computer.

Vishing (“voice phishing”) is, perhaps, the most common social engineering hack. Vishers don’t even need an online presence to snag you. These hackers call people and leave threatening messages that claim urgent attention is required. Vishers often target the elderly, but their call databases include people from all walks of life.

A visher may call you multiple times in one day. They typically leave a vague message warning of dire consequences if you don’t call them back. Vishers will ask you to verify account information over the phone and may impersonate government or law enforcement officials. Vishers may also mirror a known phone number, but will demand payment or other personal information. Know that the companies they’re impersonating would never ask for this in a person-to-person phone call. In some cases, vishers may say they’re calling on behalf of your loved one who was just in a tragic accident or is in jail. Then they demand money.
A good way to protect yourself against these vicious vishers is to utilize caller ID to screen your phone calls. If you don’t recognize a number, don’t answer your phone. If a voicemail asks you to call a number, verify the number and the company it’s associated with first.

No one wants to be hacked, but the “people-hack” of social engineering attacks feels personal. These few easy steps can help you protect yourself:

For more information, check out our podcast episodes “Social Engineering Snares Smart People” and “Social Engineering and Pick Pocketing.” Also check out our explainer “The New Name for Online Con-Artist Tricks.”
