How To Protect Yourself From Social Engineering Attacks

Social engineering attacks might impersonate friends, family, or even government officials to trick you into sharing personal info. Here’s what to know to avoid these types of scams.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

Social engineering is a type of cyberattack that takes advantage of your relationships with friends, companies, or even coworkers. Hackers using social engineering might pose as an IT employee, bank representative, or even your boss to try and gather sensitive information like credit card numbers, login credentials, or financial information.

Cybercriminals might also use social engineering scams to open a door for future hacking against you or the organization you work for.

Social engineering attacks come in many different forms, such as baiting, phishing, and quid pro quo. Here’s what you should know about each form of social engineering to protect yourself and your personal data.

In this article
What is social engineering?
12 types of social engineering attacks
1. Baiting
2. Email hacking
3. Pharming
4. Honeytraps and romance scams
5. Phishing
6. Piggybacking or tailgating
7. Pretexting
8. Quid pro quo
9. Scareware or fraudware
10. Smishing
11. Vishing
12. Watering hole attack
How to spot a social engineering attack
How can you protect yourself from social engineering?
Social engineering FAQs
Bottom line

What is social engineering?

Social engineering's end goal is to gain your trust long enough to gather confidential information or access to your accounts. Hackers might use well-crafted email scams, voice mail, and SMS text messages to launch a cyberattack and trick you into sharing sensitive data.

12 types of social engineering attacks

There are several ways hackers use social engineering to try to build trust, trick you into thinking they’re someone else, or even threaten or scare you into sharing personal data.

1. Baiting

In this type of social engineering attack, you might find a new USB stick sitting on your desk or receive an email with an attachment.

Naturally, you might be curious about what’s on the flash drive and plug it into your computer, or you might click on the email attachment. But chances are this USB or attachment is loaded with malware, such as a keylogger, that steals your information.

Baiting attacks can also take the form of enticing pop-up ads that lead to a malicious site or download.

2. Email hacking

Email hacking is a popular method many scammers use. The hacker impersonates the victim by accessing the victim's email account.

Once they’ve gained access, the hacker uses the email account to message the victim’s contact list with phishing scams, malicious attachments, or links leading to malware downloads.

Email hacking is one of the main reasons why you should be skeptical of emails even if they come from a trusted source. If it looks suspicious, don’t click.

3. Pharming

This kind of cyberattack redirects your internet traffic to a fake website. Also called a spoofed site, this fake web page might try to install malware on your device or collect your personally identifiable information (PII).

The PII targeted by spoofed websites could include the following:

  • Bank account information
  • Login information
  • Your Social Security number
  • Your phone number
  • Answers to your security questions

4. Honeytraps and romance scams

Honeytraps and romance scams play off our desire to be liked, which can make them extra effective. In the case of a honeytrap, the scammer will befriend or even pretend to fall in love with their target and form a (fake) online relationship with them. The scammer then uses this relationship to gather personal information.

Most often, honeytraps lead to a financial scam. For example, consider the popular Netflix show “The Tinder Swindler.” The scammer, Simon Leviev, sent his victims text messages that might say something similar to, "My love, I want to see you more than ever. I am a little short this week. We can be together sooner if you send me some money via Western Union!"

5. Phishing

One of the most common types of social engineering is phishing. Phishing can happen via emails or even text messages and comes in many flavors: spear phishing, whaling, and clone phishing.

The goal of a phishing email or text is to get you to click on a link that leads to a malicious site or download.

Spear phishing

This type of phishing attack targets a certain person or organization. Spear phishing messages tend to be very personalized, down to details like your job title or even company contracts or projects you’re involved in.


Whaling, also known as executive phishing, is a very specific type of spear phishing attack that typically targets high-level employees, such as CEOs. Whaling attacks are often used to steal confidential or financial information or gain access to a company’s computer system.

Clone phishing

When scammers use clone phishing, they copy emails from a legitimate company in order to establish some sense of credibility with the victim. These fake emails may look exactly like the official messages you get from the actual company, and the hacker may try to fool you even further by saying the fake email is an updated version of a real email you just received.

6. Piggybacking or tailgating

Some social engineering attacks aren’t all that sophisticated and piggybacking or tailgating are two examples. This type of scam involves in-person contact where the hacker will follow you in order to gain access to the secured location without having a key card or access code.

Piggybacking is the main reason why your IT department warns you against holding the office door open for other people behind you.

7. Pretexting

Like phishing attacks, pretexting often starts with a friendly message that seems harmless. It could be a request to take a survey or fill out a form. But once you agree to fill out the survey or form, the scammer starts to ask for personal data, like your bank account info, to supposedly confirm your identity.

8. Quid pro quo

Quid pro quo attacks continue to impact many of us, but most quid pro quo scammers target the elderly. In this type of attack, hackers try to convince the victims they’ll receive something in exchange for providing personal information.

9. Scareware or fraudware

When using scareware tactics, hackers try to create a sense of urgency to scare you into taking action.

Some scareware messages could start with a friendly reminder and eventually become harsh and intimidating. Others might show up in a pop-up ad with a fake message that your device has a virus and you need to click the ad to get rid of it.

10. Smishing

Email isn’t the only means hackers use to phish for sensitive information. SMS text messaging is another very common method, and when hackers use texts to target their next victim, it’s called smishing.

Smishing attacks can come in the form of a text message that seems to be from a legitimate source. For example, a smishing text might ask you to verify a charge to your credit card by clicking on a link. Another type of smishing attack pretends to offer you a deal from your cell phone provider, but you need to click the malicious link to activate it.

11. Vishing

Vishing is a type of phishing attack that uses a voice call to try and manipulate you into giving up personal data. Cybercriminals may call and pretend to be a bank representative who needs to verify your account information.

Other scammers might pretend to be from Medicare, the Social Security Administration, or even the IRS. If you ever receive a call and the person on the other end asks you for personal info, don’t share anything. Instead, hang up, find the official phone number online, and call the company or organization directly to verify that it’s a legitimate request.

12. Watering hole attack

Watering hole attacks target a group of victims, usually by infecting a website or forum the group uses often.

For example, hackers might infiltrate public forums, including chat rooms, blogs, and community groups. Once they’ve gained access, the scammer usually tries to get members of the targeted group to click a link that leads to a malicious site or malware download.

How to spot a social engineering attack

Social engineering attacks use many different methods, including email, chat, SMS, group messaging, and even baiting to plug in a USB. But most attacks have a few common characteristics to look out for, and learning how to spot social engineering will help protect your data and devices.

Suspicious sender address

Before opening any emails, take a moment to check the sender’s email address. Many impersonation emails or lookalike messages will look like they came from an official sender. But if you look closely, many fraudulent emails include typos or misspelled company names.

For example, let’s say you received an email from It might seem legit at first glance, but would FedEx really email you from a “” domain? Probably not.

Generic greetings

Another clever email phishing method focuses on simple, impersonal greetings such as:

  • Dear valued customer
  • Sir/ma’am
  • I know you are busy. Did you see my message?

These are often accompanied by a lack of contact info or a signature.

Most trusted companies will address you by name and include contact information as well as a signature in their emails. If you receive a message with a basic greeting and no contact info, it’s safer not to click.

Poor spelling and grammar

One of the easiest ways to spot a phishing or spam email is the prevalence of typos. These messages may look like someone rushed to type them out, or they may use improper grammar. Another common theme to phishing emails is inconsistent formatting.

Typos do happen, but legitimate companies often hire someone to create and proofread any emails that are sent out to customers.

Commonly used email subject lines

Hackers often use similar email subject lines to capture your attention. Some of the most-clicked phishing email subject lines, according to KnowBe4, included:

  • HR: New requirements tracking Covid vaccinations
  • Password Check Required Immediately
  • HR: Vacation Policy Update
  • Acknowledge Your Appraisal
  • Someone special sent you a Valentine’s Day ecard
  • Starbucks: Happy Holidays! Have a drink on us
  • Dropbox: Updates about your account

These commonly used subject lines are designed to be friendly or urgent in order to get you to click on the email.

Incorrect links

It’s a good idea to always check any hyperlinks sent in emails before you click them. You can easily do this by hovering your mouse cursor over the link. You want to make sure the link in the text of the email matches the link that appears at the bottom of your browser window when you hover over it.

Keep an eye out for misspelled words or different domains (such as .com or .net) in the links.

Suspicious attachments

It’s fairly normal to receive email attachments, such as a receipt for a purchase, bank statements, or even loan documents. But if you receive an unsolicited email that asks you to open an attachment, it could be a phishing attack.

Some antivirus software includes email attachment scans that can verify whether or not the file is safe to open. But if you don’t have a way to scan the file, it’s safest to not open it.

How can you protect yourself from social engineering?

Ultimately, protecting yourself from identity theft and social engineering starts with awareness. The goal of most hackers and cybercriminals is to steal your information. With that in mind, you can be on the lookout for social engineering attacks.

Verify identity

With every suspicious message or email, call, or text, take a moment to verify the person contacting you.

The best way to do this is to avoid clicking on any links in an email or text message and hang up if someone calls and asks for your info. Then, find the official site of the company that’s supposedly contacting you and call or email them directly using the contact info on the site.

Turn on your email spam filter

Google, Microsoft, and other email providers all offer email filters designed to keep most phishing attacks at bay. Spam filters consider multiple characteristics of each email before deciding whether it belongs in your inbox or in the trash. Most email filters check:

  • The sender’s email address
  • Whether any links in the email match a database of malicious links
  • Whether the email or subject line contains suspicious words

You can also go into your email provider’s spam filter settings to customize it and automatically block emails from certain senders or messages that contain certain phrases.

Consider the circumstances

When you receive an email you believe is fraudulent, chances are it is. Trust your gut and don’t panic. Any message with a threatening tone is most likely false, and it’s safer to not click any links or open any attachments.

Update your antivirus software

Like enabling anti-spam protection from your email service provider, you should enable and update your antivirus software.

Keeping your antivirus up to date is important because new malware is released every day. When you update your antivirus, it replaces the old list of malware files to check for with the most recent version. This ensures your antivirus can spot even the newest types of malware.

Many antivirus programs, like TotalAV and AVG, offer phishing protection that helps spot and block social engineering attacks.

Update your operating system

Antivirus software, spam filtering, and anti-malware software all help protect you and your systems. Updating your operating systems on all devices also will help prevent attacks.

Operating system updates often include security patches that remove newly discovered vulnerabilities that hackers might otherwise exploit.

Use strong passwords

The stronger the password, the more difficult it is to hack. Understandably, you may avoid using strong passwords because they’re hard to remember. This is where a password manager and multi-factor authentication can help.

You should always set up multi-factor authentication (also called two-factor authentication, 2FA, or MFA) on your accounts. MFA ensures that, even if a hacker gets a hold of your password, they still can’t access your account without access to a secondary device or account.

Many websites are also beginning to offer passwordless solutions to help with secure authentication, including:

  • Magic links: This involves sending you a link to your email to authenticate yourself.
  • Touch ID and Face ID: Both Apple and Android devices support biometric logon by scanning your fingerprint or face.

Don’t overshare online

Social networks constantly invite us to share updates about our lives, but posting about our latest trip or even telling friends how our mom is doing could be dangerous.

Hackers can sometimes gather this information and use it to guess your passwords or answers to your security questions. It’s better to keep this private information quiet and not post it online where anyone could find it — even if they haven’t sent you a friend request.

Social engineering FAQs


What is the best defense against social engineering attacks?

The best defense against social engineering attacks is to understand how these types of cyberattacks work. Knowing how to spot a phishing email or smishing attack can help you avoid clicking on malicious links or sharing personal data with scammers.

The next best defense against a social engineering attack is a good antivirus program that includes phishing protection.


Why do hackers use social engineering?

Hackers often use social engineering as a way to gain access to information because it’s usually easier than finding and exploiting vulnerabilities.


What are the four types of phishing attacks?

The four most common types of phishing attacks include:

  1. Spear phishing: Targets a specific person or small group of people with personalized emails including information about their jobs or families.
  2. Whaling: Targets high-profile people like company executives, celebrities, or government officials.
  3. Vishing: Uses voice calls to trick targets into sharing sensitive info.
  4. Email phishing: Uses emails that pose as legitimate companies or senders to get victims to click a malicious link or download malware through an attachment.

Bottom line

Social engineering happens daily through email, SMS, phone calls, and even in-person contact. Hackers use social engineering skills to befriend you, gain your trust, and gather sensitive information.

To avoid social engineering attacks, you should first learn how to spot them and protect yourself against phishing emails and other similar, socially engineered threats. Avoid giving out information, even in social media posts.

Protecting yourself with information is the best way to stop hackers and cybercriminals. You should also use online security measures like enabling your firewall and using a quality antivirus for an extra layer of protection.

Online Protection With VPN Access and Identity Monitoring
Editorial Rating
Learn More
On McAfee's website
Save $90 on a 2-year plan
  • Inclusive antivirus, scam, and web protection with the added privacy of a VPN, identity monitoring, and secure password manager
  • Get a real-time Protection Score that measures your online safety and offers guidance to improve security
  • Added peace of mind with 24/7 expert online support and McAfee’s Virus Protection Pledge
  • Multiple pop-ups for text notifications can be annoying

Author Details
John Gormally is a seasoned global cybersecurity expert, freelance writer, and blogger. With a mix of 25 years in technology sales, marketing, and content creating, John enjoys sharing his experiences with the business community through his various writing projects.