How to keep yourself safe from social engineering attacks

social engineering

By Kiki Schirr, {grow} Contributing Columnist

Your Facebook “About” page says where you were born. LinkedIn states where you work. Your Twitter profile reveals your collegiate team. And that old OKCupid profile you forgot to delete–well, you were a little too open, perhaps.

There’s likely a ton of data about you online, especially if you’re crafting a big social media presence. Being found is great in business, but are you sharing too much private information?

Today I’ll examine the nefarious practice of social engineering and what you can do to combat it.

Keeping yourself safe from social engineering

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.

Let’s start with the basics. What private information is already out there that could be clues for hackers? In order to fully protect your privacy, you should know what you should be guarding. At the least, protect:

  • your personal or home phone number
  • home address
  • your personal email
  • state-issued ID numbers
  • any information that would hint to a password

If you have a child, or other special considerations, keep even more information secure.

Common types of information-gathering attacks

You might have heard that your “hacker name” is the name of your first pet followed by the your mother’s maiden name. Don’t post the results online, because that quiz is a common social engineering attack. Both pieces of information are common answers to identity-proving questions.

There are plenty of other social engineering tactics. You might be familiar with phishing attacks — those are the emails you receive daily in your spam folder, from businesses that look real, asking you to verify private information. A good rule of thumb to combat these attacks is to NEVER click a link in an email, even from your mother. Just type in the root of the URL and search for the content she sent.

Other attacks are more straightforward. They might reward you with some small prize like a song download in exchange for some private information. Both the information you willingly grant them, and the download itself could be malicious.

Also be wary of people offering to fix issues for you. If someone says they can stop the deluge of spam emails your business is getting, it’s quite likely that they are directing the emails in the first place. It’s modern-day protection money.

Tools and tips to protect your private information

Anytime you transfer information via the Internet there’s an opportunity for that conversation to be overheard. Try to only send personal information over websites whose URL begins with “https.”

Also be aware that you don’t necessarily need to hit the send button for a website to read what you’re typing into a form. In 2013, people became aware that Facebook was saving what they’d typed (and deleted!) on the site.

To protect your email, have several accounts and use each one for a purpose. Have a work email, a consulting email, an email for spam, and one for personal contacts. When you don’t trust a site, use your spam email, or create a burner email through tools like Throttle.

If a site or someone that you don’t trusts asks for your phone number, consider using an alternate phone number, such as a Google Voice account, or phone number apps like Ring4.

In the same manner, if someone wants to mail you something, use a post office box.

Never sign in to your bank accounts or give people your information when you’re using a public wifi hotspot. Wait until you get home or on to your company’s secured network.

Best practices for protecting private information

  • Don’t save your passwords to your browser in case a device is stolen. Have your device automatically lock after a period of inactivity and set up the remote wipe feature now
  • Use complex passwords and do not use one password for multiple locations
  • Shop on trusted sites, like Amazon
  • Have an extra email address for spam
  • Only trust the cloud so much, do not automatically upload sensitive images
  • Prevaricate: use an address slightly down the street when getting directions to or from your home and if someone asks where you’re from, don’t name the county where you got your birth certificate
  • Porn, pills, and pop stars: searching for adult content, medical supplies, or celebrity gossip can land you on suspicious sites. If you do search in these three categories, use Chrome and be careful where you click
  • Remember that while you can forget your password if you need to, you cannot forget your fingerprint. If something is highly sensitive, do not make it accessible through your fingerprint alone

I hope these tips are useful to you. Have fun on the web, but be careful out there!

KikiSchirrKiki Schirr is a freelance marketer. She is currently building a video platform called WeKiki and draws Tech Doodles. Kiki can be reached easily through Twitter.

All posts

  • How safe is it to entrust your voice data to Amazon Alexa? The ‘always listening’ future seems to be ripening us for a new sort of attack.

    For strong passwords and good password management, I recommend 1Password.

  • I knew there was a good reason I wasn’t doing those quizzes and such (though I thought it was an alien abduction selection process. haha) Thanks for a great post. 🙂

  • Or Google Home, Cortana or Siri or any other kind of voice driven assistant.

  • This is a great post with very worthwhile advice, Kiki. The shame of it all is that we in the industry kind of understand all of this but what about the other 95+% of internet users? They have no clue.
    Furthermore, as you so well identified, we in the industry use the exact same “social engineering” and bot practices to further our business interests so it becomes increasingly difficult for people to know who to trust. And more importantly, when to trust them (or what may appear to be “them”).

    Some argue that we are increasingly under some degree of threat by those we trust and those we don’t. People are naturally “trusting” and this is clearly being used against them.

    A simple example is giving up data like mother’s maiden name, pet names, city of birth etc are obvious things to avoid. However, if we all know that, why are these the standard “password reset secret” questions most companies use by default, thus leading uneducated consumers to believe giving up this kind of data is OK?

    Educating consumers is only going to get us so far. Mark wrote an interesting blog not too long ago about the next big business value will be the protection of the consumer and those companies who don’t will not survive the long haul. I personally have always agreed with this thinking. We cannot expect users to protect themselves. They have no idea how to and the “instant gratification” basis of the internet business model encourages them not to learn. IMO, therein lies the fundamental root cause.

  • Kiki Schirr

    Oh man, yeah… it’s better to not get me started on devices that listen! 🙂

The Marketing Companion Podcast

Why not tune into the world’s most entertaining marketing podcast that I co-host with Tom Webster.

View details

Let's plot a strategy together

Want to solve big marketing problems for a little bit of money? Sign up for an hour of Mark’s time and put your business on the fast-track.

View details


Send this to a friend