What is social engineering? How to protect yourself from online fraud

Social engineering is a key component of various types of fraud. By coming up with convincing lies, criminals exploit their victims through a series of social interactions, with the intent to steal money or to commit other white-collar crimes. As social engineers generally attempt to catch people off-guard, the best form of prevention is vigilance.

Fortunately, this article has you covered, so get ready to learn everything you need to know to defend yourself—both on and offline.

Social engineering is a way for criminals to steal sensitive information without hacking complex security systems. They use an array of manipulation techniques to build trust and deceive unsuspecting individuals. These techniques exploit aspects of human psychology to “engineer” the decision-making process and pressure victims into freely handing over their information—all without realizing that they’re in danger.

First, social engineers develop a convincing storyline to create a false sense of security for their victims. They may impersonate a person of authority, like a policeman or government official. Before the days of the internet, social engineering was mostly conducted through face-to-face interactions—think of Hollywood movies where con-artists gained access to high security buildings thanks to their charm and wit. It’s important to note, however, that social engineers won’t always be pleasant. Many of them choose to adopt forceful, sometimes threatening approaches, which can be highly effective in putting pressure on their victims to act.

In modern times, social engineering has become a serious threat online. It’s easier to send an official-looking email or entice someone to click on a link than it is to dress in an official uniform or try to gain access to a privileged area. Plus, the risks associated with asserting a physical presence are much higher than those for carrying out an attack online.

In any case, regardless of the technique(s) used, the goal of social engineering is to attain unsolicited access to someone for financial gain.

Security at N26

Your security is our priority. Arm yourself with our tips to protect yourself online.

Check N26 Guide to Secure Online Banking

So, how do they do it? Below, you’ll find the most common types of attacks to watch out for online.

Social engineers use this tactic to coerce potential victims into sharing sensitive personal information. To achieve this, they may create a sense of urgency that compels their victims to comply with their demands within a certain time frame. Some, on the other hand, won’t request information from their victims immediately—skilled social engineers often bide their time in order to build trust before attacking.

Unfortunately, there’s no way to anticipate this type of social engineering. The most important thing to remember is that you’re always within your rights to question the identity of individuals claiming to represent organizations of any kind.

Baiting uses the false promise of an irresistible offer to lure people into a trap. Online baiting often takes the form of enticing adverts or ‘too-good-to-be-true’ offers. Imagine a link to download the latest Hollywood blockbuster for free—or a bright, flashy pop-up claiming you’ve won a cash prize.

Phishing is one of the most prevalent fraud types faced by individuals online today. That’s because, following the initial collection of data, successful attempts are often heavily reliant on social engineering practices. Phishing can be preceded or followed by a series of trust-building interactions or ominous threats.

With a quid pro quo, criminals trick victims into handing over sensitive information with a promise of an exchange of some kind. A common approach is that someone contacts you saying they work in a tech support department and claiming they have been asked to fix a problem. When criminals strike it lucky and find someone experiencing actual technical problems, they strike—access the person’s computer, and steal personal information.

What better way to exploit social interaction than communication which appears to be sent from a close friend? Unsurprisingly, this is also a popular choice for fraudsters, who hack email accounts and then spam the person’s contact list. Messages generally contain an eye-catching subject line, such as “Check out this cool website!”—or perhaps they will “link” to popular social media platforms. 

Because they believe that the email was sent from a friend, the recipient may eagerly follow the link. Rather than discovering a funny meme, however, the victim is redirected to a fraudulent website, where they’ll be in danger of downloading malicious software or having their personal information stolen.

The specifics of social engineering techniques vary widely, and hackers can get quite creative. That’s why we’ve put together some real-life examples to give you a clear idea of what to look out for:

• Baiting. Local and state government agencies in the U.S. were baited in 2018. They were sent old-fashioned envelopes, postmarked from China, containing a letter and a CD-rom. The disc contained malicious code hidden alongside innocent looking documents.
• Pretexting. A 2019 report from Verizon found criminals often pose as co-workers to deceive victims by imitating a company’s HR or financial department.
• Phishing. In 2020, a phishing campaign sent mass emails claiming to be from the World Health Organization (WHO). The message contained fake information on how to prevent the spread of the coronavirus. After attempting to download the document attached, victims were redirected to a fraudulent website.
• Quid pro quo. Numerous studies into Social Engineering found people were significantly more likely to share their password when given a small gift. This technique is quite effective, as it exploits reciprocity—the psychological term for the obligation humans feel to return favors. So effective, in fact, that participants were enticed into sharing information when given a piece of chocolate!

Fortunately, although social engineering techniques vary, the countermeasures to fight it are essentially the same. Vigilance is key, as is treating any forms of contact from unknown senders with suspicion. Other ways to protect yourself include:

• Always question the source of emails that request something from you. Pay especially close attention to the sender’s details, and to any URLs that look suspicious.
• If correspondence appears urgent, take your time and don’t let yourself be pressured into taking immediate action. This is one of the most common ways social engineers force people to act first and think later.
• If an offer—online or offline—appears too good to be true, it probably is.
• Protect your devices by using genuine, well-respected antivirus or firewall protection.
• Use multi-factor-authentication (also known as 2-Factor Authentication or 2FA), which uses your smartphone, or another device, along with your password to access your accounts.
• Always double check links sent in emails and, if in doubt, visit the website in question directly by typing the address into your browser, rather than clicking on the link in the email.
• Don’t download files, share personal information, or follow links from unknown senders.

As we mentioned in the beginning of the article, awareness is the best defense against social engineering. Criminals rely on catching their victims off-guard, but armed with this knowledge, you’ll be one step ahead!

The bank account that gives you more control

Spend and save with confidence, and discover a better way to manage your money

Get bank account (new tab)

At N26, we use 2-Factor Authentication—this means that, in addition to entering your password, you’ll need to confirm login attempts on your paired smartphone. To make your account even more secure, choose a strong password or passphrase, and don’t use this password for any other accounts.

Here are some other things to keep in mind:

• We’ll never contact you and threaten to close your account if you don’t respond within a specified timeframe.
• We’ll never ask you to disclose your login credentials via email, phone, or SMS.
• We’ll never ask you to log in into an account that has been created on your behalf.
• We’ll never contact you via WhatsApp, or any other private messages services.

If you’ve received any such emails claiming to be from us, please report them to our Customer Support team as soon as possible. You can get in touch with them directly through the N26 app, or by sending an email to support@n26.com.