How to Stay Safe Against Phishing & Social Engineering Attacks?

Every year, millions fall victim to phishing scams and lose their valuable data – or, in the worst cases, their hard-earned money. Even if you consider yourself tech-savvy and unlikely to fall for such traps, threat actors are not fools, either. These people regularly develop new schemes; sometimes, it can be nearly impossible to tell whether an email or message is legitimate or part of a scam. In this article, we will go through the latest tactics attackers use and how you can stay safe.
Understanding Phishing and Social Engineering
For the uninitiated, phishing is the digital equivalent of a con artist’s trickery, designed to urge you into revealing personal information. In the past, these attacks were simple and mainly distributed through emails containing malicious links to fake websites.
However, as giants like Google implemented better security measures and public awareness grew, threat actors devised a new tactic: social engineering. This technique capitalizes on human psychology, with scammers often posing as loved ones, IT professionals, or trusted contacts to extract sensitive information or money.
New Phishing and Social Engineering tactics
As mentioned, hackers regularly leverage new tactics to prey on innocent people, and thanks to AI tools becoming readily available, catching these scams is getting harder by the day. Nevertheless, being aware of their tactics can be of great help. These include:
1. Emotional Appeal Scams
In such attacks, hackers may gather personal information from a user’s social media accounts, such as Instagram and X, to create highly targeted phishing emails that appear legitimate. These messages often invoke urgency or emotional triggers – such as fake emergency requests from friends or warnings about compromised accounts – to manipulate users into clicking on malicious links and divulging sensitive information.
2. Vishing
Vishing attacks have surged in recent years thanks to AI-powered voice-generation models. Cybercriminals use these tools to convincingly mimic the voices of loved ones, workplace leadership, and other close contacts to call victims and fabricate urgent situations – such as being in legal trouble or needing emergency funds.
In most cases, scammers pressure victims into sending money quickly, exploiting situational emotions. Detecting these scams can be difficult, as AI-generated voices sound highly realistic, making it crucial to verify unexpected requests through alternate means before taking action.
3. Social Media Exploitation
Threat actors create fake social media accounts on Telegram or X to establish trust with potential victims, often targeting vulnerable or isolated individuals. For example, some romance scams see bad actors investing weeks into building relationships with victims before introducing fraudulent investment opportunities or requests for funds, frequently involving cryptocurrency.
By showcasing fabricated success stories and enticing victims with promises of quick returns, they persuade them to invest, only for the funds to disappear. Recognizing and avoiding unsolicited financial advice or investment schemes is key to preventing such scams.
4. Clone Phishing
Instead of creating entirely new scam emails, threat actors replicate legitimate messages from trusted organizations, copying formatting, logos, and content to make them nearly indistinguishable from the original. They then send these fraudulent emails to victims, often subtly modified, such as replacing a legitimate link with a malicious one. Attackers may also use email addresses that closely resemble the original sender’s domain to deceive recipients into thinking the email is authentic.
5. Quishing (QR Code Phishing)
As more users become wary of clicking suspicious links in emails, attackers have turned to QR codes to bypass traditional phishing defenses. These scams, known as “quishing,” trick users into scanning QR codes that direct them to malicious websites designed to steal login credentials or install malware.
Compounding the risk, most email security filters do not automatically scan QR codes for malicious links, making this attack vector harder to detect. To stay safe, users should avoid scanning QR codes from untrusted sources and verify the legitimacy of any QR-based request before engaging.
How to Stay Safe?
Considering the hundreds of ways threat actors try to gain unauthorized access to user accounts, staying safe seems difficult, and it is. A phishing email could be in your inbox right now, waiting to strike. While we cannot account for every situation, there are a few things you should keep in mind.
First and foremost, never open links from unknown emails, and always check the sender’s email address for potential discrepancies. Enable two-factor/multi-factor authentication (2FA/MFA) through your browser, a password manager, or a standalone authentication app. It’s the easiest way to safeguard your account even if threat actors manage to access your credentials. To set up MFA in Google, for example:
- Head to your account settings in Google.
- Search for 2-Step Verification.
- Follow the on-screen instructions to enable it.
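The advice to check the sender’s address, together with the lookalike-domain trick described under clone phishing, can be turned into a small automated check. The following is an added example written for this article, not code from the original page or from any vendor; the trusted-domain list and the sample headers are constructed for illustration, and the registrable-domain helper is a deliberate simplification (it takes the last two labels instead of consulting the Public Suffix List).

```javascript
// Added example: a defender-side checker that flags the sender-address
// discrepancies clone-phishing emails rely on. Run with: node sender-check.js

// Assumed allowlist: the domains this mailbox genuinely expects mail from.
const TRUSTED_DOMAINS = ["paypal.com", "google.com", "example-bank.com"];

// Split "Display Name <user@domain>" (or a bare address) into its parts.
function parseAddress(header) {
  const s = header.trim();
  let displayName = "", address = s;
  const lt = s.lastIndexOf("<"), gt = s.lastIndexOf(">");
  if (lt !== -1 && gt > lt) {
    displayName = s.slice(0, lt).trim().replace(/^"|"$/g, "");
    address = s.slice(lt + 1, gt).trim();
  }
  const at = address.lastIndexOf("@");
  if (at === -1) return null;
  return {
    displayName,
    localPart: address.slice(0, at),
    domain: address.slice(at + 1).toLowerCase(),
  };
}

// Levenshtein edit distance, used to spot one-character swaps such as paypa1.com.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Simplification (assumption): last two labels. Real code should use the Public Suffix List.
function registrableDomain(domain) {
  return domain.split(".").slice(-2).join(".");
}

// Returns a list of human-readable findings; an empty list means nothing suspicious.
function checkSender({ from, replyTo }) {
  const findings = [];
  const f = parseAddress(from);
  if (!f) return ["From header could not be parsed"];
  const reg = registrableDomain(f.domain);
  const trusted = TRUSTED_DOMAINS.includes(reg);

  if (/[^\x00-\x7f]/.test(f.domain)) {
    findings.push(`non-ASCII characters in sender domain "${f.domain}" (possible homoglyph)`);
  }
  if (!trusted) {
    for (const t of TRUSTED_DOMAINS) {
      const brand = t.split(".")[0];
      if (editDistance(reg, t) <= 2) {
        findings.push(`sender domain "${reg}" is a near-miss of trusted "${t}"`);
      } else if (f.domain.includes(t)) {
        findings.push(`trusted name "${t}" embedded in untrusted domain "${f.domain}"`);
      }
      if (f.displayName.toLowerCase().includes(brand)) {
        findings.push(`display name "${f.displayName}" claims "${brand}" but domain is "${f.domain}"`);
      }
    }
  }
  if (replyTo) {
    const r = parseAddress(replyTo);
    if (r && registrableDomain(r.domain) !== reg) {
      findings.push(`Reply-To domain "${r.domain}" differs from From domain "${f.domain}"`);
    }
  }
  return findings;
}

// Constructed sample headers (not real messages).
const SAMPLE_MESSAGES = [
  { label: "legitimate", from: "PayPal <service@paypal.com>" },
  { label: "digit swap", from: "PayPal Support <security@paypa1.com>" },
  { label: "subdomain trick", from: "Google <no-reply@google.com.account-verify.net>" },
  { label: "display-name spoof", from: "\"Google Security\" <alerts@mail-notify.org>", replyTo: "collect@another-host.net" },
];

for (const msg of SAMPLE_MESSAGES) {
  const findings = checkSender(msg);
  console.log(`[${msg.label}] ${findings.length ? "SUSPICIOUS" : "ok"}`);
  for (const line of findings) console.log("  - " + line);
}
```

The near-miss threshold of two edits is intentionally loose for a demo; in a real mail filter you would tune it per brand and pair it with SPF/DKIM/DMARC results, since a header check alone cannot tell an authorized sender from a spoofed one.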
A password manager is another great way to strengthen your security posture. Most of us use similar passwords on multiple sites so that we don’t forget them. However, password reuse lets threat actors break into your other accounts once they get hold of just one of your credentials.
A password manager like Bitwarden helps you securely store and manage all your passwords. It can also generate strong, unique passwords that are nearly impossible for hackers to crack.
Use Passkeys
While storing passwords in a secure password manager is a significant step, we need to move towards a passwordless future to reduce phishing attacks. This is where passkeys come into play.
A passkey is a cryptographic credential used for online verification. It eliminates the need for users to remember or type passwords by using biometric authentication (like fingerprints or facial recognition) or device-based verification to confirm their identity. When you create a passkey for a website, an asymmetric key pair is generated: the private key is stored securely on your device, and the matching public key is stored on the website’s server.
Since a passkey only works on the specific domain it was created for, and logging in requires the private key on your device to answer a challenge from the server, passkeys are phishing-resistant. Despite the apparent advantages, their adoption has been pretty slow due to the lack of user familiarity and the slow implementation from giants like Microsoft, which recently rolled out passkey support.
Also, device-linked passkeys don’t sync between devices, meaning users must re-enroll each time they switch devices. However, synced passkeys, stored in a secure password manager like Apple Keychain, Google Password Manager, or open-source alternatives like Bitwarden, enable users to access their credentials across different devices.
Conclusion
Phishing and social engineering aren’t going anywhere, and you will probably receive such scam emails for years to come. But with the right awareness and precautions — like enabling MFA, using a password manager, and adopting passkeys — you can bolster your security and prevent these threat actors from accessing your private information.