Carnegie Mellon University

How to outsmart a social engineer

December 14, 2020

5 Ways to Outsmart a Social Engineer

“Social engineering” is a newer term for an age-old pursuit: tricking people. Whether you use the modern-day terminology or opt for longer-standing classifications (like conning, hustling, and swindling), the end result is the same. Scammers aren’t afraid to tell lies, and they often get what they want just by asking for it. Social engineers take advantage of the human tendency to be open and trusting. All successful social engineering attacks have one thing in common: someone believed something they shouldn’t have. But there is good news: if you are targeted, the outcome is still up to you. Don’t fall for the trap, and the attack falls flat. Use these five tips to stay one step ahead of social engineers.

#1 Don’t Take Things at Face Value

This piece of advice can serve you in many ways, including the identification of social engineering traps. Social engineers need to win your trust, and they try to lure you in by creating a false sense of security:

  • Phishing emails, smishing (SMS phishing) texts, lookalike websites, phony letters, and other communications might include the names and logos of well-known brands to appear believable. Scammers know these visual cues work to their advantage.
  • Sender addresses and caller ID numbers can be spoofed—that is, disguised so an email or call appears to come from a trusted contact. The display name on an email is free text chosen by the sender and proves nothing about the actual address behind it. In some cases, incoming calls can even appear to come from your own phone number.
  • Attackers sometimes pose as service technicians, prospective customers, and even law enforcement officers. Uniforms, badges, and business cards are easy to fake—and these simple efforts often pave the way for unauthorized access.

Remember: Surface clues are not enough to prove legitimacy. You must dig deeper.
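The following is an added example, not part of the original article or of Proofpoint's or CMU's own tooling. It shows what “digging deeper” on an email looks like when a mail administrator or analyst has the raw message in hand: it compares the display name with the real address, looks for a Reply-To that silently routes answers elsewhere, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, and checks the sender domain for homoglyph, typo-squat or punycode imitations of a trusted domain. The trusted-domain list, the brand words, the homoglyph table and both sample messages (including the invented crnu.edu domain) are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organization treats as trusted senders (not from the article).
TRUSTED_DOMAINS = {"cmu.edu", "proofpoint.com"}
# Brand words that a spoofed display name tends to borrow (constructed list).
BRAND_WORDS = ("cmu", "carnegie mellon", "proofpoint")
# Visual substitutions commonly used in lookalike domains (constructed, not exhaustive).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typo-squats such as cnu.edu."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    """Collapse look-alike character runs so crnu.edu compares equal to cmu.edu."""
    folded = domain.lower()
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    if "xn--" in domain or any(ord(c) > 127 for c in domain):
        return "a non-ASCII (punycode) domain"
    for trusted in TRUSTED_DOMAINS:
        if fold_homoglyphs(domain) == trusted or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)}


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def triage(raw_message: str) -> dict:
    """Return the surface-cue red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. A trusted brand in the display name, but the real address is elsewhere.
    if any(b in display.lower() for b in BRAND_WORDS) and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display}' borrows a brand but the address is @{from_domain}")

    # 2. Replies are silently routed to a different domain.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    # 3. SPF/DKIM/DMARC verdicts. Only trust this header when your own gateway
    #    added it; a sender can include a forged one, which is itself a red flag.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            findings.append(f"{mech}={auth.get(mech, 'none')}")

    # 4. Homoglyph, typo-squat or punycode imitation of a trusted domain.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain} resembles {target}")

    return {"from": addr, "findings": findings,
            "verdict": "suspicious" if findings else "no surface-cue red flags"}


# Constructed sample messages (not real mail); the crnu.edu domain is invented.
SAMPLE_PHISH = """\
From: "CMU IT Help Desk" <helpdesk@crnu.edu>
Reply-To: account-recovery@mail-verify.net
To: student@cmu.edu
Subject: Action required: your account will be locked in 24 hours
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=crnu.edu; dkim=none; dmarc=fail header.from=crnu.edu

Your password expires today. Sign in at the link below to keep access.
"""

SAMPLE_LEGIT = """\
From: "CMU Information Security Office" <iso@cmu.edu>
To: student@cmu.edu
Subject: Phishing awareness training
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=cmu.edu; dkim=pass header.d=cmu.edu; dmarc=pass header.from=cmu.edu

The awareness training is available on the ISO website.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = triage(sample)
        print(result["from"], "->", result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Two caveats a practitioner would add: the Authentication-Results header is only evidence when it was written by your own receiving gateway, since anything earlier in the path can be forged by the sender; and a message that passes every check here is still not proven legitimate, because a compromised or newly registered domain can pass SPF and DKIM for its own mail. The checks replace guesswork about logos and display names, not the call to a known number.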

#2 Ask Questions

Social engineering is often about finding the right motivation—and getting people to act in a hurry. It’s important to pause and think before you give information or grant access to someone you don’t know. You should ask potential imposters questions to verify their identities, but you should also question yourself:

  • Am I being pressured to act in haste?
  • Am I certain this person is who they claim to be?
  • What are the potential ramifications if this is a social engineering attack and I fall for it?

Above all, you should feel comfortable and confident before acting on a request.

#3 Do Your Own Due Diligence

Let's be perfectly clear. The most successful social engineers are savvy, persistent, and prepared. And they do their homework before perpetrating an attack. But if you are ready and willing to do your own digging, you can beat them at their own game. Here are some examples:

  • Before interacting with an email, text, or social media message, go to the source. Visit a known website or call a trusted phone number to confirm an offer or request for information. Contact friends or colleagues to verify any out-of-character messages or social posts.
  • Disconnect from any unsolicited call before providing sensitive data (like credit card numbers or details about customers and colleagues). Use a verified number to confirm an offer or request.
  • Before granting unknown service providers or visitors access to your home or business, confirm they are who they say they are by contacting the organization they claim to work for.

#4 Don't Be Afraid to Say 'No'

Social engineers know that most people are non-confrontational with strangers. They know it’s in people’s nature to be accommodating and avoid awkward conversations. That’s why techniques like the following work so well:

  • Eavesdropping on private conversations.
  • Shoulder surfing, which is peering over someone’s shoulder to spy on private PINs or other actions.
  • Tailgating or “piggybacking” behind someone through a secure entrance.

Fight against that nature when the need arises. If someone you don’t know wants you to hold open a secure door, ask to see their access credentials. If you catch someone snooping as you’re entering confidential information into a computer or financial terminal, report them to security (and, if needed, change any password or PIN they may have seen). Coming out of your comfort zone could protect you and your organization from a social engineering attack.

#5 Allow Yourself to Be a Little Paranoid

You don't need to distrust everyone and everything, but it doesn't hurt to allow yourself to be a little paranoid when dealing with people you don’t really know. This is particularly true for faceless communications, like email, text messaging, phone calls, and social media posts. Yes, many social engineers are at the top of their game. But a healthy dose of skepticism can help you stay alert to even the most sophisticated tricks and traps.


This article is brought to you by the Proofpoint Cyber Security Awareness resource materials. To learn more about the Proofpoint Security Education Platform and enroll in cyber security training, please visit https://www.cmu.edu/iso/aware/wombat-training/index.html