Online criminals can use
sophisticated technology to try to gain
access to your computer, or they can use
something simpler and more insidious:
social engineering.
Social engineering is a way for
criminals to gain access to your
computer. The purpose of social
engineering is usually to secretly
install spyware or other malicious
software or to trick you into handing
over your passwords or other sensitive
financial or personal information.
Some online criminals find it easier
to exploit human nature than to exploit
holes in your software.
Types of social engineering
There are several types of social
engineering you should be aware of:
- Phishing
- Spear phishing
- E-mail hoaxes
Do not reveal any personal
information in e-mail or online
unless you know who you are dealing with
and why. Additionally, make sure you are
in a secure environment: that's the key
to helping you avoid any type of attack.
Phishing: Fraudulent e-mail messages and Web sites
The most common form of social
engineering is the phishing scam.
Phishing scams employ fraudulent e-mail
messages or Web sites that try to fool
you into divulging personal information.
For example, you might receive an
e-mail message that appears to come from
your bank or other financial institution
that asks you to update your account
information. The e-mail message provides
a link that appears to go to a
legitimate site, but really takes you to
a spoofed or fake Web site.
If you enter your login, password, or
other sensitive information, a criminal
could use it to steal your identity.
Phishing e-mail messages often
include misspellings, poor use of
grammar, threats, and exaggerations. For
more information about phishing, see
Recognize phishing scams and fraudulent
e-mails.
If you think you might already be a
victim, see
What to do if you've responded to a
phishing scam.
To help protect yourself against
phishing, try the
Microsoft Phishing Filter.
Spear phishing: Focused attacks that seem to come from people you know
Spear phishing is any highly targeted
e-mail scam, usually employed in a
business environment.
Spear phishers send e-mail messages
that appear genuine to all the
employees or members within a certain
company, government agency,
organization, or group.
The message might look like it comes
from your employer, or from a colleague
who might send an e-mail message to
everyone in the company, such as the
head of human resources or IT. It might
include requests for user names or
passwords or might contain malicious
software, like a trojan or a virus.
Spear phishing is a more
sophisticated type of social engineering
than phishing, but the techniques you
can use to avoid being fooled are the
same.
For more information, see
Spear phishing: Highly targeted e-mail
scams. To help avoid trojans and
viruses, use antivirus software such as
Windows Live OneCare.
E-mail hoaxes: Look out for easy money promises
E-mail hoaxes come in many different
forms, ranging from a scam that requests
your help getting money out of a foreign
country (often Nigeria) to a promise
that you've won a lottery.
The common element is that you're
usually promised a large sum of money
for little or no effort on your part.
The scammer tries to get you to send
money or reveal financial information
that they can use to steal your money or
your identity, or both.
For more information, see
Spot and avoid advanced fee fraud
and
You have not won the Microsoft Lottery.
You might also receive scams sent
through an Instant Message (IM). To read
more, see
10 tips for safer Instant Messaging.
How technology can help
Your first level of defense should be
to secure your computer. For more
information, see
Protect your computer in 4 steps.
Learning how to spot social
engineering techniques is the next step,
and the new Windows Vista operating
system makes that easier to do:
- Internet Explorer 7 is available for
  Windows Vista and has a Phishing
  Filter built in that scans and alerts
  users to potentially harmful phishing
  sites.
- Windows Vista Parental Controls offer
  parental controls for children to help
  prevent kids from downloading unwanted
  software.
- Windows Defender helps you avoid
  spyware and other malicious software
  that can be part of a social
  engineering scam. Windows Defender
  comes with Windows Vista. If you use
  Windows XP SP2, you can download
  Windows Defender for no charge.
- User Account Control built into
  Windows Vista requires your consent
  before allowing a potentially
  dangerous program to run. This helps
  reduce the impact of viruses, spyware,
  and other threats you might encounter
  through social engineering.