Deceptive and manipulative: social engineering techniques

March 2020

Social engineering is the practice of manipulating people in order to obtain confidential or sensitive data.

Social engineers are students of human nature who understand how to exploit people’s tendencies to be helpful or to trust people in positions of authority, such as a CEO or an expert.

Social engineering vs. phishing

Phishing involves using emails purporting to be from trusted companies to trick people into sharing sensitive information such as passwords and account numbers.

Similar to phishing, social engineering attacks attempt to get information from you through human deception rather than technical means.

However, unlike phishing, social engineering involves a great deal of premeditation and planning, such as background research and developing relationships before executing an attack.

Social engineers may reference social media profiles to tailor their attacks with information that is familiar to their target.

The goal of social engineering is to gain access to information, whether corporate information such as intellectual property or, in the case of an individual, personal information.

Common schemes

Some common social engineering schemes that target individuals include:

  • a phone call from someone who claims to be from your bank, asking for the password to your online banking account to fix an urgent problem
  • a phone call from someone claiming to be a computer expert, saying there are problems with your computer and asking for your password to fix them
  • contact with a person claiming to be from your credit card company, who needs to verify your account and asks for your credit card number and expiration date
  • contact with a person claiming to be a new staff member who says they’ve forgotten their password and asks for yours to get into the system

Spam

Social engineers tend to use no-tech or low-tech approaches to gain access to personal information. However, some types of spam use social engineering techniques to craft electronic messages that manipulate the recipient into sharing sensitive information. For more information, see: Be diligent when dealing with spam.

Protect yourself

Never give out any confidential information—or even seemingly non-confidential information about yourself. Whether it's over the phone or in person, you must first verify the identity of the person asking and confirm that the person needs to have your information.

If you get a call from your credit card company saying your card has been compromised, say you’ll call back, but call the number on your credit card rather than speaking to whoever called you.

Always remember that legitimate companies and other organizations will never ask for your password or other confidential information over the phone. Before providing any information, make sure that the person is:

  • who they claim to be
  • authorized to make requests

You can verify these things by calling the organization that the person claims to represent, using the organization’s official number and not the number given to you by the person who has contacted you. If you can verify that this information is true, you’re probably not dealing with a social engineer.

Report fraud

If you believe you have been a victim of a scam, contact your local police and report it to the Canadian Anti-Fraud Centre.
