Phishing and other online scams rely on social engineering—a timeless set of tactics that technology can leverage in new ways.

Social engineering usually involves building and abusing trust, exploiting our innate good will, or playing to greed and other impulses.

Online and offline cons alike can be extremely elaborate or relatively simple. They may seek money, information, or passwords/credentials. They can deceive even the savviest targets.

Social engineering tactics

Social-engineering scams play to some of our best and worst instincts. Look out for these common tactics:

False identity claims: Scammers frequently claim to be someone they’re not. They might pose as police or government authorities, representatives from banks or businesses you deal with, potential romantic partners, or even people you know. They can spoof email addresses and phone numbers or provide personal details that seem convincing.

Urgent pleas for help: Scammers often manufacture phony crises—a stranded friend, a looming deadline, etc.—to throw you off guard.

Warnings of danger: Along similar lines, scammers can threaten dire consequences if you don’t act right away. Purported “dangers” range from a missed delivery or mistaken charge to a hefty fine, an arrest, or worse.

Promises of payoff: Some scammers insist there’s something in it for you, promising money or other rewards in exchange for your help.

Flattery and comradery: Scammers might target your ego, praising your professional standing or personal appeal. They might suggest that only you can help them, diligently working to build a relationship.

Common kinds of scams

Crooks leverage the above tactics in a variety of scams:

Email phishing: Still one of the most common—and, often, easiest to spot—online ploys. Iowa’s security systems prevent most phishing attacks from reaching university in-boxes, but some still slip through. Phishers might target your other email accounts as well. Learn more about preventing phishing attacks.

Spear-phishing: These targeted attacks can come via email, direct message, or other channels. They might be addressed specifically to you, purport to come from someone you know, or include personal details. Learn how to identify and prevent spear-phishing.

Phone-based scams: Spear-phishing attacks can come in the form of phone calls, too. They can start with small requests and build to serious security breaches. Learn more about phone-based scams.

Baiting: Some scams come in the form of software or content offers. They might point you to shady websites that harvest your personal info or entice you to install malicious software.

Scareware: Other scams start by falsely claiming that your systems are already compromised. They scare you into installing software that cedes control to crooks, steals files or data, or opens you up to additional attacks.

Phony invoices: Phishing scams, especially, may come in the form of “invoices” for purchases you haven’t made. Ignore them.

Fake deliveries: Messages claiming to come from the post office or shipping services can point you to malicious websites. If you’re expecting a delivery, don’t click links in these messages. Instead, go straight to the shipper’s site to resolve any issues.

Gift-card and transfer scams: Scammers may ask you to purchase and send gift cards or make cash transfers using platforms like Zelle or Venmo, payments that are hard to track and void. Treat them as red flags.

How to avoid getting scammed

These precautionary steps can help you avoid all kinds of scams:

Reach out directly to verify identities: Don’t reply to emails, messages, or calls that could be faked. Instead, confirm messages by reaching out organizations or individuals directly using contact info from their official websites, authoritative directories, or your own records.

Take care with people you don’t know: Think twice about accepting connection requests or messages from strangers. If you choose to connect, go slow in establishing relationships or, especially, responding to requests.

Use trusted systems and sources: Avoid clicking links in potential scam messages. Instead, navigate directly to authoritative websites. Only install software from official app stores or verified manufacturer’s websites.

Never share credentials and use multifactor authentication: Never provide your logins and passwords—legitimate organizations won’t ask for them. Use Two-Step Login/Duo or other multifactor authentication systems whenever they’re available.

Refuse requests that don’t make sense: Be especially alert for convoluted gift-card and cash-app transfer requests.

Trust your instincts: If something feels wrong, it probably is. There’s virtually zero risk in ignoring any emails, messages, texts, or calls that may be scams.

October is Cybersecurity Awareness Month, a government-industry partnership that aims to raise awareness and empower everyone to protect their personal data against digital crimes. Look for other cybersecurity tips throughout the month.