A guide to help make sure your curiosity isn’t used against you online.​

Best practices to identify and avoid social engineering scams.

During a busy holiday shopping season, a large retail corporation’s payment system was breached through the use of a malicious phishing email, compromising the personal information of nearly 70 million customers. Since that incident, the frequency of cybercrime attacks, particularly those involving social engineering schemes, has continued to grow and has created a serious risk management concern for individuals and businesses alike.

Virtually anyone who spends time online — whether on social media, shopping, paying bills, or simply accessing email — can be a potential victim of a cybercrime attack. Cybercriminals are using increasingly sophisticated scams designed to manipulate individuals into divulging personal and confidential information.

These scams include posting fraudulent links to well-known websites or sending emails from known individuals or companies that have fraudulent links or attachments that contain malicious software known as malware. The intent is for you to fall for these scams by divulging your personal information that the cybercriminals can then use to access your computer and accounts for their own benefit and financial gain.

When it comes to social engineering scams, basic awareness of the tactics used can go a long way in keeping your personal information secure.

Even the most security-savvy computer users can be vulnerable to social engineering scams, so it’s important to keep apprised of the types of threats that are prevalent today, and the extra measures you can take to avoid becoming a victim.

Protect yourself from the common social engineering scams.


This tactic involves using a fraudulent email to trick the recipient into opening a malicious attachment or visiting a malicious website. Phishing has been around for many years and remains a common scam for hackers because it continues to work.

Cybercriminals may act as representatives of familiar, trusted organizations — such as government agencies, financial institutions, or popular social media applications or file sharing sites — to gain your confidence and encourage you to follow the email’s directives, such as divulging sensitive information.

This particular attack has continued to evolve through the use of “spearphishing,” which personalizes an email so that it appears to come from a known person or organization. Additional tactics include “whaling,” which is a spearphishing attack that targets corporate leaders and high-profile individuals.

The majority of most phishing schemes aim to have the recipient reveal sensitive information, ranging from passwords to bank account numbers or even corporate data.

Protect Yourself

  • Don’t respond to emails requesting personal information, and always delete emails before opening them if you do not recognize the sender
  • Never click on embedded hyperlinks or open attachments in emails that you believe to be fraudulent or suspicious
  • If an email appears to be from a company that you do business with, contact them directly to discuss or report the message
  • Never share passwords, login credentials, or any authentication information
  • Always use a SPAM filter, anti-virus software, and a personal firewall


This type of social engineering attack lures you with the promise of something fabulous. Offers for gift cards, free smartphones, or even a share of a lottery winner’s profits — are popular baiting techniques.

The most adept hackers will use information gleaned from social networking sites, corporate websites, job search sites, and online newsletters to tailor baits that may be very specific to you. This technique relies on your curiosity, hoping you will be attracted enough to an offer to surrender your login credentials to a certain site.

Also, beware of suspicious, unverifiable phone calls claiming to be from a bank or other organization. When in doubt, call them back at a known, published phone number.

Baiting techniques also include the use of phone calls and texting in addition to Internet scams.

Protect Yourself

  • When it comes to cybersecurity, verify first, trust second
  • Don’t believe everything you read —even if it is on a friend’s web page. If it sounds too good to be true, it almost certainly is

Social Media

Hackers use social media not only to gain information about victims but as a way to spread malware and entice users into making mistakes.

On social media, cybercriminals may also create fake videos and websites tailored to trending topics and current events, or send messages with shortened, unverifiable URLs to spread malware intended to collect information from computers and other devices.

Protect Yourself

  • Review your settings on social networking sites regularly to ensure that privacy settings are set to the highest level that you are comfortable with
  • Be careful what you click on and what you say
  • Do not share confidential information that may be the answer to your security question, such as your mother’s maiden name or your date of birth
  • Never click on a hyperlink within a post if it appears suspicious, even it appears to come from a friend — your friend’s account may have been hacked
  • Don’t accept connection requests from unfamiliar individuals, they may be looking to find out when you are on vacation or away for an extended period of time

Educate Yourself

Cybercriminals seek to turn your own online presence into a weapon against you and others. Always be vigilant of social engineering tactics in order to decrease the chances of becoming a victim of a cyberattack. Knowledge is power—educate yourself, your friends, and your loved ones. Depriving cybercriminals of their next success will be a victory for us all.

To learn more, contact your local M&T Bank Relationship Manager or visit our Banking Security Center.​​



This article is for informational purposes only. It is not designed or intended to provide financial, tax, legal, investment, accounting, or other professional advice since such advice always requires consideration of individual circumstances. Please consult with the professionals of your choice to discuss your situation.


Share this page

If you are interested in sending this page to a friend or relative, please enter the following:

* Indicates required fields
+ Add another

No personal information (including e-mail addresses) about you or your friend will be collected from this e-mail notification feature offered by M&T Bank.

Please Note:

By clicking "ok" below, you will leave mtb.com and enter a Third-Party Website.

Tenga en cuenta que:

Al hacer clic en “Aceptar”, abandonará mtb.com e ingresará en el sitio web de un tercero.

Please note that:

  • The Third-Party Website is governed by a different set of terms and conditions and privacy policy than mtb.com and you should review those terms, conditions and privacy policy prior to reviewing the content of the Third-Party Website
  • M&T is providing a link to the Third-Party Website as a convenience and does not necessarily control the content of, or endorse, the Third-Party Website, it's owner/operator or any information, products or services that are made available on or through it
  • M&T makes no representations or warranties regarding the information, products or services provided through the Third-Party Website

Such Third-Party Website's owner/operator may be regulated by governmental entities and laws that are different than those that regulate M&T.

Tenga en cuenta que:

  • El sitio web de un tercero está regido por un conjunto de términos y condiciones y una política de privacidad diferentes que mtb.com, por lo tanto, deberá revisar esos términos y condiciones y la política de privacidad antes de evaluar el contenido del sitio web de un tercero
  • M&T le proporciona un enlace al sitio web de un tercero para su comodidad y no necesariamente tiene control sobre el contenido, o se adhiere, al sitio web del tercero, su propietario/operador o ni a ninguna parte de la información, producto o servicio que se ofrezca a través de él
  • M&T no ofrece declaraciones ni garantías respecto de la información, productos o servicios prestados a través del sitio web de un tercero

El propietario/operador de ese sitio web de un tercero podría estar regulado por entidades gubernamentales o leyes que son diferentes a aquellos por los que está regulado M&T.