Social Engineering: The Digital Decoys Enticing Kids to Click


You may have heard warnings about “social engineering.” While the term is simply a fancy way of describing fooling people into giving away their personal info online, the repercussions are quite serious.  

Examples of social engineering include phishing, which occurs when a scammer sends people fake emails, or smishing, when the same tricks are deployed via text messaging. Anyone – old, young or somewhere in between – can fall for identity-based scams. However, the facts on the most frequently victimized may surprise you. 

As it turns out, the number of online scam victims under 21 – aka, the internet-savvy set – increased 156% between 2017 and 2020. Why? This may be due to the tendency of young minds to admire openness and abdicate privacy. Add on the open-sharing influence of social media, and personal security risks rise exponentially. 

Awareness is job No. 1 

Parents can help lessen the danger. Being aware of common (and not-so-common) snares is a parent’s best shot at keeping kids out of them. The idea is to empower children with warning signs vs. scare them with horror stories.  

Take talent traps, for example. Attackers steal emails and cell numbers from organizations like local youth sports clubs and child modeling agencies. Scammers then send fake invites to showcases, auditions and tryouts to trick teens and parents into “registering” online with vital information, including Social Security numbers. 

Another highly scalable scam begins with the theft of school district databases. A text about a child marked as late, a COVID exposure or weather advisory entices recipients to click a link, which downloads data-stealing malware onto victims’ phones. 

A third highly profitable (for the criminals) scheme is to message young gamers with offers of in-game goods, such as skins, characters or unlocked levels in popular games. Engaging with messages like this can lead to theft of credit card and other financial information and may even expose children to virtual, and even in-person, exchanges with predators. 

Crooks can do a lot with a child’s stolen data

Once criminals have stolen personal information, there is no shortage of tricks they can pull. Most of those tricks end up costing victimized families money and time, not to mention stress. The two main categories of data exploitation are:

  1. One-off cries, such as using a single victim’s stolen data to take out a student loan in the victim’s name or open a digital payment account with a similar looking username. 
  2. Selling the data of multiple victims in bulk to dark web warehouses that advertise databases of personal information on the digital black market. 

Four parental best practices for the social engineering age 

One effective way to prevent a child’s data from getting wrapped up in one of these scams is to monitor their credit. It’s easy to find out if they have a credit score and if their identity is being used for transactions. TransUnion, for instance, offers a child identity theft inquiry form online. Parents can be even more proactive by initiating a sensitive-person credit freeze, to lock down a minor’s credit until the age of 18. 

Another parental best practice is to regularly run antivirus or antispyware scans on the phones of minors in the household… and their own phones while they’re at it. Most phones and antivirus software allow users to opt for automatic scans at regular intervals. This may be easier for busy parents (which, last time I checked, describes all parents). 

Third, parents can instill a healthy sense of skepticism in their kids by exposing them to real-life threats in a safe environment. Kids should get to see age-appropriate examples of phishing texts and social engineering attempts. By seeing for themselves the kind of malicious “content” that is floating around disguised as legitimate, they develop their own scam radars. Telling them stories of people who have had the wool pulled over their eyes, followed by discussions of what they would have done differently in a similar circumstance can also exercise common-sense muscles. 

Most importantly, parents should model smart online behavior. If something seems odd to them, parents should take the time to explain what looks out of place. Then, let children witness them doing things like calling a friend to verify the authenticity of a message or navigating to a website on their own rather than clicking a link. 

Take advantage of rinse and repeat strategies 

The success of most social engineering comes down to timing. Attackers have gotten good at knowing when we’re at our most gullible, whether that’s during a global crisis or just later in the day. By using mass-scale assaults, they learn just like the rest of us do – through trial and error. When a scam works, rinse and repeat. 

You and your child can take advantage of this greedy replication, however. Scammers are showing their cards by running the same or similar schemes on repeat. Stay up on the news, talk about it often and have regular check-ins on best practices. It may not be your child’s favorite conversation, but protecting their identity is worth every eyeroll you earn. 

By day, Scottsdale father Eduard Goodman is chief privacy officer for intelligent identity security firm Sontiq, a TransUnion company. By night, he is head of the Goodman family IT department. For more information on the above and similar topics, visit