It is almost summertime, and while the livin’ supposedly gets a bit easier, it remains risky. As the vacation season approaches and everybody is planning travel, socializing with friends and family and relaxing, people in the “always connected” world should add one more item to their list: don’t relax when it comes to online security.

Social engineering scams are more ubiquitous and sophisticated than ever. And they can do a lot more than ruin a vacation. As experts consistently point out, a successful scammer can steal, destroy or hold your files hostage, install malware on your computer, steal your identity and other personal information, steal your money, break into your house and ruin your reputation.

There are dozens to hundreds of such scams, but with the help of several experts, CSO has selected a somewhat arbitrary “Top Five” that represent the most common social engineering threats targeting individuals and organizations, concluding with some general advice on how to detect and avoid them.

1. You've won a free ticket to the World Cup!

No, you haven’t. But Christopher Hadnagy, CEO of Social-Engineer Inc., said the breathless email that potential victims receive is hard to detect and resist.

“This one is particularly evil,” he said, “since they have a valid SSL (secure sockets layer) certificate. This means that everything really looks legit. It would take extra work to look into the URL and who owns it.”

Of course, if targeted victims click on a link that promises to print the ticket, they are instead loaded with a Trojan and then hacked – the goal is to plunder personal banking details.

Hadnagy said he doesn’t know where the scam originates. “Without being able to analyze the malware it would be hard to say,” he said. “But we do know they are using a database breach, as they have a lot of data on their clients. And they are most likely going after banking info from their targets.”

He added that he also doesn’t know how many victims have been ensnared by the scam, “but in Brazil alone there are a reported 50-60 new phishing links reported every day.”

Security vendor McAfee calls a similar scam related to the World Cup the “Red Card Club,” according to Robert Siciliano, CEO of IDTheftSecurity and also a blogger for McAfee.

“It involves 11 footballers whose names appear on web sites that contain the biggest threats of malware infection to fans who visit,” he said. “Cristiano Ronaldo and Lionel Messi lead the pack, followed by other footballers like Karim Ziani and Iker Casillas.”

He said the scam appears to have originated in South America and Europe, and the goal is to “trick fans into giving up personal information so that the thieves can steal an identity or get credit card information and max out the fan’s cards. The sites most likely to be risky are those offering videos showing the athlete’s skills, and screensaver downloads,” Siciliano said.

The best way to avoid such scams, he said, is to “beware of the ‘free download’ offer. If a site wants personal information like your email address or credit card before letting you see an ‘exclusive’ story, run for the hills.”

2. We can help you avoid Cryptolocker!

This pitch offers victims a chance to download a security patch to “‘protect against new malware circulating over the net,’ allegedly from security vendors,” according to a blog post by John Zorabedian of security vendor Sophos.

Zorabedian quotes fellow blogger Paul Ducklin, noting that “the email doesn’t explicitly mention the Cryptolocker ransomware that locks your files and tries to sell them back to you. But there is little doubt that many recipients, having heard of the ongoing saga of Cryptolocker, will be more inclined than usual to read on.”

Instead of a security patch, victims download Zbot, which cybercriminals use to load other malware onto an infected computer. The most important thing for the targets of such scams to remember is that legitimate security vendors never deliver patches in an email.

3. Please send me money, grandma! And don't tell my parents!

This scam is not new, but it remains popular for a good reason – it still works. Attackers are much better at it, in part because people post so much personal information about themselves on social media sites, making it much easier to present credible details to a potential victim – often an elderly relative like a grandparent.

“The attacker poses either as a friend or family member in trouble in another country and in need of money,” said Michele Fincher, chief influencing agent at Social-Engineer, Inc. “The request for help is usually combined with a plea for silence out of embarrassment or not wanting to worry other friends or family members.”

Liz Phillips, a freelance journalist, wrote in The Guardian last fall about clicking on a link she thought was from her internet provider, BT, asking her to confirm her email address with a code. Instead, hackers got her entire address book of more than 1,000 contacts, and she started getting calls from friends the next morning saying they had received an email purportedly from her, saying she was stranded in Ukraine, “having lost my passport and cell phone, and urgently needed £2,100 to settle my hotel bill and get home.”

Fortunately, none of her friends or family fell for it, and after spending a morning on the phone with BT and waiting 48 hours for her addresses to be restored, she had learned a hard lesson. “I have learned never to click on a link in an email message, no matter how genuine it appears,” she wrote. “In future I will close the browser, reopen it and type the address directly into the address bar.”

She is not alone, of course. The FBI has issued an advisory on the grandparent scam, and CBS News did an interview in mid-April with a jailed con man who said those who know how to do the scam well can make $10,000 in a day.

4. Hi, this is Jim from accounting ...

A multi-stage scam that Hadnagy calls “Multi-stage SE” is aimed at planting malware on the networks of enterprises. It uses both email and phone, hoping to snare careless or unwary employees.

“A typical attack goes like this,” he said.

Stage 1: An email is sent with an attachment that looks like it’s from someone internal.

Stage 2: Moments later, a call is placed from a spoofed number. “Hi, this is Jim from accounting. I just sent you a report that I need your comments on ASAP. Can you open it please?”

“Jim, I see it, let me…” as clicking occurs. “Uh, Jim, it just crashes, not sure what is going on…”

“Dang it, I probably sent you the wrong version. It is the end of the day, can you give me till the morning and I will send you an updated one?”

“Sure, no problem.”

Stage 3: Now malware is planted and the network is hacked.

Hadnagy said that, as is often the case, the scam works because people don’t “stop and look. Most of the time there are ‘tells’ in the email, as the URL is wrong. Do I know Jim from accounting? Why is he sending me this report? There are a lot of things that can throw red flags, but one needs to think critically to understand that and catch the hacker.”

5. We're here to help ... ourselves to your files, your money, your identity

The “tech support” scam is another well-established attack that remains popular because it is so effective – cybercriminals calling or emailing, claiming to represent tech support or the “Helpdesk” of enterprises such as Microsoft, PayPal, Verizon and Netflix.

Theresa Payton, president and CEO of Fortalice and a former White House CIO, said scammers sometimes “offer support and service for a low monthly price that really doesn't provide any support at all, or worse, takes enough information from you to commit ID theft.”

Or, they try to get victims to click on a link to download security updates and bug fixes “that allow the cybercriminals to place spyware or malware on your computer,” Payton said.

Fincher cites a report from Ars Technica estimating that tech support scams have made tens of millions of dollars.

The Verizon scam is similar, Fincher said. “The scammers call cell phones and direct customers to navigate to a special website to get a rebate, but instead, collect credentials.”

Microsoft has issued a bulletin outlining how scammers will call impersonating the company’s tech support. “They claim to know you have a virus on your computer and step you through downloading a solution, which is typically TeamViewer, giving them full access to your machine,” Fincher said.

The simplest way to spot the scam, Payton said, is to remember some simple advice from Microsoft: neither the company nor its partners make unsolicited phone calls.

In general …

The most dangerous thing about social engineering scams is that the scammers have become so much better. “It is easy to do and hard to protect against,” Hadnagy said. “The days of phishers being lame have passed. Now they use Spellcheck and they know what is enticing us.”

James Lyne, global head of security research at Sophos, made a similar observation in a recent interview with SCMagazineUK. “Scam messages don’t always have bad English, poor copies of logos or really obviously dodgy links. Sometimes they look practically identical to legitimate messages,” he said.

David Britton, vice president of industry solutions at 41st Parameter (part of the credit monitoring firm Experian), agreed, adding that “attackers can now actually use the ‘social’ part of social engineering to create communications that appear to come from ‘trusted’ acquaintances.”

This, he said, means criminals can “cross-reference stolen consumer data to create very sophisticated scams, which could ultimately result in millions of dollars in losses if businesses cannot tell the difference between friend and foe, customer and attacker.”

How can people avoid them? Christopher Martincavage, senior sales engineer at SilverSky, suggests that for enterprises, “a good internal education training program is always a great start, especially since most attacks are longlined. Also, good security countermeasures such as email protection and zero-day detection can reduce the chances of this reaching an end user.”

He and others also say it is crucial never to download patches or updates from an email. “Always patch from the app or go to the site manually,” he said.

Hadnagy agrees that it is important to “stay educated about the current scams. Learn to use critical thinking – if something sounds too good to be true it probably is and therefore requires some checking into it before you start giving over data.”

In short, don’t trust unsolicited offers for tech support, updates, patches or free stuff. Payton said there are reputable companies that offer IT support. “Go someplace like bbb.org to find a BBB Accredited Business, ask friends, or research places on Angie's List to find someone you can trust,” she said.
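Hadnagy's point that most scam emails carry “tells” (the URL is wrong, the sender is not who they claim) and Phillips' resolution to type addresses by hand rather than click can be turned into a mechanical pre-check. The Python script below is an added example written for this page; it is not code from the article or from any of the companies quoted. It inspects a raw email for three such tells: link text that names one host while the href points at another, links whose host does not belong to the sender's domain, and a Reply-To header that would route replies to a different domain than the From address. The two sample messages and every domain in them (all ending in .example) are constructed for the demonstration.

```python
"""Automated 'tells' check for an incoming email (added example, not from the
article). Flags links whose visible text and real target disagree, links that
lead outside the sender's domain, and a Reply-To pointing at another domain."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL, or of a bare 'www.host.example' string."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def belongs_to(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def header_domain(msg, name):
    """Domain of the first address in an address header, or '' if absent."""
    header = msg[name]
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def phishing_tells(raw_message):
    """Return a list of human-readable tells found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    tells = []
    from_domain = header_domain(msg, "From")
    reply_domain = header_domain(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        tells.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return tells
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        href_host = host_of(href)
        # Tell 1: the visible text looks like an address but the real target differs.
        if "." in text and " " not in text:
            text_host = host_of(text)
            if text_host and text_host != href_host:
                tells.append(f"link text shows {text_host} but points at {href_host}")
        # Tell 2: the link leads outside the sender's own domain.
        if not belongs_to(href_host, from_domain):
            tells.append(f"link to {href_host} does not belong to sender domain {from_domain}")
    return tells


# Constructed sample messages; every domain ends in .example and is invented.
SAMPLE_EMAIL = """\
From: "World Cup Tickets" <tickets@worldcup-tickets.example>
Reply-To: claims@ticket-claims.example
To: fan@mail.example
Subject: You've won a free ticket to the World Cup!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Print your ticket here: <a href="http://print.ticket-claims.example/win">www.worldcup-tickets.example</a></p>
<p>Questions? Read <a href="http://worldcup-tickets.example/faq">our FAQ</a>.</p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "Account Alerts" <alerts@bank.example>
To: customer@mail.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://online.bank.example/statements">Sign in</a> to view it.</p></body></html>
"""

if __name__ == "__main__":
    for tell in phishing_tells(SAMPLE_EMAIL):
        print("TELL:", tell)
    print("clean message tells:", phishing_tells(CLEAN_EMAIL))
```

Run as a script it prints three tells for the constructed lure and none for the clean statement notice. The checks are deliberately simple: they catch the mismatches the experts describe, not a message that is sent from a compromised but genuine account, so they belong in front of a reader's judgment (“Do I know Jim from accounting?”) rather than in place of it.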