So-called “social engineering” is the tactic du jour of hackers — rather than find ways around organizations’ technology-based security screens, they trick employees into opening the doors.

A recent story on CSO Online outlines four ways today’s cybercriminals are exploiting users to get access to sensitive information:

1. Changing communication methods

By now, many folks know not to trust every e-mail they receive. So social engineering attacks are often conducted by contacting the victim in other ways.

Some examples: paper fliers that direct people malicious websites, voice mails asking folks to call back and leave sensitive financial info, and free USB drives that contain viruses.

2. Making it personally relevant

One criminals have had success getting victims to open e-mails: crafting messages that connect on a personal level.

That’s been a popular ruse for some time, but lately hackers have gone so far as figuring out where a victim is located so they can, for example, send e-mails claiming to report on breaking local news. The messages, of course, link to malicious websites.

3. Using their friends

As Facebook’s become a big hit with users, it’s gotten pretty popular with criminals as well. The latest round of attacks spreads malware by sending users a link via a Facebook message. When users click on it, their accounts are hijacked and the message is sent to everyone on their friends list.

Attacks like this work because the messages look like they’re from a friend. Many users don’t yet understand that’s not always the case.

4. Using their security fears

If folks are more alert about data security threats, then hackers can use that to their advantage.

Lately, so-called “scareware” attacks have been making the rounds, in which a user will get a message that their anti-virus software is out of date. When they click the click to install the new software, a virus is downloaded.

Software’s not enough

The solution? Experts warn data security pros that technical security solutions aren’t enough these days.

Those tools must be combined with user training that helps everyone in the organization recognize and avoid threats.

Scareware.

Victims of the scam see a phony pop-up ad that tells them their computer is infected with a virus and they need to buy an anti-virus program. Those that fall for the ruse shell out money for the software, which turns out to be malware that steals personal information.

McAfee says its seen a 660% increase in scareware scams over the last two years, along with a 400% increase in reported incidents over the last 12 months. Scammers make an estimated $300 million wordlwide with scareware hoaxes, PCWorld reports.

Alert users in your company to the scam, letting them know the legitimate anti-virus software already installed on your network is more trustworthy than a random pop-up ad.

We’ve all seen it. A dialog box pops up, informing us in urgent words that a virus has been found on our hard disk, and that by clicking OK, we can run a protection program to disinfect the disk. As we freak out, the temptation to click OK is almost irresistible.

According to a recent white paper “Report on Rogue Security Software,” from [legitimate] security firm Symantec, that’s the doing of a new set of cyber-criminals. These companies peddle bogus security software to unsuspecting end users by scaring them into a knee-jerk response. The programs have such legitimate sounding names as SpywareGuard, AntiVirus 2009, and SpywareSecure.

To download the program, the end user submits a credit card number for payments up to $100. The actual program may be utterly useless, or it might be harmful, allowing hackers access to your computer for data theft or malicious destruction.

The Symantec report says that the company has found some 250 separate fake programs being sold through almost 200,000 web sites.

Maybe you are too sophisticated to be fooled, but there are people in your organization (and among your family and friends) that might not be quite so wary.

Here are a few pointers in keeping them from being ripped off –- or worse:

1. Stick with legitimate, well-regarded security software from well-known and reviewed companies like Symantec, McAfee, Sophos, Trend Micro and others (check online for reviews from PC Magazine or PC World). One of these programs should be bought through legitimate channels (like a well-known online store of a major electronics/computer chain) or installed by the manufacturer.
2. Be aware what software is installed and make sure that updates are regularly downloaded. In larger companies, this will be monitored by the IT department.
3. If you see a pop-up box warning against a virus, calm down. Run or let IT run the legitimate virus software already installed if you have real reason to be worried about a virus.
4. In general, stay away from marginal websites. Be every careful when an email links to unknown websites. Google is pretty reliable about confirming the legitimacy of Web sites when you search.
5. Be careful about viewing, opening and especially running email attachments unless you are 100% sure they’re legitimate and come from a known source.
6. If you are asked to download any software, stop and think. Make sure you understand exactly what you’re downloading, and if you have any doubt, click Cancel.
7. Don’t use a credit card to download security software interactively unless you 100% sure it is legit.