Your Guide to Identifying and Dodging Social Engineering Scams
From shopping and banking to how we communicate, technology has made our daily lives infinitely easier and more connected. While security continues to advance, making our digital world safer than ever, criminals persistently seek out vulnerabilities. The one they exploit most effectively? Human emotion.
The scale of this issue is staggering. In the United States alone, consumers lost over $12.5 billion to fraud in 2024, a 25% jump from the previous year, according to a recent Federal Trade Commission report. Investor scams accounted for the largest financial losses at $5.7 billion, while imposter scams were the most frequently reported type of fraud. Email remains the top method scammers use to contact their targets, followed by phone calls and text messages.
fraud /frôd/ • noun
- deceit, trickery
- A person who is not what they pretend to be
“Cybercriminals often rely on human emotion like fear, curiosity, sympathy, or pride to trick their victims into falling for a con,” explains Donna Mattingly, principal of corporate security education and awareness for Mastercard. These social engineering scams can be designed to steal money, install malicious software (malware), or even access corporate networks for insider information. The complexity of these schemes can make it difficult to recognize the swindlers’ true intentions.
These scams have also become alarmingly convincing. Cybercriminals build sophisticated fake websites and create detailed false identities to fool their victims. They are now harnessing generative AI to produce deceptive emails, phone calls that can mimic the voices of your loved ones, and incredibly realistic images and videos, known as deepfakes.
Even those trained to be vigilant can be deceived. A recent incident in Hong Kong serves as a stark warning: a multinational financial firm lost $25.6 million after an employee was duped into transferring funds by a deepfake video conference. The employee interacted with what appeared to be the company’s CFO and other colleagues, but they were, in fact, computer-generated impostors.
To protect yourself, it’s crucial to understand the types of scams out there so you can learn to spot and avoid them.
What is Social Engineering?
Social engineering is the art of using deception and emotional manipulation to influence someone’s behavior. In the digital realm, cybercriminals use these tactics to trick individuals into revealing confidential information or taking actions that could harm them or their employers financially.
These scams can involve convincing people to hand over cash or make electronic money transfers. Scammers also use them to obtain personal data like social security numbers, credit card details, or login credentials to commit fraud, steal money, or sell the information to other criminals. Their goals can also include accessing your personal computer or a corporate network to steal data, install viruses, or deploy ransomware that locks up files until a fee is paid. In some cases, these attacks can aim to sway elections or manipulate financial markets by spreading fake news or misleading financial reports.
The Many Faces of Social Engineering
Why are there so many kinds of social engineering scams? Because criminals constantly adapt, following potential victims to new platforms and devising schemes that prey on our emotional vulnerabilities in those spaces.
Phishing: This tactic uses fraudulent emails to lure recipients into sending money or revealing sensitive information. We might now chuckle at the “Nigerian prince” emails from the 1990s, but this early, widespread scam was a foundational form of phishing.
- Warning Signs: Be wary of emails that create a sense of fear, panic, or urgency. They often contain threats or push for immediate action, citing emergencies like “unusual account activity” or unpaid invoices. The goal is to make you act before you can think. Many of these emails will urge you to click a link or download an attachment, which could lead to a malicious website or trigger a virus.
- What to Do If You Click a Phishing Link: Immediately disconnect your device from the internet to interrupt any malicious downloads. Run a scan with trusted security software. If you entered a username and password on a fake site, go to the legitimate website and change your credentials right away. If you believe your financial information is at risk, contact your bank. It’s also wise to contact the major credit bureaus to monitor your file for suspicious activity or to freeze your credit. Finally, report the scam to the proper authorities and warn others.
Spear Phishing: This is a more personalized and targeted form of phishing. Scammers research their targets beforehand, using names and details gleaned from social media to make their messages more convincing. Consider adjusting your social media privacy settings to limit what strangers can see.
Whaling: A highly targeted phishing attack aimed at senior executives or other high-ranking individuals within an organization—the “big fish” or “whales.”
Vishing: This is voice phishing. Instead of email, criminals use phone calls or voicemail messages to execute their scams.
Smishing: A type of phishing that uses SMS (text) messages to target potential victims.
Quishing: This scam uses QR codes to deceive people. Scanning a fake QR code can lead you to a malicious website designed to steal your information or download harmful software.
Zishing: A modern phishing technique that occurs on video conferencing platforms. It often uses deepfake technology to impersonate trusted individuals. The “z” is for Zoom, but it can happen on any video call service.
Angler Phishing: This scam targets social media users who have posted a complaint about a business. Fraudsters create fake customer service profiles and reach out to “help,” tricking the user into providing personal information.
Email Spoofing: Scammers disguise their email address or display name to make their message appear to come from a known or trusted source. The fraudulent email address might differ by only a single, easily missed letter.
Business Email Compromise (BEC): In a BEC attack, criminals hack into a corporate email system. They then send emails that appear to be from a company leader, instructing employees to transfer money to fraudulent accounts or reveal sensitive financial information.
Scareware: This type of attack uses fear to trick users into installing malicious software. You might see a pop-up warning that your computer is infected with a dangerous virus, urging you to purchase fake software or send money to fix the problem.
Romance or Honeypot Scams: Criminals create fake profiles on dating apps and social media, feigning romantic interest to build trust. They then exploit this connection to ask for money, promote fraudulent investment schemes, or request personal details to access financial accounts. Often, they will quickly suggest moving the conversation to text or email to bypass the dating site’s safety measures.
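The warning signs listed under Phishing (fear and urgency language, links that do not go where they appear to) and the one-letter-off addresses described under Email Spoofing can be turned into a simple screening check. The following Python script is an added illustration, not code from the original article or from Mastercard: the trusted-domain list, the urgency phrases and both sample messages are constructed for the example.

```python
"""Heuristic screener for the phishing and spoofing cues discussed above.

Added example only. TRUSTED_DOMAINS, URGENCY_PHRASES and the two sample
messages are constructed for illustration, not taken from a real mailbox.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed: domains the reader genuinely does business with.
TRUSTED_DOMAINS = {"mastercard.com", "examplebank.com"}

# Constructed: phrases that manufacture fear or urgency ("act before you think").
URGENCY_PHRASES = (
    "unusual account activity", "immediate action", "act now",
    "within 24 hours", "account will be suspended", "unpaid invoice",
    "verify your account",
)


@dataclass
class Email:
    display_name: str
    from_address: str
    subject: str
    body: str
    links: list[tuple[str, str]] = field(default_factory=list)  # (visible text, href)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is usually 1-2 edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Strip scheme, path and port so 'https://a.b/c' and 'a.b/c' both give 'a.b'."""
    url = re.sub(r"^[a-z]+://", "", url.lower())
    return url.split("/")[0].split(":")[0]


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.split(".")[-2:])


def screen(mail: Email) -> list[str]:
    """Return a list of human-readable reasons the message looks suspicious."""
    reasons: list[str] = []
    text = f"{mail.subject}\n{mail.body}".lower()

    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append(f"urgency language: {', '.join(hits)}")

    sender_domain = registrable(mail.from_address.rsplit("@", 1)[-1].lower())
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Display name claims a trusted brand while the address lives elsewhere.
        if brand in mail.display_name.lower() and sender_domain != trusted:
            reasons.append(f"display name claims {brand} but address is @{sender_domain}")
        # Sender domain is close to, but not the same as, a trusted domain.
        d = edit_distance(sender_domain, trusted)
        if 0 < d <= 2:
            reasons.append(f"sender domain {sender_domain} is {d} edit(s) from {trusted}")

    # Link text shows one host while the href actually points to another.
    for visible, href in mail.links:
        if "." in visible and " " not in visible:
            shown, target = registrable(hostname(visible)), registrable(hostname(href))
            if shown != target:
                reasons.append(f"link shows {shown} but goes to {target}")
    return reasons


# Constructed sample: a lookalike "mastercad.com" sender with urgency cues.
PHISH = Email(
    display_name="Mastercard Alerts",
    from_address="security@mastercad.com",
    subject="Unusual account activity - immediate action required",
    body="We detected unusual account activity. Verify your account within "
         "24 hours or your account will be suspended.",
    links=[("www.mastercard.com/login", "https://mastercad.com/login")],
)

# Constructed sample: an ordinary statement notice from a trusted domain.
BENIGN = Email(
    display_name="Example Bank",
    from_address="statements@examplebank.com",
    subject="Your monthly statement is ready",
    body="Your statement for March is available in online banking.",
    links=[("examplebank.com", "https://www.examplebank.com/statements")],
)

if __name__ == "__main__":
    for label, mail in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(label, screen(mail) or ["no warning signs found"])
```

The checks are deliberately coarse: a real mail filter would add sender authentication results and reputation data. The point is that each of the article's warning signs maps to a concrete, testable rule, and that a message tripping several of them at once is the pattern to pause on.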
What to Do If You’ve Been Scammed
If you realize you’ve been the victim of a scam, act quickly.
- Contact your financial institutions. Let your bank and any other companies that manage your accounts know what happened.
- Secure your accounts. Change all relevant usernames and passwords. Enable multi-factor authentication wherever possible for an extra layer of security.
- Report the crime. Reporting helps protect future victims. Most countries have a central authority for handling cybercrime.
  - In the U.S., you can contact the Federal Trade Commission through its website or by calling 877-IDTHEFT (438-4338).
  - Europol provides a list of reporting websites for its member states.