Monday, November 3, 2025

Word of the Month for November 2025: Social Engineering

Have you ever gotten emails from people you've never met asking for information that you don't think you should give out?

Maybe a "friend" casually asks you for your username/password to see what funny stuff you've posted on social media.

Maybe you're searching online at work when, out of the blue, you get an email or text from someone you don't know about something like:

Subject: Urgent: Your Amazon account has been compromised! 

Dear Customer,

We have detected suspicious activity on your Amazon account. To protect your information, please verify your account by clicking the link below:

[Link: Verify your account here: malicious-amazon-login.com]

Failure to verify your account within 24 hours will result in account suspension.

You click the link, your computer screen starts to flicker and it shuts off... OR

Nothing happens, but a few days later you discover that your username and passwords have been changed, making it impossible to access any of the accounts stored in your password manager (you know, the one where you have been keeping your usernames and passwords for the last few years), OR

You get a visit from IT/HR saying that the email you clicked on, from someone you've never met or heard of, released malware into the company network, that it's going to cost hundreds of thousands of dollars to fix and, oh yeah, you're fired.

Ever happened to you?  If so, you, my friend, have been a victim of social engineering.

I remember one time, years before the term "social engineering" was even coined, I got a call from an official-sounding guy.  There were sounds of people talking in the background, typewriters going, secretaries taking dictation, and such.

Sounded legit.

The guy started in asking me questions like could I spell my name, where I lived, how old I was - that sort of thing.  Then he asked for my social security number.

Just as I started to say the first number, something caught my attention and I'm like, why do you need my SS#?  He started saying something, and I got the BS feeling in my gut and hung up.

Don't know what the BS feeling is?  Essentially, it's if it looks like a duck and flies like a duck but smells like Bulls**t, it's probably not a duck.

Anyway, turns out social engineering happens to LOTS of people and organizations worldwide.  In fact, globally, social engineering attacks (including phishing, impersonation, etc.) cost businesses approximately $4.8 billion in 2024—up from about $4.2 billion in 2023.

Wait, what?!

Before we get too deep into this, let's define what social engineering is:

Social engineering is manipulating or deceiving people into divulging confidential information or performing actions that compromise security, whether their own or their employer's. The attacker usually pretends to be someone they're not in order to gain the victim's trust, and relies on psychological manipulation (exploiting emotions and instincts such as fear, urgency and the wish to be helpful) rather than on a technical vulnerability of the kind you might expect from a computer hack.

The success of social engineering lies in the fact that humans are prone to error and therefore fall for manipulative tactics. According to a social engineering attacks survey, “Social engineering attacks are one of the insidious and pervasive threats that compromise the individual’s privacy and security.  These malicious strategies exploit an individual’s tendency to trust digital resources...One of the primary causes of social engineering attacks is human error and emotional responses to factors such as greed, fear, empathy, and curiosity.” 

Social engineering is often the gateway to technical breaches (e.g., phishing leads to ransomware), but it doesn’t always get the credit—or blame—it deserves. It's less flashy, more human, and harder to track.  So, while attacks on computer systems get better press, social engineering is often the attacker's first choice: it is easier to exploit human traits such as trust, a sense of safety, and the tendency to help others or take the most convenient path than to go to all the trouble of finding and exploiting a flaw in a computer network.

So, what are some of the more popular ways social engineering happens?

1. Phishing

Fake emails, texts, or messages that look legitimate but trick you into clicking links, downloading malware, or entering personal info.

Example: You get an email that looks like it’s from your bank, asking you to “verify your account.”

2. Vishing (Voice Phishing)

Phone calls where someone pretends to be from tech support, a bank, or a government agency to get sensitive info.

Example: “This is Microsoft. We’ve detected a virus on your computer…”

3. Smishing (SMS Phishing)

Phishing via text messages. Usually includes a suspicious link or urgent message.

Example: “Your package is delayed. Click here to reschedule delivery.”

4. Pretexting

The attacker creates a fake identity or situation (a “pretext”) to get you to trust them and share info.

Example: Someone pretends to be HR asking for your Social Security number to “update your file.”

5. Impersonation

The attacker pretends to be someone you know or someone in authority (like a boss or IT support).

Example: A “CEO” emails asking you to urgently wire money for a business deal.

6. Baiting

Luring someone with a tempting offer—like free software, a USB drive, or music downloads—that actually contains malware.

Example: A USB drive labeled “Employee Salaries” left in a company parking lot.

7. Tailgating / Piggybacking

Physically following someone into a restricted area by pretending to be an employee or visitor.

Example: “Oops, I forgot my badge—mind holding the door?”

8. Quid Pro Quo

Offering a service or benefit in exchange for information.

Example: “I’ll fix your printer if you give me your login credentials.”

These methods all rely on exploiting human trust, fear, curiosity, or helpfulness—not just technology. That’s what makes social engineering so powerful and dangerous.

So, how might a social engineering attack play out in real life?

Scenario: "The IT Support Scam"

Target: An employee at a company
Attacker’s Goal: Gain login credentials to the company’s internal system

  1. Pretext (The Setup)
    The attacker calls the employee pretending to be from the company’s IT department.

    "Hi, this is Mike from IT. We’re doing urgent maintenance on the login system, and I noticed your account has been flagged."

  2. Creating Urgency and Trust
    The attacker uses technical jargon and time pressure.

    "If we don’t fix this now, your access could be locked and flagged for audit. I can help you reset it quickly."

  3. Information Gathering
    The attacker asks a few harmless-seeming questions to gather details:

    "Can you confirm your username and the last four digits of your employee ID?"

  4. Exploitation
    Then comes the real request:

    "Now I just need your current password to manually reset the system on our end. After that, I’ll send you a temporary one."

  5. The Hook
    The employee, stressed and believing they’re helping IT, provides the password.

  6. Execution
    The attacker immediately logs into the employee's account and accesses sensitive company data or plants malware.

What just happened?  The attacker didn’t hack any system—they hacked human trust. That’s social engineering in real time: manipulating someone into voluntarily giving up secure information.  Notice the tell in step 4, too: a real help desk can reset your password without ever asking you for the current one. Nobody legitimate needs your password.

Have you ever had this happen to you?  I'll bet it has but you didn't know it. 

So, what can you do to protect yourself?  Turns out there are a number of things you (or your company) can do to prevent an attack (or, at least, make sure the inevitable attempt fails), like:

Recognize the warning signs

  • Unexpected phone calls. If you get a call you weren’t expecting, especially from someone claiming to be your bank, an insurer, or an IT company, treat it as a possible vishing attempt. Hang up and call back on a number you already have (the one on your card or on the company's website), never a number the caller gives you. 
  • Suspicious sender address. Don't trust the display name; look at the actual email address and domain behind it and check that they match the organization the message claims to come from. If something feels off, it probably is.
  • Unusual requests from someone you know. If your boss or a manager contacts you with urgent requests for money, credentials, documents, or other information when they've never done that before, it could be a phishing attempt. Always verify through a channel you already use, such as calling them on a known number, not by replying to the message.
  • Urgent requests or demands. Phishing attempts have a sense of urgency to them, such as “pay now” or “act quickly,” all designed to make you feel pressured, distracted, and overwhelmed into acting NOW!
  • Unexpected links or attachments. Do not open attachments or click on links in emails you were not expecting. Hover over a link to see where it really goes before clicking, and when in doubt type the site's address into your browser yourself. 
  • Unusual layout and spelling. Incorrect grammar and spelling, strange sentence structure, and inconsistent formatting are classic indicators of a phishing attempt. The reverse isn't true, though: polished, error-free phishing is common, so clean prose is not proof of legitimacy. 
  • Generic greetings/signature. Greetings that don’t include your name, such as “Sir/Ma'am,” and signatures without contact information (or contact information that does not make sense) are strong indicators of a phishing email. 
  • Offers that seem too good to be true. If an offer seems too good to be true, such as large amounts of money for seemingly useless information, it could be a phishing attempt.
  • Requests on social media from someone you don’t recognize. Be wary of messages from people or entities you don’t know.
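Several of the signs above can be checked mechanically, which is roughly what a mail gateway does before a message reaches you. The script below is an added example for this post, not code from the original article or from any vendor product. It parses a raw email, compares the brand the message claims to be from against the sender's real domain and the real destination of each link, and looks for urgency language and a generic greeting. The two sample messages, the brand-to-domain table, the phrase lists and the two-findings threshold are all constructed assumptions for the demo.

```python
"""Heuristic triage for the warning signs listed above.

Added example for this post, not code from the original article or any
vendor product. The two messages, the brand-to-domain table, the keyword
lists and the threshold are all constructed assumptions for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: brands we care about and the domains they really send mail from.
KNOWN_BRANDS = {"amazon": {"amazon.com"}, "paypal": {"paypal.com"}}
URGENCY_PHRASES = ("urgent", "immediately", "act now", "within 24 hours",
                   "suspension", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir/madam", "dear sir/ma'am")
URL_RE = re.compile(r"https?://[^\s\]>\"')]+", re.I)


def registrable(host: str) -> str:
    """Last two DNS labels, e.g. login.example.com -> example.com.
    Assumption: no multi-part public suffixes (co.uk) in the sample data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_hosts(text: str) -> set:
    """Hostnames of every http(s) URL in the body: the real destination of each link."""
    hosts = set()
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.add(host)
    return hosts


def triage(raw_message: str) -> list:
    """Return human-readable findings; an empty list means no sign fired."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable(address.split("@")[-1]) if "@" in address else ""
    body = msg.get_payload()  # sample messages are single-part text/plain
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    # Sign 1: the message speaks as a known brand, but the sender domain or the
    # link targets are not that brand's. Display names are trivially forged,
    # so they only decide which brand is being claimed, never whether it's real.
    for brand, real_domains in KNOWN_BRANDS.items():
        if brand not in text and brand not in display_name.lower():
            continue
        if sender_domain and sender_domain not in real_domains:
            findings.append(f"sender domain {sender_domain} is not a {brand} domain")
        for host in link_hosts(body):
            if registrable(host) not in real_domains:
                findings.append(f"link to {host} while posing as {brand}")

    # Sign 2: urgency / threat language
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Sign 3: generic greeting instead of your name
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    return findings


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """Two or more independent signs is the (assumed) threshold for a human to look."""
    return len(triage(raw_message)) >= threshold


# Constructed sample: the Amazon lure from the top of the post, as a raw message.
PHISH = """From: "Amazon Security" <alerts@amazon-account-verify.net>
To: you@example.com
Subject: Urgent: Your Amazon account has been compromised!

Dear Customer,

We have detected suspicious activity on your Amazon account. To protect your
information, please verify your account by clicking the link below:

http://malicious-amazon-login.com/verify

Failure to verify your account within 24 hours will result in account suspension.
"""

# Constructed sample: an ordinary message that should not fire.
BENIGN = """From: "Dana Lee" <dana.lee@example.com>
To: you@example.com
Subject: Lunch on Thursday?

Hi Sam,

Are you free Thursday at noon? The new place on 5th opened last week.

Dana
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, "suspicious" if is_suspicious(sample) else "looks ok")
        for finding in triage(sample):
            print("  -", finding)
```

Run it and the Amazon lure fires on all three signs (wrong sender domain, wrong link domain, urgency, generic greeting) while the lunch invite fires on none. The point of the two-finding threshold is that no single sign is conclusive: a colleague can write an urgent note, and a real bank sometimes sends "Dear Customer"; it is the combination that should make you stop and verify.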

Implement multi-factor authentication

Multi-factor authentication (MFA) requires you to prove who you are with two or more different kinds of evidence, for example a password plus a code from your phone. That alone raises the bar: an attacker who has stolen your password still can't log in without the second factor. But not all MFA is equal. A code sent by SMS or shown in an app can be relayed: the phishing page simply asks you for the code and forwards it to the real site before it expires. Phishing-resistant MFA, meaning FIDO2/WebAuthn security keys or passkeys, ties the login proof to the website you are actually on, so a proof produced on a look-alike site is useless at the real one. Prefer that where it's offered, and treat a one-time code as better than nothing rather than as a cure.
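To make the difference concrete, here is an added simulation (not code from the original post, and not a real authenticator implementation) of the two kinds of second factor facing the same attacker-in-the-middle. The one-time code is HOTP-style and carries no information about where it was typed, so the relay succeeds. The security key signs the challenge together with the origin the browser says the user is on, the way WebAuthn's client data includes the origin, so a signature made on the look-alike site fails at the real one. The HMAC over a shared secret stands in for the public-key signature a real FIDO2 authenticator makes, and the site names are constructed.

```python
"""Why a one-time code can be relayed but an origin-bound credential cannot.

Added example for this post, not code from the original article. Simplified:
the 'security key' uses HMAC with a shared secret in place of a real FIDO2
public-key signature, and the signed client data only loosely mirrors
WebAuthn's clientDataJSON. Origins are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import struct

REAL_ORIGIN = "https://login.example-bank.test"             # constructed
PHISH_ORIGIN = "https://login.example-bank.test.evil.test"  # constructed look-alike


# ---- Factor type 1: a one-time code (SMS or authenticator app) ----
def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (simplified). Both the phone and the site compute it;
    nothing in the code says where the user typed it."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


def otp_relay_attack() -> bool:
    """Victim is on PHISH_ORIGIN. The fake page asks for the code and the attacker's
    proxy submits it to the real site inside the validity window. Returns True if
    the real site accepts it, i.e. the attack worked."""
    shared_secret = os.urandom(20)
    counter = 42
    code_shown_on_phone = otp_code(shared_secret, counter)
    code_typed_on_phish = code_shown_on_phone        # victim copies it into the fake page
    code_relayed_by_attacker = code_typed_on_phish   # proxy forwards it unchanged
    return hmac.compare_digest(code_relayed_by_attacker, otp_code(shared_secret, counter))


# ---- Factor type 2: an origin-bound credential (FIDO2 / WebAuthn style) ----
class SecurityKey:
    """Stand-in for a hardware key or passkey. Real ones sign with a private key;
    an HMAC over a shared secret is used so this runs on the standard library."""

    def __init__(self):
        self.secret = os.urandom(32)

    def sign(self, challenge: bytes, origin: str):
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self.secret, client_data, hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    """The real site. It knows its own origin and the key registered for the user."""

    def __init__(self, origin: str, key: SecurityKey):
        self.origin = origin
        self.key_secret = key.secret  # registration; a real RP stores the public key
        self.pending = None

    def new_challenge(self) -> bytes:
        self.pending = os.urandom(32)
        return self.pending

    def verify(self, client_data: bytes, sig: bytes) -> bool:
        expected = hmac.new(self.key_secret, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        data = json.loads(client_data)
        # Both checks matter: the challenge stops replay, the origin stops relay.
        return data["challenge"] == self.pending.hex() and data["origin"] == self.origin


def webauthn_login(key: SecurityKey, rp: RelyingParty, origin_user_is_on: str) -> bool:
    """One login. Whoever sits in the middle can forward the challenge and the
    signed result, but the BROWSER writes the origin the user is really on into
    the signed data, and the page cannot change it."""
    challenge = rp.new_challenge()
    client_data, sig = key.sign(challenge, origin_user_is_on)
    return rp.verify(client_data, sig)


if __name__ == "__main__":
    key = SecurityKey()
    bank = RelyingParty(REAL_ORIGIN, key)
    print("OTP relayed through phishing site accepted:", otp_relay_attack())
    print("Security key on the real site accepted:   ", webauthn_login(key, bank, REAL_ORIGIN))
    print("Security key relayed from phishing site:  ", webauthn_login(key, bank, PHISH_ORIGIN))
```

Real WebAuthn goes one step further than this simulation: a credential is also scoped to the site's RP ID, so the browser won't even offer the bank's passkey to a page on evil.test. Either way, the thing the attacker needs, a valid proof for the real origin, never exists.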

Train employees on awareness

Regular organization-level training is important to keep your employees and data safe. Employees should be taught about and encouraged to use defensive measures such as multi-factor authentication, strong (and unique) passwords, and firewalls, and, just as important, how to report a suspected attempt so the security team hears about it quickly rather than after the damage is done.

Operate under the zero-trust mindset

Essentially, verify before you trust. Treat every unexpected request, whatever channel it arrives on, as a possible social engineering attempt, and look for clear evidence that it is legitimate before acting: confirm it through a channel you already use, not through the phone number or link the message itself provides.

Avoid sharing personal information online

Keep your social media profiles private and share access ONLY with people you know personally. The details an attacker needs for a convincing pretext (your employer, your manager's name, your travel plans) often come straight from public profiles.

Like  the old timey radio show The Shadow instilled in baby-boomers everywhere: Who knows what evil lurks in the hearts of men? 

Who, indeed!?

Your best bet is to keep your personal information close to your vest and trust no one because everyone is out to get you (insert evil laugh, here).
