Your guide to identifying social engineering scams and cyber threats

Technology has made everyday activities, from communicating to shopping and online banking, infinitely easier. Security advances make our digital lives safer than ever before, too. Yet criminals are always looking for a way in, and there’s one vulnerability that’s very hard to safeguard: human emotion.

In the U.S. alone, consumers lost $10 billion to fraud in 2023 — a new record, according to new figures released by the Federal Trade Commission, and a $1 billion increase over 2023. More fraud reports — 2.6 million in all — were filed last year too. Impostor scams, where criminals pretend to be representatives of the government or a legitimate business, topped the list of fraud categories, and for the first time, email was the most common communication channel swindlers used to reach their victims.

1. deceit, trickery

2. A person who is not what they pretend to be

“Cybercriminals often rely on human emotion like fear, curiosity, sympathy or pride to trick their victims into falling for a con,” says Donna Mattingly, principal of corporate security education and awareness for Mastercard. Social engineering scams can be used to steal money, install malicious software (malware), access business networks for insider info or bring down entire computer networks. It can be hard to see what swindlers are after, as their schemes have become incredibly complex.

They’ve also become more convincing. Cyber scammers build phony websites and create elaborate false identities to fool their victims. And they’re now using generative AI technologies to create misleading emails, phone calls (gen AI can mimic the voices of your loved ones), images and videos (known as deepfakes) that are so sophisticated, they’re nearly impossible to recognize as bogus.

Even people who’ve been trained to be cautious can be fooled, as evidenced by a recent incident in Hong Kong. There, a multinational financial company lost $25.6 million when an employee was tricked into transferring corporate funds to a criminal account. He’d been deceived by a deepfake video conference call with people who looked and sounded like colleagues, including the company’s CFO, but were actually computer-generated impostors.

To protect yourself from cybercrimes, it’s helpful to know what kinds of scams are out there, so you can dodge them.

What is social engineering?

Social engineering is the use of deception and emotional manipulation to influence someone else’s behavior. In the digital world, cybercriminals use social engineering tactics to trick people into revealing confidential information or taking actions that can harm them, or their employers, financially.

These types of cyber scams can include convincing people to hand over cash or send money electronically. Scammers also use them to obtain personal information like social security numbers, credit card numbers or log-in credentials so that they can later steal money, commit fraud or sell to other criminals.

Social engineering scams may be seeking access to your personal computer or corporate computer network to steal data or intellectual property, install viruses or ransomware (harmful software that locks up files until users pay a ransom) or cause system malfunctions that bring business to a halt.

Their goals can even include swaying elections or manipulating financial markets. Cybercriminals may email or post fake news stories, press releases or stock performance graphics that trick people into making investments.

Why are there so many forms of social engineering scams?

There are many forms of social engineering scams because criminals will always go where the victims are. As we find new ways to communicate and connect, bad actors come up with new channel-appropriate schemes to prey on our emotional vulnerabilities.

What is phishing?

Phishing is a social engineering tactic that relies on fraudulent emails to lure recipients into sending money or disclosing confidential information.

Remember the “Nigerian prince” emails of the 1990s, where a person claiming to be African royalty requested urgent financial assistance? We may laugh at the premise now, but that widespread scam was one of the earliest and most basic examples of phishing. Since those early days, phishing scams have grown in number and complexity.

What are the warning signs of a phishing email?

The warning signs of a phishing email are messages that inspire fear, panic or other strong reactions. They sound threatening or push for immediate action by presenting urgent situations, such as financial emergencies, the detection of “unusual activity” on your account or unpaid invoices.

The aim is to scare people into responding before they have time to think clearly. Many phishing emails ask recipients to click on a link or download an attachment, but doing either can lead to unintended consequences, such as linking to a nefarious website, triggering a computer virus or downloading dangerous software.

What to do if you've clicked a phishing link?

If you’ve clicked on a phishing link, disconnect your computer or device from the internet. This can interrupt malicious downloads or block them from starting. Scan your system using trusted security software and follow instructions if a virus or malware is detected.

If you typed in a username and password on one of your accounts while visiting a fake website, head to the legitimate site and change them immediately. If there’s any chance you’ve disclosed information that could be used to hurt you financially, contact your bank for instructions on how to proceed.

If you live in a country with credit bureaus, it’s a good idea to contact them. In the U.S., the three major credit bureaus can watch your file for suspicious activity. They will also let you “freeze” and “unfreeze” your credit file for free. Finally, report cyber scam or fraud to the appropriate authorities and tell friends and colleagues about the scam so they won’t be baited into repeating your mistake.

What is spear phishing?

Spear phishing is a targeted, more personalized form of phishing. Scammers do their research before initiating contact, so they can address you by name or claim to represent a company or a person you know.

Often they’re able to glean a lot of detail form social media, so consider using privacy settlings on social media sites to limit the exposure of your posts.

What is a whaling attack?

Whaling is a targeted phishing attack that’s aimed directly at corporate executives or other high-ranking individuals. In other words, the big fish (“whales”) in an organization.

What is vishing?

Vishing is a form of phishing that employs phone calls or voicemail messages rather than email.

What is smishing?

Smishing is yet another type of phishing, targeting potential victims via SMS (text) messaging.

What is quishing?

Quishing is a type of phishing where scammers convince people to scan a fake QR code that takes them to a malicious website, where they may be persuaded to give up confidential information or download harmful software.

What is zishing?

Zishing is a phishing technique that takes place on videoconferencing calls and uses deepfake technology to fool victims. The “z” stands for Zoom, but it can happen on any platform.

What is an angler phishing attack?

Angler phishing targets social media users who’ve posted complaints about a business or service. Fraudsters create fake social media profiles and then contact the original poster, posing as a customer service representative who wants to help. They’ll ask for personal information and use it for criminal activity.

What is email spoofing?

Email spoofing is when scammers hide their identity by disguising their email address or display name, so emails appear to come from someone the recipient recognizes. Sometimes scammers use email accounts so close — maybe differing by only one letter — that recipients fail to spot the discrepancies.

How does business email compromise work?

A business email compromise is when cybercriminals hack into a corporate email system to create emails that appear to come from someone in a leadership position. The emails are crafted to convince other employees to reveal privileged financial information or authorize payment transfers that send money to fraudulent accounts.

What is a scareware attack?

A scareware attack frightens computer users into installing malicious software or opening virus-infected files. A user may receive a pop-up notification falsely warning that their computer has been infected with a dangerous virus. They’re then instructed to purchase fake software or send money to unlock the computer.

What is a romance or honeypot scam?

A romance or honeypot scam is when criminals create realistic profiles on dating apps and websites or social media platforms and feign romantic interest in potential victims. Dangling the promise of a relationship, they ask for money, push fraudulent investment or cryptocurrency schemes or request personal details to access financial accounts.

Romance scammers often work around dating site safeguards by proposing a move to texts or emails soon after conversations begin.

What should I do after being scammed?

If you’ve been scammed, contact your bank and any other businesses that manage your financial accounts and let them know what happened. Change usernames and passwords and enable multifactor authentication for digital interactions. Help future victims by reporting the crime.

Most countries have a central authority that handles cyber scams and frauds. In the U.S., contact the Federal Trade Commission through its website or by calling 877-IDTHEFT (438-4338). Europol has a list of member states with individual reporting websites.