What are ‘social engineering’ scams?
Social engineering is on the rise – we explain how to avoid becoming its next victim
If HMRC sent you a letter informing you of a tax rebate, you might be surprised that the least efficient arm of the state was getting in touch at all, let alone bearing good news.
In fact, it may not be HMRC getting in touch at all.
Bogus letters purporting to be from official organisations are regularly sent out to manipulate people into sharing personally identifiable information.
Known as social engineering, these attacks may be targeted or indiscriminate.
They could be designed to achieve financial gain, conduct sabotage or prepare for identity fraud, at an individual or organisational level.
An astonishing 98 per cent of cyberattacks use social engineering techniques to some extent, contributing to the $10 trillion worth of damage expected to be incurred in 2025.
But what is social engineering? How does it work, and what can individuals do to avoid falling victim to it?
Social networks
Social engineering can take many forms, including (but not limited to) the following:
- Emails purporting to be from colleagues, clients or official bodies requesting unusual, sensitive or confidential information
- Phone calls and voicemails pretending to be from banks, ISPs or other service providers asking the recipient to verify their identity or ‘confirm’ billing information
- Spyware presented as legitimate software, or webpages promising to resolve a security issue (when in fact they install the very malware they claim to be protecting you against)
- Links to compromised webpages distributed via email, social media, messaging apps or SMS messages
- Letters pretending to be from trusted agencies or brands, whose familiarity leads customers not to question unusual requests for information or input
- Too-good-to-be-true claims – a competition win, a free gift or a job offer – which require disclosure of personal information to acquire whatever is being promised.
Notorious versions of social engineering include the Nigerian prince email scam, or fraudsters using dating sites to target wealthy victims.
The latter encapsulate the psychological manipulation techniques criminals rely on to urge, trick, guilt or coerce their victims into cooperating, often in stages or over time.
By preying on personal weakness rather than software flaws or network vulnerabilities, human hacking is often a lucrative way to acquire confidential personal information.
Again, this takes many forms – bank account details, login credentials, credit card data, network access, account passwords and PINs…
Acquired data may be used for targeted fraud and theft, resold on the black market in a wider database of stolen personal data, or used to sabotage and compromise legitimate platforms.
Employees might be targeted specifically because they have access to a corporate IT system, with the intention of compromising it from within.
What should I do if this happens to me?
A sense of urgency is usually injected into any social engineering attack, reducing the victim’s ability to step back and consider what’s being asked of them.
Heightened emotions – fear, excitement, anger – lower people’s resistance to being tricked, and the use of trusted brands (often alongside some legitimate information) adds a veneer of legitimacy.
Our first piece of advice is therefore to approach every unsolicited inbound communication with a healthy degree of suspicion, especially if it claims to be urgent.
If you’ve pre-emptively identified a potential social engineering attack, do nothing to facilitate it.
Delete downloaded software and run an antivirus scan; throw away letters without acknowledging them; hang up on incoming calls.
Adopt safety measures such as two-factor authentication and automatic logouts, never leave personal devices unattended, and install antivirus software with automatic updates turned on.
If you’ve already fallen victim, your response depends on the damage that’s been done.
If spyware has been installed on your device, antispyware software can root it out (pun intended).
If money has been stolen, reporting it as quickly as possible increases your chances of a partial or full refund, as well as increasing the chances of the perpetrators being caught.
Legitimate agencies often know they’re being impersonated, but any additional reports will help them to identify the source(s), warn other people and take steps to mitigate future attacks.
Finally, read our guide to phishing for a greater insight into common examples of social engineering.