Social Engineering: How to Tell if You’re Being Scammed
Social engineering is a common tactic cyber-criminals use to manipulate people into giving up confidential information or access to systems. Rather than relying on technical exploits, attackers abuse human traits such as trust, curiosity, urgency, and politeness. A common example is someone pretending to be IT support and asking for your login credentials.
To help keep you and our clients protected, below are ten common social engineering tactics you should be aware of:
• Phishing – Deceptive emails, messages, or links that appear legitimate and attempt to steal passwords, financial details, or other sensitive information.
• Whaling – Highly targeted phishing attacks aimed at executives or senior staff, often using personal or business-related information.
• Baiting – Offering something appealing (free software, discounts, or exclusive access) to trick users into downloading malware or sharing data.
• Diversion Theft – Tricking a courier or delivery person into redirecting a shipment, or creating a distraction so that an attacker can gain unauthorized physical or system access.
• Business Email Compromise (BEC) – Impersonating a trusted colleague, manager, or vendor to request urgent payments or sensitive information.
• Smishing – Phishing attempts delivered via SMS or messaging apps.
• Quid Pro Quo – Promising a reward or service (such as tech support or gift cards) in exchange for confidential information.
• Pretexting – Inventing a believable scenario or identity to manipulate someone into sharing information.
• Honeytrap – Exploiting emotional or romantic connections to gain access to systems or data.
• Tailgating / Piggybacking – Gaining physical access to restricted areas by following authorized individuals.
Real-World Example
Some time ago, Gotham Restaurant, a long-standing business in New York City, was forced to close temporarily after losing $45,000 to a cyber scam; in November 2024, after 40 years in business, it closed for good. The owner had received an email that appeared to come from the restaurant's payroll provider (@gotham.restaurant.com), asking for updated banking details because of supposed internal issues.
The sender's address differed by a single character swap (@gotharn.restaurant.com, with "rn" standing in for "m"), an easy detail to miss. The owner transferred the funds intended for employee salaries before realizing the request had come from cyber-criminals, not the payroll company. This incident shows how even experienced professionals can be deceived when verification steps are skipped.
Key Takeaways
• Always verify requests involving payments, credentials, or banking changes, especially if they feel urgent.
• Check sender email addresses carefully for small inconsistencies, including look-alike characters such as "rn" for "m" or "1" for "l".
• When in doubt, pause and confirm through a secondary channel (a phone call to a number you already have on file, internal chat, or an official contact), never through the contact details supplied in the suspicious message itself.
• Social engineering attacks rely on speed and trust. Staying informed and cautious is one of the most effective defenses.
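The "rn" for "m" swap in the Gotham example is exactly the kind of detail an automated check can catch before a human has to. The script below is an added illustration, not Virtual Coworker's tooling: it normalizes look-alike characters (ASCII confusables, accented letters, Cyrillic and Greek homoglyphs, punycode labels) and then compares the sender's domain against a constructed allowlist with an edit-distance check. The allowlist, the second trusted domain (acmepayroll.example) and the sample sender addresses are all made up for the example.

```python
import re
import unicodedata

# Constructed allowlist of domains verified out-of-band (not a real list).
TRUSTED_DOMAINS = {"gotham.restaurant.com", "acmepayroll.example"}

# Pairs that look alike in common fonts. ("rn", "m") is the swap from the
# Gotham example; the rest are standard confusables. Multi-character pairs
# come first so they are collapsed before single characters are mapped.
ASCII_CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]

# Cyrillic and Greek letters that render like Latin ones (IDN homograph trick).
SCRIPT_HOMOGLYPHS = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "ο": "o", "α": "a", "ν": "v",
})


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Name <user@host>' or 'user@host'; '' if none."""
    m = re.search(r"<([^<>]+)>", address)
    addr = m.group(1) if m else address
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def decode_idna(domain: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode the user would see."""
    if "xn--" not in domain:
        return domain
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def normalize_domain(domain: str) -> str:
    """Map visually similar characters to one canonical form for comparison."""
    d = unicodedata.normalize("NFKC", decode_idna(domain).lower())
    d = d.translate(SCRIPT_HOMOGLYPHS)
    # Drop accents (e.g. 'é' -> 'e') that a reader's eye skips over.
    d = "".join(c for c in unicodedata.normalize("NFKD", d)
                if not unicodedata.combining(c))
    for look, real in ASCII_CONFUSABLES:
        d = d.replace(look, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typosquats such as an added hyphen or dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> dict:
    """Return a verdict: trusted, lookalike, unknown or malformed."""
    domain = sender_domain(address)
    if not domain:
        return {"domain": domain, "verdict": "malformed", "closest": None, "distance": None}
    if domain in TRUSTED_DOMAINS:
        return {"domain": domain, "verdict": "trusted", "closest": domain, "distance": 0}
    norm = normalize_domain(domain)
    closest = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(norm, normalize_domain(t)))
    dist = levenshtein(norm, normalize_domain(closest))
    # Distance 0 means "identical once look-alikes are collapsed"; 1 means a
    # single typo or punctuation change away from a trusted domain.
    verdict = "lookalike" if dist <= 1 else "unknown"
    return {
        "domain": domain,
        "verdict": verdict,
        "closest": closest,
        "distance": dist,
        "non_ascii": not decode_idna(domain).isascii(),
    }


if __name__ == "__main__":
    for sample in [  # constructed sample senders
        "Payroll <billing@gotham.restaurant.com>",
        "Payroll <billing@gotharn.restaurant.com>",
        "hr@gotham-restaurant.com",
        "ops@acmepayro11.example",
        "news@newsletter.example.org",
    ]:
        print(sample, "->", classify_sender(sample))
```

Note that plain edit distance alone would not have caught the Gotham address: "gotharn" is two edits away from "gotham", which is why the confusable collapse runs first. Because both sides are normalized, a legitimate domain containing "rn" or digits will also be collapsed, so treat a "lookalike" verdict as a prompt to verify through a secondary channel, not as proof of fraud.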
If you receive a suspicious message or are unsure how to proceed, please report it immediately through the appropriate Virtual Coworker support or security channel.
Stay vigilant and stay protected.
