How scammers manipulate you and steal your money: social engineering

A “bank employee” calls and says your account is at risk. He sounds convincing and asks you to read out the code from the SMS in order to “save” your money. Or you find a flash drive labelled “Confidential” and plug it into your computer out of curiosity. Shortly afterwards your data is stolen and your account is empty. This is not fiction but social engineering, the art of manipulation that exploits not the vulnerabilities of computers but the weaknesses of the human mind. In this article we look at what social engineering is, how it works, why all of us are vulnerable, and how to protect ourselves. Expect real stories that will make you think, and practical advice that will save your money, data, and nerves.

What is social engineering?

Social engineering is a set of techniques by which attackers manipulate people into giving them access to information, money, or systems. It is not about cracking passwords with software but about “hacking” your trust, fear, or curiosity. Social engineers are, in effect, fraudulent psychologists who know how to make you open the door to them voluntarily.

Imagine: you are in the office and a man in a technician’s uniform approaches you. He says he is fixing the servers and asks for access to your computer. You trust his professional appearance and let him through. An hour later, your corporate data may be gone. Or you receive an email from a supposed government agency asking you to “verify your account” via a link that leads to a fake website. This is social engineering in action: deception that plays on our emotions and instincts.

Key principles of social engineering

Why do we get caught? Because we are human beings, and our psyche is predictable. Social engineers use several universal principles:

  • Authority: We tend to trust those who appear higher in status: government officials, doctors, “supervisors”. If the “boss” calls and asks for an urgent transfer, many people comply without asking questions.
  • Urgency: Phrases like “Your account will be blocked in 10 minutes!” push us to act impulsively and switch off critical thinking.
  • Reciprocity: If someone does us a “favour” (for example, offers an imaginary discount), we may feel obliged to return it.
  • Curiosity and greed: Tempting offers like “You have won a big prize!” or “Secret documents” encourage us to click links or open files.
  • Social proof: If we are told that “all your colleagues have already done this”, we tend to follow the crowd.
  • Trust: We trust people who seem friendly or familiar. A fraudster can pretend to be a colleague or a representative of a well-known organisation in order to gain that trust.

These principles work all over the world, regardless of age, gender, or culture. That’s why social engineering is so dangerous.

How Social Engineering works: Real Examples

To show how sophisticated social engineering can be, let’s look at a few well-known cases and common schemes.

The Twitter account hijack (2020)

In July 2020, attackers carried out one of the most high-profile incidents in Twitter’s history. They took over the accounts of well-known people such as Elon Musk, Bill Gates, and Joe Biden, as well as companies such as Apple and Uber, and posted messages about a bitcoin “giveaway”. The scheme was simple: send cryptocurrency to the specified wallet and you will supposedly get back twice as much. According to Elliptic, a blockchain analytics company, the scammers collected more than $118,000 in bitcoin within a few hours.

How was it done? The attackers used social engineering against a small number of Twitter employees. Posing as the company’s IT staff over the phone, they talked employees into handing over credentials for the internal account-support tools. This case shows that even large companies are vulnerable if a single person is manipulated.

Lesson learned: Even employees of tech giants can become victims. Always verify who is requesting access or credentials, even when the request seems urgent and comes from a “colleague”.

“A relative in trouble”: Phone fraud

This scheme is popular in many countries. Scammers usually call elderly people, posing as a relative or a law enforcement officer. “Grandma, it’s me, your grandson! I’ve had an accident, I need money for a lawyer to ‘sort this out’!” says the voice on the phone. In a panic, the victim may transfer large sums to the account given. Scammers often add background noise (such as sirens) or use voice-changing software to make it more convincing.


According to the FBI Internet Crime Complaint Center (IC3), in the United States in 2023 alone, victims of such schemes lost over $129 million, with an average loss of about $6,000 per person.

Lesson learned: If you receive a call with such an “urgent request”, hang up and call the relative yourself on a number you already know, or contact the police directly.

USB Bait: A trap for the curious

Security research has repeatedly demonstrated the danger of “lost” USB flash drives. In a well-known experiment at the University of Illinois, nearly half of the flash drives scattered around the campus were plugged in by the people who found them. Such drives may carry files with names like “Confidential: employee salaries” or “Personal photos”. Opening them can infect the computer with malware that steals data or locks the system. Worse, a device that looks like a flash drive can present itself to the computer as a keyboard and type commands the moment it is plugged in, so no file needs to be opened at all.

This method shows how social engineers use curiosity. The found flash drive is a modern “Trojan Horse”.

Lesson learned: Never connect unknown USB devices to your computer. If you find a flash drive, hand it to your organisation’s security team or simply dispose of it.

Kevin Mitnick: A Legend of Social Engineering

Kevin Mitnick, one of the most famous hackers of the 1980s and 1990s and later a security consultant, was a master of social engineering. He routinely used deception and manipulation to reach confidential information and systems. In his books, such as The Art of Deception, Mitnick described many psychology-based techniques that let him get past even strict security measures, often simply by persuading someone over the phone or in person to hand over the information or access he needed.

Lesson learned: Appearance, confidence, and a well-prepared cover story can fool anyone. Always verify credentials and the purpose of a visit or request, even if the person seems trustworthy.

Business Email Compromise (BEC) and fake invoices

Business Email Compromise (BEC) attacks, also known as “CEO fraud”, remain extremely dangerous. Fraudsters either break into a corporate mailbox or register a look-alike address, and then, in the name of a manager or partner, instruct employees (usually in accounting) to urgently pay a fake invoice or to send a payment to the “new” account of a well-known supplier. The damage from a single such attack can run into millions of dollars.

For example, in 2019 the Japanese automotive components manufacturer Toyota Boshoku lost about $37 million (4 billion yen) to such a scheme, according to the company’s own disclosure.

Another telling case occurred in 2023 at an international energy company, where a finance employee transferred $23.5 million to fraudsters after receiving a fake email supposedly from the CEO. The attackers had first studied the company’s structure through public sources and LinkedIn, which let them build a convincing story about an urgent, confidential transaction. The FBI’s Internet Crime Complaint Center (IC3) recorded reported BEC losses of more than $2.9 billion in 2023, up from $2.7 billion in 2022.

Lesson learned: Always check the sender’s address and the payment details carefully. For large or unusual transfers, require confirmation through an independent channel (for example, a phone call to a number already on file, never one taken from the email itself).

Why is social engineering so dangerous?

Social engineering threatens everyone because it exploits human nature itself. Here are a few reasons why it is so effective:

  • Universality: Scammers attack everyone, from teenagers to top managers, from individuals to corporations.
  • Low entry threshold: Many types of attacks do not require deep technical skills. A phone, an email, or a confident voice is enough.
  • Large-scale consequences: One wrong click or one rash action can lead to the theft of significant amounts, leakage of confidential data, or even blackmail.

According to Cybersecurity Ventures, global damage from cybercrime in 2023 was about $8 trillion, a significant share of it from attacks that use social engineering. IBM Security’s study put the average cost of a data breach in 2023 at $4.45 million per incident, 15% higher than in 2020.

According to the World Economic Forum’s 2023 report, cybercrime remains one of the main global threats facing companies and individuals. Interpol notes in its annual digital threats report that social engineering methods were responsible for more than 70% of successful cyber attacks in 2023.

But the scariest thing is not only the money. Stolen data can be used for identity theft, blackmail, or attacks on companies. Leaks of medical data, as has happened many times in different countries, can have deeply personal and sensitive consequences for patients.

Social Engineering techniques: How are you being deceived

Social engineers use a variety of methods. Here are the most common techniques:

Phishing

These are fake emails, messenger messages, or websites made to look official (from banks, government agencies, or well-known services). The goal is to get you to follow a malicious link and enter your usernames, passwords, card details, or other confidential information on a fake site.

Example: In 2023 and since, mass phishing campaigns have continued to imitate notifications from streaming services (such as Netflix), mail providers, or marketplaces, asking you to “update payment details” or “confirm delivery”. According to Proofpoint, more than 255 million phishing attacks were recorded worldwide in 2023 alone.
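What “look at the real link” means in practice is easiest to show in code. The Python example below is added here and is not part of the original article: it examines a link the way a careful reader should, comparing the visible text with the actual target and flagging the tricks phishing URLs rely on: plain http, a fake “login” placed before an @ sign, a bare IP address, a non-ASCII or punycode host, and a brand name used as a subdomain of an unrelated domain. The brand list and the sample links are constructed for the example; a production version would use the public suffix list instead of the two-label approximation of the registrable domain.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: brands whose genuine links we expect to see.
KNOWN_SITES = {"netflix.com", "example-bank.kz"}


def registrable_domain(host: str) -> str:
    """'login.netflix.com' -> 'netflix.com'. Takes the last two labels, which is right
    for .com-style names; two-level suffixes (co.uk) need the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def inspect_link(visible_text: str, href: str) -> list[str]:
    """Warnings about a link as the user sees it (anchor text) versus where it really
    goes (href). Heuristic: an empty list means 'nothing obviously wrong', not 'safe'."""
    warnings = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""

    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme '{parts.scheme or 'none'}')")

    # https://netflix.com@198.51.100.7/ : the browser ignores everything before '@'.
    if parts.username is not None:
        warnings.append(f"text before '@' in the URL; the real host is '{host}'")

    if is_ip_literal(host):
        warnings.append(f"host is a bare IP address ({host}), not a company domain")

    # Non-ASCII or punycode (xn--) hosts can be homoglyphs: 'nеtflix' with a Cyrillic 'е'.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        warnings.append(f"internationalised host '{host}' may imitate a known brand")

    # netflix.com.account-verify.example : the brand is a subdomain of the attacker's domain.
    target = registrable_domain(host)
    for site in sorted(KNOWN_SITES):
        brand = site.split(".")[0]
        if brand in host and target != site:
            warnings.append(f"'{brand}' appears in the host but the registrable domain is '{target}'")

    # The link text looks like a URL or domain: does it agree with the real target?
    text = visible_text.strip()
    if "." in text and " " not in text:
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if shown and registrable_domain(shown) != target:
            warnings.append(f"link text shows '{shown}' but the target is '{host}'")
    return warnings


# Constructed samples: (what the user sees, where the link actually points).
SAMPLES = [
    ("https://www.netflix.com/account", "https://www.netflix.com/account"),
    ("https://www.netflix.com/account", "http://netflix.com.account-verify.example/login"),
    ("Update payment details", "https://example-bank.kz@198.51.100.7/verify"),
    ("netflix.com", "https://n\u0435tflix.com/login"),  # second letter is Cyrillic 'е' (U+0435)
]

if __name__ == "__main__":
    for shown, href in SAMPLES:
        print(shown, "->", href)
        for w in inspect_link(shown, href) or ["no obvious problem"]:
            print("   ", w)
```

The first sample passes, the second trips three checks, and the last two show why the padlock alone proves nothing: both use HTTPS and the homoglyph domain would display a perfectly valid certificate.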

Vishing – Voice Phishing

These are phone attacks in which scammers pose as bank employees, law enforcement, technical support, or even your relatives. They create panic (“someone is trying to withdraw money from your account”, “your relative is in trouble”) so that you have no time to check anything and simply follow their instructions (transfer the money to a “safe account”, read out the code from the SMS). No bank employee will ever ask for that code: it exists precisely so that only you can authorise a transaction.


Example: In 2023, the US Federal Trade Commission (FTC) published data that Americans lost about $765 million due to telephone fraud, while the average damage per victim was about $1,400.

Smishing – SMS Phishing

These are fraudulent SMS messages. For example, the message “Your card is blocked, urgently call the number …” or “You have won a prize, follow the link to receive …” The goal is the same — to force you to call scammers or go to a malicious site.

Example: In 2022–2023, SMS messages about “winning the latest smartphone” or “a small tax arrears” circulated in Europe and other regions, each leading to a phishing site. According to ENISA (the European Union Agency for Cybersecurity), the number of smishing attacks grew by 23% in 2023 compared with the previous year.

Pretexting

The scammer invents a plausible scenario (the pretext) in order to extract the information they need. The attacker may pose as a colleague, a courier, an IT specialist, or a government representative, whether in person, by phone, or in writing.

Example: Verizon’s 2023 Data Breach Investigations Report found that roughly a quarter of successful breaches began with pretexting or a similar deception. There have been cases in which attackers, posing by phone as the IT department, persuaded employees to hand over their passwords for a “scheduled system update”, leading to data leaks.

Baiting

Scammers offer something attractive to lure the victim into a trap: planted USB flash drives with intriguing labels, QR codes leading to malicious sites, or fake Wi-Fi networks in public places. By plugging in or using the bait out of curiosity, the victim risks infecting their device, or, with a fake Wi-Fi network, handing their traffic to the attacker.

Example: A study by the Norton Cyber Safety Insights Report showed that in 2023, about 17% of users connected to open Wi-Fi networks without additional protection. In the same year, Kaspersky Lab experts recorded a 36% increase in the number of attacks via fake Wi-Fi networks at airports, hotels and shopping malls around the world.

How to protect yourself from social engineering?

Protection against social engineering begins with awareness and vigilance. Here are ten practical tips:

  1. Check the source. If you get a call from a “bank” or a message claiming to come from a company, look up the organisation’s official phone number or website and contact it directly. Never use the contact details given in the message or email itself.
  2. Be careful with links and attachments. Before clicking, hover over a link (in a desktop mail client or browser) to see the real address, and compare the domain with the one you expect. Do not open attachments from unknown senders. A padlock or https:// only means the connection is encrypted; phishing sites use HTTPS too, so it is the domain name that matters.
  3. Take your time. Scammers create a sense of urgency to switch off your critical thinking. Pause, think it over, consult someone.
  4. Use two-factor authentication (2FA) wherever possible. It makes unauthorised access much harder even if the password is stolen. Google’s 2019 research found that a phone-based second factor stopped all automated bot attacks and most bulk phishing, while hardware security keys stopped all of the attacks studied, including targeted ones. Remember that a one-time code you read out to a caller is as good as stolen: no bank or support line will ever ask for it.
  5. Do not connect unknown devices. Found a flash drive? Do not give in to curiosity. Do not scan QR codes of unknown origin.
  6. Use strong, unique passwords. Never reuse the same password across services; use a password manager, and change a password immediately if you suspect it has been exposed. A password manager also helps against phishing because it will not fill in your credentials on a look-alike domain. According to LastPass, 65% of people reuse passwords across services, which puts all of their accounts at risk at once.
  7. Teach the people around you. Tell your parents, children, and colleagues about these schemes. The elderly and the young are often particularly vulnerable.
  8. Use antivirus software and keep it updated. Reliable software on your computer and smartphone protects against many malicious programs.
  9. Be sceptical. If an offer seems too good to be true (a huge win, an incredible discount from an unknown seller), it is most likely a scam.
  10. Report suspicious cases. If you encounter an attempted fraud, report it to your bank, the police, or your country’s cybersecurity hotline if one exists.

A question for you: Have you ever encountered fraudulent calls or emails? Share your story in the comments — it will help others find out what the attacks look like. If you have avoided scammers so far, be on your guard — they are constantly inventing new schemes.

Historical example: The Trojan Horse

Social engineering is not an invention of the 21st century. One of the oldest and most famous stories is the siege of Troy. The Greeks, unable to take the city by force, built a huge wooden horse and left it at the gates of Troy as an alleged gift to the gods and a sign of reconciliation. The Trojans, despite the warnings of some fellow citizens, dragged the horse into the city. At night, Greek soldiers got out of it, opened the gates to the main army, and Troy fell. This is a classic example of trust manipulation and exploiting human weaknesses.

Psychology of the victim: Why do we believe scammers?

To understand how to protect ourselves, it is important to understand why we become victims. Psychologists identify several factors:

  • Emotions override logic: Strong emotions such as fear, greed, curiosity, or empathy can temporarily overwhelm critical thinking. Scammers masterfully play on these emotions.
  • Cognitive biases: We tend to believe that “this won’t happen to me” (optimistic bias), or trust authorities without due diligence.
  • Social norms: It can be difficult for us to turn down someone who seems friendly, authoritative, or in need of help.
  • Information overload: In today’s world, we process huge amounts of information every day, and it’s easy to miss alarms or overlook a catch in this flow.

Understanding these factors helps us to be more attentive. For example, if you feel a lot of pressure or urgency from the other person, this should be a red flag.

Social engineering in a corporate environment

Companies are a favorite target of social engineers, because a successful attack on one employee can open access to valuable corporate data or financial resources. Here are some examples of corporate attacks:

  • Fake invoices and BEC attacks: As described above, scammers send fake invoices or demand urgent transfers in the name of management.
  • Physical access: Attackers pose as couriers, technicians, or job candidates to get into the office and reach computers, servers, or documents, or to plant spyware.
  • Targeted phishing (spear phishing): Attacks aimed at specific employees (often managers or people with access to finances or data). The emails are carefully prepared and include personal details to make them as convincing as possible.

Companies can protect themselves by conducting regular cybersecurity training for employees, implementing strict procedures for verifying payment requests and granting access, as well as using technical means of protection. According to a Ponemon Institute report, companies that conduct regular cybersecurity training reduce the risk of successful attacks by 70%.

The Future of Social Engineering: New Threats

As technology develops, social engineering becomes more sophisticated. Here are a few trends that are already visible and will keep growing:

Artificial Intelligence (AI) and deepfakes

Scammers use AI to create convincing fake audio and video (deepfakes). There have already been cases in which fraudsters cloned the voice of a company executive to persuade a finance employee to transfer large sums. In early 2024 a case became public in Hong Kong in which a finance employee of an international company transferred about $25 million to fraudsters after joining a video call in which several senior managers were deepfakes. According to the World Economic Forum, deepfake technology was among the top five cyber threats in 2023.

Attacks through social networks and messengers

Attackers mine public social media profiles for the details that make a personalised attack convincing. Hijacked messenger accounts used to ask the owner’s contacts for money also remain a common threat. According to a Meta (formerly Facebook) report, the company blocks up to 1 million fake accounts a day, many of them created for fraud.

Attacks on Internet of Things (IoT) devices

Smart devices (cameras, household appliances, medical devices) can become the target of attacks, especially if they are not sufficiently protected. Compromising such devices can be used for espionage or as an entry point into a home or corporate network. According to a Palo Alto Networks study, about 57% of IoT devices are vulnerable to moderate or high-severity attacks, and the total number of attacks on such devices increased by 41% in 2023.

To stay safe, it is important to keep up with new technologies and constantly update your knowledge of cybersecurity techniques.

Conclusion: Your vigilance is your best defense

Social engineering is a game of human weaknesses, but you can become stronger than scammers. They’re counting on your haste, gullibility, or curiosity, but you can outsmart them if you’re attentive and knowledgeable. Check sources, don’t get emotional, use technical means of protection, and educate your loved ones. In a world where data is the new currency, your awareness is your best shield.

What are you going to do right now to increase your security? Perhaps check your two-factor authentication settings, update important passwords, or share this article with your friends and family. One small step can avert a big disaster.


Disclaimer:

This article is intended solely for informational and educational purposes. The methods and examples described in it serve to raise awareness of the risks of social engineering. Legislation, law enforcement practices, and specific safety recommendations may vary from country to country, including Kazakhstan. For accurate information, advice and assistance in specific situations, always contact the official government authorities of your country (for example, cybersecurity specialists, law enforcement agencies) and qualified experts in the field of information security. Do not take any actions that may violate the laws of your country.

Sources:

  1. Verizon Business: “Data Breach Investigations Report 2023”
  2. IBM Security: “Cost of a Data Breach Report 2023”
  3. Cybersecurity Ventures: “Annual Cybercrime Report 2023”
  4. FBI Internet Crime Complaint Center (IC3): “Annual Internet Crime Report 2023”
  5. World Economic Forum: “Global Risks Report 2023”
  6. Proofpoint: “State of the Phish 2023”
  7. LastPass: “Psychology of Passwords Report 2023”
  8. Palo Alto Networks: “IoT Security Report 2023”
  9. Norton Cyber Safety Insights Report 2023
  10. ENISA: “Threat Landscape Report 2023”
  11. Elliptic: “Blockchain Analytics Report on Twitter Bitcoin Scam, 2020”
  12. Meta: “Community Standards Enforcement Report Q4 2023”
  13. Ponemon Institute: “Cost of Cyber Crime Study 2023”
