Identifying and Mitigating Social Engineering Scams

Ransomware and other forms of cyberattacks seemingly live in today’s news cycles. It’s a topic we’ve covered frequently at RCM&D across all industries, and for good reason. However, it’s also important not just to cover the cyberattacks themselves but also the methods that make them possible.

Social engineering is not a new phenomenon, and it can impact any industry at any time. According to a 2021 report by PurpleSec, 98 percent of today’s cyberattacks are the direct result of social engineering. It occurs when hackers pose as a trusted person or institution to their victims. This includes hackers posing as bosses, coworkers, friends, relatives, or legitimate institutions like banks. Once the hacker has gained the victim’s trust, they can exploit them with fraudulent requests for money or sensitive information. 

An article from CO highlights four social engineering scams all businesses should become familiar with as cyber threats continue to occur more frequently and be more costly. 

Phishing and Smishing

Phishing is perhaps the most common and one of the oldest types of social engineering scams. It occurs when a cybercriminal sends an email (phishing) or text message (smishing) that encourages the victim to click on a link or send personal and financial information. These messages usually include language that depicts an urgent matter or threat that requires a prompt response.

For example, a person may receive an email from what appears to be their bank or credit card company claiming there is an issue with their account and that they must log in to address the issue. If a victim does not know what to look for, they may send their banking or credit card information straight into the hands of a hacker ready to profit.

An article from the FTC highlights some common narratives hackers may use in a phishing email. These narratives include:

Pretexting

Pretexting is an impersonation scheme in which hackers pose as known individuals, such as a corporate executive. Hackers will typically ask victims to carry out a business-related financial task or share personal information to “confirm their identity.” If a hacker has access to a business’s personal files or email addresses, they can easily contact employees and pose as their boss or HR director to make these requests.

Vishing

Vishing attacks typically occur over the phone, with the scammer informing their victims that they are “under investigation” and need to pay a fine to resolve the issue. Some example organizations hackers may claim to represent include government agencies like the Social Security Administration or credit and debit card companies.

Baiting or Quid Pro Quo

Baiting attacks are scams in which the victim is given some sort of offer. This “offer” could be for things like a fake promotion for an online retailer or for the chance to win a large prize. These attacks exploit the victim’s curiosity and trick them into providing personal information, such as log-in credentials. 

Red Flags and Questions to Ask

All social engineering schemes share some similar red flags and warning signs. These include spelling and grammatical errors, and incorrect domain names or sender email addresses. Additionally, Eric Breecem, Director of Cybersecurity at Sunrise Banks, recommends asking yourself a few questions when an email or message seems suspicious. These questions include:


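The sender-domain red flag above can be turned into a mechanical check. The following is an added example written for this page, not code from RCM&D, CO or the FTC. It assumes a constructed list of trusted domains (examplebank.com, example-corp.com), approximates the registrable domain as the last two labels (a real deployment would use the public-suffix list), and flags three common mismatches: a subdomain that embeds a trusted name, a lookalike built from character swaps, and a trusted brand in the display name paired with an unrelated domain.

```python
import re
from difflib import SequenceMatcher

# Constructed list of domains this hypothetical organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}

# Character swaps commonly used in lookalike domains, mapped back to the letters they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Matches 'Display Name <user@domain>' as well as a bare 'user@domain'.
ADDR_RE = re.compile(r'^\s*(?:"?([^"<]*?)"?\s*)?<?([^<>\s@]+)@([^<>\s]+)>?\s*$')


def parse_sender(header):
    """Split a From: header into (display_name, domain); (None, None) if it cannot be parsed."""
    m = ADDR_RE.match(header)
    if not m:
        return None, None
    name = (m.group(1) or "").strip()
    domain = m.group(3).lower().rstrip(".")
    return name, domain


def normalize(domain):
    """Undo common homoglyph swaps and drop punctuation so lookalikes compare equal to the brand."""
    d = domain.lower()
    for glyph, letter in HOMOGLYPHS:
        d = d.replace(glyph, letter)
    return re.sub(r"[^a-z.]", "", d)


def registrable(domain):
    """Crude approximation of the registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(header, trusted=TRUSTED_DOMAINS):
    """Return one of: trusted, lookalike, brand-in-display-name, external, unparseable."""
    name, domain = parse_sender(header)
    if domain is None:
        return "unparseable"
    reg = registrable(domain)
    if reg in trusted:
        return "trusted"
    # A trusted name used as a subdomain of an unrelated registrable domain.
    if any(t in domain for t in trusted):
        return "lookalike"
    norm = normalize(reg)
    for t in trusted:
        if norm == normalize(t):
            return "lookalike"
        base_seen, base_trusted = norm.split(".")[0], normalize(t).split(".")[0]
        # Near-identical second-level label (e.g. one letter swapped) is treated as a lookalike.
        if SequenceMatcher(None, base_seen, base_trusted).ratio() >= 0.8:
            return "lookalike"
    compact_name = name.lower().replace(" ", "")
    for t in trusted:
        if t.split(".")[0] in compact_name:
            return "brand-in-display-name"
    return "external"


if __name__ == "__main__":
    # Constructed sample From: headers, not real messages.
    for hdr in ["alerts@examplebank.com",
                "Example Bank <security@examp1ebank.com>",
                "alerts@examplebank.com.evil-example.net",
                "Example Bank <billing@examplebank-alerts.com>",
                "IT Support <helpdesk@gmail.com>"]:
        print(f"{classify_sender(hdr):24} {hdr}")
```

Anything other than "trusted" is a prompt to apply the questions below before acting on the message, not a verdict on its own: legitimate third-party mailers land in "external" all the time, which is exactly why the display-name and lookalike signals are reported separately.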
Scammers are always looking to manipulate unsuspecting victims. Knowing the warning signs and the process behind their methods can help you and your organization safely navigate the web in today’s challenging environment.

Additionally, while many of the social engineering scams described above would logically be exposures covered under a cyber policy, there are some that may also be endorsed for coverage under a crime policy. Talk to a trusted RCM&D advisor today with any coverage questions and for more on how to avoid social engineering scams.