Information Services

Social engineering

Do not get caught by social engineering scams. It’s not just email. It could be SMS, phone calls or social media.

Social engineering is the name given to the techniques used by cybercriminals to manipulate or trick people into divulging confidential information, transferring money or downloading malware.

Social engineering scams can be elaborate and highly convincing. They often impersonate organisations you trust, like your bank or the police. They use snippets of information they know about you to make the scam more realistic. 


Top tips to avoid social engineering scams

  • never reveal confidential information such as your username, password, or PIN
  • trust your instincts: if it does not feel right, it probably is not
  • it is completely reasonable to verify the authenticity of a caller who asks you for confidential information:
    • ask for the caller’s name and call back on the telephone number printed on the back of a bank card or on the organisation’s website
    • call back from a different phone, such as your mobile or landline
  • never open email attachments from unknown sources
  • never click on links in emails, texts, or social media posts from unknown sources
  • if you are unsure about a link in an email, hover your mouse pointer over it to reveal its real destination, which most browsers and email clients display in the bottom left corner of the window; be careful if that destination differs from what the text of the link leads you to expect
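The hover check in the last tip can also be done programmatically. The following Python script is an added example, not code from the Information Services page: it parses the HTML body of an email, lists where each link really points, and flags links whose visible text names one website while the href goes to another. The sample email body is constructed for the example and uses reserved example domains.

```python
"""Automated version of the "hover over the link" check.

Added example (not part of the original page). Each link in an HTML email is
reported with its real destination host; where the visible link text itself
looks like a web address naming a different host, the link is flagged.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches visible link text that looks like a URL or bare domain, capturing the host.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def host_of(text):
    """Return the host named in link text that looks like an address, else None."""
    m = DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return one dict per link: text, href, real destination host, mismatch flag."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        destination = (urlparse(href).hostname or "").lower()
        claimed = host_of(text)
        results.append({
            "text": text,
            "href": href,
            "destination": destination,
            # Only flag when the visible text names a host and it is not the real one.
            "mismatch": claimed is not None and claimed != destination,
        })
    return results


# Constructed sample: one misleading link, one ordinary "Click here" link.
SAMPLE_EMAIL = """<p>Your account will be suspended. Log in at
<a href="http://login-secure.example.net/x">www.mybank.example/login</a> now.</p>
<p>Questions? <a href="https://www.mybank.example/help">Click here</a>.</p>"""


if __name__ == "__main__":
    for r in check_links(SAMPLE_EMAIL):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{flag:8} text={r['text']!r} -> {r['destination']}")
```

A link whose text is just "Click here" is never flagged as a mismatch, because no host is claimed; its real destination is still listed so a reader can judge it, which is exactly what the manual hover check gives you.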

Remember a bank will never:

  • ask for your full PIN
  • ask for your full password
  • ask you to transfer money
  • send someone to collect your bank card

What are the different types of social engineering?

Phishing

Fraudulent emails that claim to be from your bank, credit card provider, a government department, or a popular website. A phishing email will try to tempt you to open an attachment, click on a link or divulge confidential information such as a password or PIN.

Phishing scams often ask you to take urgent action, for example to log on to a website to avoid your account being suspended. Find out more about phishing.

Phishing is generally used to refer to emails, but phishing techniques can be used in text messages, social media posts and instant messages.

Scams targeted at a specific individual or organisation are known as spear phishing.

Vishing

Telephone scams in which the caller claims to be from your bank, credit card provider, the police or another trusted organisation. Callers inform you of a problem, such as fraudulent activity on your account, and will typically ask you to confirm confidential information in order to resolve the situation. The scam may also involve courier fraud, where a "courier" is dispatched to collect payment cards or other records from you.

View the Royal Bank of Scotland's YouTube video on vishing. Another vishing scenario is a call from someone claiming to be IT support for your computer or software. The caller may try to get you to divulge login details or to install malicious software.

Baiting

USB sticks, memory cards, CD-ROMs, DVD-ROMs or other storage media that have been deliberately left lying around and contain malware.

SMSishing

SMSishing is phishing using text messages. These scams can be very convincing, and SMSishing messages can be made to appear as though they have actually been sent by your bank.

You can protect yourself from SMSishing in the same way as you protect yourself against phishing.

What is phishing?

Phishing is the name given to malicious emails that try to trick you into revealing sensitive information. Phishing emails pretend to be from banks, online shops and other trusted organisations such as PayPal, or from your email provider. They usually try to get you to follow a link or open an attachment.

Yes, go to the Get Safe Online Jargon Buster.