Social engineering encompasses a broad range of nefarious activities accomplished through psychological manipulation, in person or online, that exploits everyday human interactions to get targets to divulge confidential information.

Once a social engineer has tricked their victim into providing this information, they can use it to further their fraudulent activities. A social engineer is skilled at gathering information, building relationships, exploiting their target and executing fraudulent activities. If the attacker carries out their agenda and remains undetected, the cycle is more than likely to continue.

One of the best ways to keep yourself and your business safe from social engineering attacks is to be able to identify them. Read on to learn about the five common methods fraudsters use to carry out social engineering.

1. Phishing

Phishing is a technique where an attacker sends fraudulent emails, claiming to be from a reputable and trusted source such as a bank representative. They could claim to have important information about your account and require you to reply with your personal and/or account details such as your full name, birth date, government I.D. number and account number first so that they can verify your identity. Ultimately, the person emailing is not a bank employee; it’s a person trying to steal private data.


2. Vishing and smishing

Vishing is short for voice phishing. It occurs when a fraudster attempts, over the telephone, to trick the target into disclosing sensitive information or giving them access to their online accounts. The caller often threatens or tries to scare the person into handing over personal information or payment.

Smishing is short for SMS phishing and is similar. Smishing uses the same techniques as email phishing and vishing, but through SMS/text messaging. Note that RBC will not ask you to provide personal or account information over the phone or via text messaging.

Be wary of requests for your personal information and always ask why your information is required. If there are any doubts or concerns, a good practice is to contact the organization directly for confirmation.

3. Business Email Compromise (BEC)

Business email compromise takes place when a fraudster uses e-mail to create a scenario under false pretences in which the victim feels compelled to comply. The fraudster may gain access to the sender’s legitimate account or create a false e-mail account to impersonate someone in a powerful position, and then attempts to persuade the victim to follow their instructions. During this type of attack, a bad actor may impersonate police officers, higher-ups within the company, auditors, investigators or any other person they believe will help them get the information they seek.

Pay attention to e-mail requests appearing to be from business associates or suppliers. Often, the sender’s e-mail address is close to a legitimate contact’s address, with slight variations. Ensure that you maintain online protection through reputable anti-virus software that can track and notify you of known fraudulent e-mail addresses and websites.
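As an added illustration, not part of the original article, the following Python check shows how a mail administrator could flag sender domains that are near-misses of trusted partner domains (the "slight variations" described above). The trusted domain list and sample addresses are constructed for the example.

```python
# Added example (not from the article): flag e-mail sender domains that are
# look-alikes of trusted partner domains. TRUSTED_DOMAINS is a constructed list.

TRUSTED_DOMAINS = {"examplesupplier.com", "northwind-partners.ca"}

# Visual substitutions commonly seen in look-alike domains, mapped back to the
# character they are meant to resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalise(domain: str) -> str:
    """Lower-case the domain and undo common character substitutions."""
    d = domain.lower().strip().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an e-mail address."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in trusted:
        return "trusted"
    # A trusted name used as a leading label of a longer domain is a classic trick.
    if any(domain.startswith(t + ".") for t in trusted):
        return "lookalike"
    norm = normalise(domain)
    for t in trusted:
        ref = normalise(t)
        if norm == ref or levenshtein(norm, ref) <= max_distance:
            return "lookalike"
    return "unknown"
```

Anything classified as "lookalike" should be held for a human check against the contact on file rather than acted on.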

4. Baiting

Baiting puts something enticing or curious in front of the victim to lure them into the trap. A baiting scheme could offer a free music download or gift card in an attempt to trick the user into providing credentials. A social engineer may hand out free USB drives to users at a conference. The user may believe they are just getting a free storage device, but the attacker could have loaded it with remote access malware which infects the computer when plugged in. Ensure that you and your business maintain online protection through reputable anti-virus software that can track and notify you about fraudulent e-mail addresses, websites and malware.

5. Fraudulent service providers

Fraudulent service providers often use social engineering tactics to attempt a trade of service for information. A typical scenario might involve an attacker calling the main lines of a company pretending to be from the IT department, attempting to reach someone who is having a technical issue. Once the attacker finds a user who requires technical assistance, they say something along the lines of, “I can fix that for you. I’ll just need your login credentials to continue.” This is a simple and unsophisticated way of obtaining a user’s credentials. Scammers also pretend to be calling from your internet provider and offer to improve your business network connections via a remote connection. Keep in mind that it is unlikely that your provider will request log-in credentials or remote access over the phone.

It is important that you and your employees are mindful of the physical and virtual spaces in which you work and where personal information is shared. The best defense against social engineering tactics is ensuring you and your employees are educated about the potential threats and think twice before sharing sensitive information in person or online.

This article offers general information only and is not intended as legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. While information presented is believed to be factual and current, its accuracy is not guaranteed and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or its affiliates.