The Psychology of Getting Scammed (And How to Avoid It)
October is Cybersecurity Awareness Month. As part of our month-long series on cybersecurity, this week we’re focusing on how to recognize and defend against social engineering scams that exploit human behavior to steal personal information and money.
Key Takeaways
Social engineering uses manipulation tactics to trick people into giving away money and personal information – like impersonating banks and government agencies.
Common attacks: Fake urgent phone calls, phishing emails, text message scams, delivery redirection (diversion theft), and business email compromise targeting local companies.
Protect yourself: Always verify unexpected contacts by calling official numbers, never rush when pressured to act immediately, and remember that legitimate organizations never ask for passwords over the phone.
The term “social engineering” might sound like a vague concept, but in fact, it’s a very real manipulation technique used by cybercriminals, and it’s currently on the rise. In the world of cybersecurity, social engineering describes a scenario where unsuspecting fraud victims are tricked into divulging confidential information or taking certain actions that compromise their personal and financial security.
This type of cybercrime has now become one of the most significant cybersecurity threats facing individuals and businesses today. Unlike traditional hacking, which exploits technical vulnerabilities in software, social engineering exploits something far more serious—human psychology itself. Criminals manipulate human behavior for their own gain with methods as simple as a phishing email, or as complex as building a relationship with their victim over time.
Why Social Engineering Attacks Are So Dangerous
Social engineering tactics are worryingly effective because we’re wired to follow social norms. When someone calls claiming to be from your credit card company, and you give them your account details because you genuinely believe you’re preventing fraud, you’re behaving like anyone would in that situation.
Social engineers rely on creating an artificial sense of urgency, making you feel like you must act immediately—or else. They don’t want to give you time to think critically and will often establish a sense of trust by making themselves seem official. These types of schemes depend on victims who just want to be helpful, stay out of trouble, and not lose money.
For example, let’s say your business gets a call from someone claiming to be from your IT support company. They sound professional, reference specific systems you’re currently using, and tell you about an urgent security update. They just need you to confirm your login credentials “for verification purposes.” It might all seem completely harmless, but once you give them access, it’s unlikely you’ll be able to reverse what happens next.
Common Social Engineering Tactics
So, how do you prevent this kind of attack? In a world where you’re not sure who to trust, awareness of the more common social engineering tactics is a great place to start.
The following are some common tricks cybercriminals are using today:
Phishing: Using fake emails that look legitimate, directing you to download a file or click on a link.
Smishing: Fake texts from unknown numbers asking you to click on a link.
Vishing: Phone calls impersonating a business or organization, asking for personal information.
Quid Pro Quo: Offering a service (like IT support) in exchange for login information or access to your systems.
Honeytrap: Establishing trust through fake romantic relationships or friendships over time, gaining access to information and/or finances.
Watering Hole: Compromising vulnerable websites you regularly visit with malware that’s designed to access your network.
Business Email Compromise: Fake emails from executives or vendors requesting urgent wire transfers or changes to payment information.
Baiting: An enticing offer or opportunity, like a “free gift card,” that comes bundled with malware.
Diversion Theft: Redirecting your deliveries and/or communications to gain access to purchased items or sensitive information.
Family/Grandparent Scam: Impersonating a friend or family member—like a grandchild—who needs money immediately due to an emergency.
Double Imposter Scam: Impersonating a trusted entity (like your bank) to create urgency about fraud, then posing as a second authority (like law enforcement) to convince you to provide information or transfer money.
How to Protect Yourself: Practical Steps That Work
Even if you’re savvy to the ways in which cybercriminals work, you can still find yourself in a compromising situation. As technology becomes more and more advanced, so do the methods of social engineering deception.
The evolution of AI technology has made it easier for fraudsters to impersonate people you know. They’re actively creating convincing fake voices for phone scams and writing persuasive phishing emails that imitate the writing style of real individuals. Some are even using AI to write messages in the local dialect, and “deepfake” technology to create realistic video calls with fake personas.
Despite this growing level of sophistication, there are still lots of ways to safeguard your information so that it doesn’t fall into the wrong hands.
Always verify before you act. If someone contacts you claiming to be from any organization (including First Utah Bank), don’t provide information on the spot. Hang up and call the official number for that organization. We promise, legitimate companies will never be upset if you take time to verify their identity.
Slow down when you feel pressured. Phrases like “your account will be closed today,” “immediate action required,” or “this offer expires in minutes” are major red flags. Real emergencies are rare, and most organizations give you time to respond thoughtfully. Again, when in doubt, verify the source.
Only use official websites and apps. Don’t click on links in emails or texts from companies or people you don’t know, and be extra cautious with those you do—in case they were hacked. If it’s a link you feel you need to open, use your browser and type in the website address yourself, or use an official mobile app when available.
Never give out passwords, Social Security numbers, or account details. First Utah Bank will never call you and ask for this information. Neither will other valid organizations. If someone claims they need to “verify” this information, that’s your cue to hang up and call the official number.
Keep your devices updated. Make sure your devices are all using current security software, and use strong, unique passwords with two-factor authentication whenever possible.
Ask questions and take your time. If you’re unsure whether you’re talking to an authorized representative, ask them to provide an employee ID number, callback number, or other verification. A legitimate representative can also wait while you verify their identity through official channels.
Trust your gut. If something feels off, it probably is. That email asking you to claim a prize you didn’t enter, that call from the IRS threatening immediate arrest, or that urgent request from your “CEO”—listen to that little voice telling you when something isn’t right.
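The red flags in the steps above (pressure phrases, requests for passwords or payment changes, links whose visible text does not match where they actually go, senders outside the domains you know) can be turned into a simple triage check. The script below is an added example written for this article, not code from First Utah Bank or the original post. The trusted host list and the three sample messages are constructed placeholders: swap in the real domains of the organizations you deal with.

```python
"""Triage a suspicious email or text for the social engineering red flags described above."""
import re
from urllib.parse import urlparse

# Pressure phrases the article calls out (matched case-insensitively against the body).
URGENCY_PATTERNS = [
    r"\bimmediate(ly)?\b",
    r"\bwill be closed (today|within)\b",
    r"\bexpires? in\b",
    r"\burgent\b",
    r"\baction required\b",
]

# Requests a legitimate organization does not make over email, text or phone.
CREDENTIAL_PATTERNS = [
    r"\bpassword\b",
    r"\bsocial security\b",
    r"\b(verify|confirm) your (account|login|identity)\b",
    r"\bwire transfer\b",
    r"\b(update|change) (the )?payment (details|information)\b",
]

# Placeholder allowlist: the hosts you actually use for this organization.
TRUSTED_HOSTS = {"example-bank.test", "www.example-bank.test", "example-corp.example"}

# Anchor text that looks like a domain or URL (used to spot text/target mismatches).
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")


def host_of(url):
    """Lowercase hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def triage(message, trusted_hosts=TRUSTED_HOSTS):
    """Score one message.

    message: {'sender': address, 'body': text, 'links': [(anchor_text, url), ...]}
    Returns {'score': int, 'verdict': 'low'|'medium'|'high', 'reasons': [str, ...]}.
    """
    text = message["body"].lower()
    reasons, score = [], 0

    urgency = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if urgency:
        reasons.append(f"pressure language ({len(urgency)} phrase(s))")
        score += min(2 * len(urgency), 4)  # capped so one theme cannot dominate

    creds = [p for p in CREDENTIAL_PATTERNS if re.search(p, text)]
    if creds:
        reasons.append(f"asks for credentials or payment changes ({len(creds)} match(es))")
        score += min(3 * len(creds), 6)

    for anchor, url in message.get("links", []):
        target = host_of(url)
        shown = anchor.strip().lower()
        shown_host = ""
        if DOMAIN_LIKE.fullmatch(shown):
            shown_host = host_of(shown if shown.startswith("http") else "https://" + shown)
        if shown_host and shown_host != target:
            reasons.append(f"link text shows {shown_host} but points to {target}")
            score += 3
        if target and target not in trusted_hosts:
            reasons.append(f"link to unfamiliar host {target}")
            score += 2

    sender_host = message["sender"].rsplit("@", 1)[-1].strip().lower()
    if sender_host not in trusted_hosts:
        reasons.append(f"sender domain {sender_host} is not on the trusted list")
        score += 1

    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages: a bank-impersonation phish, a business email
# compromise attempt, and a harmless newsletter.
SAMPLES = [
    {
        "sender": "security@first-utah-verify.example",
        "body": "Your account will be closed today unless you verify your account within 24 hours. "
                "Immediate action required: confirm your password at the link below.",
        "links": [("www.example-bank.test", "https://first-utah-verify.example/login")],
    },
    {
        "sender": "ceo@examp1e-corp.example",
        "body": "I'm in a meeting and can't talk. Please process an urgent wire transfer to our "
                "new vendor today and change the payment information on file.",
        "links": [],
    },
    {
        "sender": "newsletter@example-bank.test",
        "body": "Our monthly newsletter is here. Read about the new branch opening and holiday hours.",
        "links": [("example-bank.test", "https://example-bank.test/news")],
    },
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(f"{result['verdict']:>6} (score {result['score']}) from {sample['sender']}")
        for reason in result["reasons"]:
            print("       -", reason)
```

A "high" result is not proof of fraud and a "low" result is not proof of safety; the point is to make the verification step automatic. Whatever the score, the response is the one the article gives: do not use the contact details in the message, call the official number instead.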
Utah’s Growing Cybersecurity Efforts
More than anything, it’s important to take cybersecurity seriously, and the state of Utah is putting systems in place to help individuals and businesses prevent these types of attacks. The Utah Cyber Center now coordinates efforts between local, state, and federal resources to defend against cyber attacks. As of May 2024, organizations doing business in Utah must report significant data breaches to both the Utah Attorney General’s Office and the Utah Cyber Center.
This means better information sharing about threats, more resources for businesses and residents, and stronger coordination when attacks do occur. At First Utah Bank, we work closely with these initiatives and regularly update our security measures to protect your accounts and information.
Stick to the Basics
No matter how complex social engineering schemes become, you can still protect yourself by following the steps outlined above. Always verify sources through official channels, don’t rush when you’re feeling pressured, and maintain a healthy skepticism, especially when it comes to unexpected communications.
It’s worth repeating: If you ever receive suspicious communications claiming to be from First Utah Bank, please don’t hesitate to visit any of our branches in person or call us directly using the number on your bank card or account statements. We’re here to help verify whether that communication is legitimate. Because we’re a community bank, we make a point to get to know you personally so that when these situations arise, we can better help you prevent fraud from taking place.
We also encourage you to report suspected scams to the Utah Cyber Center and the FBI’s Internet Crime Complaint Center (ic3.gov). Your reports help protect other community members from falling victim to the same schemes.
Social engineering attacks succeed because they exploit our natural human instincts to trust and help others. But they fail when we’re informed, cautious, and willing to take a few extra minutes to verify unexpected requests. A quick phone call or a moment of pause can save you thousands of dollars and countless hours of recovery.