The Human Vulnerability

Social engineering impacts everyone from giant mega-corporations to lonely grandmothers. These types of attacks are effective because humans can be compelled or motivated to act in certain ways, positive or negative.

Photo by Jake Nackos / Unsplash

Over the last several years, data breaches and identity theft have become commonplace. Criminal groups rely on social engineering to exploit human vulnerabilities in systems. Social engineering is "any act that influences a person to take an action that may or may not be in their best interest." Criminals use social engineering to manipulate and gain the trust of an individual, influencing the victim to divulge sensitive information or perform actions that compromise the security of sensitive information or systems. According to the FBI’s IC3 2025 Internet Crime Report, phishing/spoofing was the number one reported crime with 191,561 complaints and resulted in $215,843,126.00 in losses.

Social engineering impacts everyone from giant mega-corporations to lonely grandmothers. These types of attacks are effective because humans are not robots. Humans have psychological, cognitive, and behavioral complexities, and can be compelled or motivated to act in certain ways, positive or negative. Social engineering can rely on emotions like love and fear, but it can also rely on created senses of urgency or inconvenience. It can exploit systemic routines, cognitive overload, and mental shortcuts of an employee.

Some common social engineering techniques include phishing, vishing, and piggybacking. Phishing attacks use email, SMS messages (sometimes called smishing), fake websites, and more to steal sensitive information like login credentials; for example, a victim follows a deceptive link mimicking their banking institution, entering credentials that are harvested by a threat actor. Vishing, also known as voice phishing, often occurs when a criminal uses phone calls or voice messages to gain access to sensitive information. Piggybacking is when a criminal attempts to gain physical access to a building by following an authorized user into a controlled area.  

As different as these methods may seem, they all rely on one common denominator: humans. Whether tricking someone into clicking a malicious link or playing on someone’s fear of seeming rude for not holding a door, it all hinges on the human element through habits, trust, biases, and emotions. With the rise of social engineering, security teams work diligently to design secure systems and prevent these intrusions, exploits, and takeovers by training employees on what to look for and how to handle different situations. Security teams encourage employees to err on the side of caution. A small breach may lead to the theft of one individual’s identity and accounts or the leak of millions of users’ sensitive personally identifiable information (PII), such as social security numbers and financial information.

In an article for IBM Think, IBM’s Stephanie Carruthers stated that her team runs social engineering campaigns by vishing a client’s help center to reset an employee’s password. Her team has been successful every single time. Although these are mock attacks, they show where the flaws and vulnerabilities are so clients can address them. Carruthers also mentioned that in most major data breaches, a vishing call is how the breach started and how the hackers gained access to internal systems.

Companies aren’t the only ones falling victim to social engineering scams. In October 2025, Phyllis Weisberg, age 90, shared with the National Council on Aging how tech support scammers convinced her she needed immediate help with her mobile device. The scammers used the information they gained to access her bank account and steal $20,000. A personal finance journalist for The Cut fell victim to a vishing scam and handed over $50,000 in cash in a shoebox to scammers who said her home was being watched. The scammers knew some of her personal information and preyed on fear for her family’s safety. Even someone who is an expert can fall victim to social engineering.

Pop Quiz:

A man receives a promotion and moves abroad for work. He wants to make changes to his bank account including his new phone number and address. He calls his bank’s customer service. After answering the security questions, he is told the bank’s security practices require an in-person trip to the bank to finalize the changes. The man balks and claims he can’t come in person. He asks why he can’t make the changes over the phone. The security protocol is reiterated. The man pleads with the customer service representative by saying he answered all the security questions, so he’s proven he is who he says he is. When his pleading fails, the man tries ‘hey, what if I told you I’m someone important?’

As the bank's customer service representative, do you:

a) Give in and let the man change his information over the phone?

b) Reiterate the security protocols again and apologize for any inconvenience?

c) End the call?

‘C’ is the correct answer. Answer ‘a’ puts the bank at risk of a client’s account being taken over by a criminal, while answer ‘b’ prolongs the call and gives the caller more time to play on the representative’s emotions.

According to multiple news outlets, this scenario took place last year with a South Chicago bank when Pope Leo XIV called to change his address and phone number on his bank account. He gave the customer service representative his birth name of Robert Prevost and answered the bank’s security questions. He was told he must go in person to finalize the changes to his account. The Pope pleaded with the representative to make the changes over the phone, even reiterating that he had answered the bank’s security questions. The representative stood firm on the bank’s security policy. Then, thinking it might help, the Pope asked “Would it matter to you if I told you I’m Pope Leo?”

The customer service representative hung up. (I’m sure she was thinking, ‘yeah right, Bob. The Pope’s name is Leo.’)

Many online commenters expressed embarrassment for the bank and the customer service representative for enforcing their account security protocols. Other commentators complained about customer service representatives wasting people’s time and generally being unhelpful.

As frustrated as the Pope may have been, the bank’s customer service representative did the right thing. When the Pope allegedly tried pressing the representative to give in, the representative didn’t budge and followed the bank’s security protocols. The next time someone calls the Pope’s bank and says they are the Pope, it might not be him.

Tips to avoid falling victim to social engineering

  • Enable multi-factor authentication (MFA); use SMS-based MFA only as a last resort
  • Do NOT click links or open attachments from unknown senders, whether in emails or texts; disable link previews and automatic downloads in email and messaging clients
  • Do NOT share or provide sensitive personal information in response to emails or robocalls
    • Sensitive personal information includes usernames, passwords, social security numbers, account numbers, addresses, and other PII
    • Legitimate businesses should not ask for sensitive information over the phone, especially when they call you
  • Enable a PIN lock or similar protection for your mobile SIM account
  • Verify phone numbers and email addresses with the actual bank, company, or vendor website; beware of sponsored Google search results, which may not direct to the correct website
  • If an email, text, or phone call from a company uses pressure tactics like urgent language and pushes for immediate action, pause, do not act on the urgency, and verify through other means
  • If an offer sounds too good to be true, it is
  • Look for misspellings and/or slightly altered spellings of domain names
  • Be wary of unsolicited and unexpected phone calls or emails. If an unsolicited contact claims to be affiliated with a legitimate organization, request their contact information and attempt to verify their identity directly with that organization.
  • Establish code words with family or friends and have a plan for how to use them
  • For businesses, conduct staff training on what to look for and how to report it
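As an added illustration of the "verify the domain" and "look for altered spellings" tips (this is example code, not from the original post), the following Python check classifies a link's registered domain against a constructed allowlist of a bank's legitimate domains. It flags a brand name used outside the registered domain (a common phishing layout) and spellings within two edits of a trusted domain after undoing common character swaps; all domain names are hypothetical.

```python
from urllib.parse import urlparse

# Constructed allowlist of a bank's legitimate registered domains (hypothetical names).
TRUSTED_DOMAINS = {"examplebank.com", "examplebank.net"}

# Substitutions commonly seen in lookalike spellings, undone before comparison.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of a hostname. Naive: ignores multi-part suffixes such as co.uk."""
    parts = host.strip(".").split(".")
    return ".".join(parts[-2:])


def normalize(name):
    """Collapse common look-alike characters so 'exarnp1ebank' compares equal to 'examplebank'."""
    for old, new in SUBSTITUTIONS:
        name = name.replace(old, new)
    return name


def assess_link(url):
    """Classify a URL as 'trusted', 'lookalike' or 'unknown' relative to TRUSTED_DOMAINS."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("unknown", "no hostname in URL")
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return ("trusted", reg)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand name appears in the host but the registered domain is not the bank's,
        # e.g. examplebank.com.secure-login.example or examplebank-verify.com
        if brand in host:
            return ("lookalike", f"'{brand}' used outside registered domain {reg}")
        # Small edit distance after undoing character swaps: exarnplebank.com, exampelbank.com
        if levenshtein(normalize(reg), normalize(trusted)) <= 2:
            return ("lookalike", f"{reg} is within 2 edits of {trusted}")
    return ("unknown", f"{reg} is not a known domain for this bank")
```

A "lookalike" verdict is a reason to stop and verify through the bank's real website or a number you already have, not proof of fraud on its own.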

If you would like to know more about our services and training and how we can help prepare you and your team to be resilient against social engineering and other cybersecurity threats, contact us.


Sources and Resources

Annual Reports - Internet Crime Complaint Center (IC3). (2025). Internet Crime Complaint Center (IC3) | FBI. https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf

Internet Crime Complaint Center (IC3). (2024). Internet Crime Complaint Center (IC3) | FBI. https://www.ic3.gov/

Phyllis Weisberg: A Tech Support Scam Victim’s Story. (2022, January 25). National Council on Aging. https://www.ncoa.org/article/phyllis-weisberg-a-tech-support-scam-victims-story/

Cowles, C. (2024, February 15). How I Got Scammed Out of $50,000. The Cut. https://www.thecut.com/article/amazon-scam-call-ftc-arrest-warrants.html

A Human to Know: Rachel Tobac. (2026, February 17). New America. https://www.newamerica.org/insights/human-to-know-rachel-tobac/

Google Exposes Vishing Group UNC6040 Targeting Salesforce with Fake Data Loader App. (2025, June 4). The Hacker News. https://thehackernews.com/2025/06/google-exposes-vishing-group-unc6040.html

What Is Social Engineering? Examples + Prevention | CrowdStrike. (2024). Crowdstrike.com. https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/

What is Phishing? Learn How You Can Keep Your Private Data Safe. (2021, December 9). https://www.ncoa.org/article/how-to-prevent-phishing-scams-a-guide-for-seniors/

Abbinante, F., & Valentini, F. (2025, October 27). Social engineering in banking: Detecting Account and Device Takeovers before money moves. Cleafy.com; Cleafy. https://www.cleafy.com/insights/social-engineering-in-online-banking-detecting-dto-ato

Helpdesk Social Engineering Attacks Explained. (2025). Getnametag.com. https://getnametag.com/newsroom/helpdesk-social-engineering-how-to-prevent-it

Murphy, A. (2026, May 6). Inside Pope Leo’s Customer Service Snafu With His Chicago Bank. NCR; National Catholic Register. https://www.ncregister.com/news/pope-leo-calls-his-bank

Bosman, J. (2026, May 5). What Happened When Pope Leo XIV Had to Call Customer Service. Nytimes.com; The New York Times. https://www.nytimes.com/2026/05/05/us/pope-leo-xiv-bank-customer-service.html

Heather, K. (2026, May 6). Pope Leo called his bank to change his address and phone number; they hung up on him. Chicago Sun-Times. https://chicago.suntimes.com/pope-leo-xiv/2026/05/06/pope-leo-bank-phone-call-address-change

O’Neill, N. (2026, May 7). Pope Leo’s bank hung up on him, thinking it was a prank call. New York Post. https://nypost.com/2026/05/07/us-news/pope-leos-bank-hung-up-on-him-thinking-it-was-a-prank-call/

Multifactor Authentication - Privacy Guides. (2025). @Privacy_guides. https://www.privacyguides.org/en/basics/multi-factor-authentication/