Cybersecurity Awareness Month Week 2 2025 - Social Engineering & Human Risk

Social engineering is the use of deception and manipulation to trick people into giving up sensitive information, access, or money. Instead of hacking code, attackers hack human behavior — trust, urgency, curiosity, fear, or helpfulness.
Common tactics you might see:

  • Phishing: deceptive emails or messages that look legitimate (IT alerts, delivery notices, “professor requests”).
  • Pretexting: a made-up story (“I’m from tech support; I need your OTP to fix this”).
  • Baiting: tempting you with something free (free storage, gift cards, leaked study guide) in exchange for a click or download.
  • Vishing/Smishing: voice or text versions of phishing, often using spoofed caller IDs or urgent SMS links.
Why do people fall for it?

  • Urgency: “Act now or lose access” short-circuits careful thinking.
  • Authority & familiarity: Messages “from” a professor, boss, bank, or friend feel trustworthy.
  • Scarcity & reward: “Limited offer” or “grade release” creates excitement and pressure.
  • Social proof: “Everyone is doing this update” lowers your guard.
Red flags to watch for

  • Unexpected requests for passwords, OTPs, or personal data.
  • Slightly off email addresses, links, or domains (e.g., univ-support.co instead of univ.edu).
  • Poor spelling, off-tone language, or unusual urgency.
  • Attachments you didn’t expect, QR codes, or links that steer you around the normal login portal.

How to lower your human risk (practical steps)

  • Pause before you act. Urgency is a tactic; take 30 seconds to think.
  • Verify the source. Contact the sender through a channel you already know is real (a known phone number, the official website, or in person) — don’t reply to the suspicious message.
  • Check the link before you click. Hover to preview the URL; when in doubt, navigate manually via bookmarks.
  • Protect your accounts. Use strong, unique passwords and Multi-Factor Authentication (MFA) everywhere it’s offered.
  • Lock down your info. Share the least possible personal data on social media; it fuels convincing scams.
  • Report quickly. Forward phishing to your IT/security team or the campus help desk; early reports protect others.
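To make the “slightly off domain” red flag and the “check the link before you click” step concrete, here is an added Python example (not part of the original article) that pulls the links out of a message and compares each hostname against a short list of trusted domains. The trusted domains and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domains the organisation actually uses (constructed for this example).
TRUSTED_DOMAINS = {"univ.edu"}

# Constructed sample message mixing a lookalike link, a real one and an unknown one.
SAMPLE_MESSAGE = """Your mailbox is almost full. Log in at http://univ-support.co/login within 24 hours
or see https://portal.univ.edu/help for details. Bonus: http://free-storage.example.net/claim"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname ('portal.univ.edu' -> 'univ.edu').

    Good enough for .edu/.com style names; suffixes like .co.uk would need a public-suffix list.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str) -> str:
    """Classify a URL as 'trusted', 'lookalike' or 'unknown'."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    # 'http://univ.edu@evil.example/' puts the trusted name in the userinfo part, not the host.
    if parsed.username:
        return "lookalike"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Lookalike heuristic: the trusted brand word appears in the host, but the domain is not ours
    # (catches univ-support.co, univ.edu.attacker.example, login-univ.example, ...).
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if any(brand in host for brand in brands):
        return "lookalike"
    return "unknown"


def scan_message(text: str) -> list:
    """Return (url, verdict) pairs for every link found in the message body."""
    return [(url, check_link(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} {url}")
```

A verdict of “lookalike” or “unknown” is the cue to stop and navigate to the site manually via a bookmark rather than clicking.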
If you think you got hooked

  • Change your password(s) immediately — start with email, then anything reused.
  • Sign out of any sessions you don’t recognize and review your account activity and security logs.
  • Notify IT/security so they can help contain any damage.
  • Learn and share what happened — your experience can prevent someone else’s.
The bottom line

Cybersecurity is a team sport. Tools help, but people make the difference. Stay calm, verify first, and report suspicious activity — you’ll protect yourself and our whole community.
For more information, please access the resources: