Cybersecurity Awareness Month Week 2 2025 - Social Engineering & Human Risk


Social engineering is the use of deception and manipulation to trick people into giving up sensitive information, access, or money. Instead of hacking code, attackers hack human behavior — trust, urgency, curiosity, fear, or helpfulness.


Common tactics you might see:

  • Phishing: deceptive emails or messages that look legitimate (IT alerts, delivery notices, “professor requests”).
  • Pretexting: a made-up story (“I’m from tech support; I need your OTP to fix this”).
  • Baiting: tempting you with something free (free storage, gift cards, leaked study guide) in exchange for a click or download.
  • Vishing/Smishing: voice or text versions of phishing, often using spoofed caller IDs or urgent SMS links.


Why do people fall for it?

  • Urgency: “Act now or lose access” short-circuits careful thinking.
  • Authority & familiarity: Messages “from” a professor, boss, bank, or friend feel trustworthy.
  • Scarcity & reward: “Limited offer” or “grade release” creates excitement and pressure.
  • Social proof: “Everyone is doing this update” lowers your guard.


Red flags to watch for

  • Unexpected requests for passwords, OTPs, or personal data.
  • Slightly off email addresses, links, or domains (e.g., univ-support.co instead of univ.edu).
  • Poor spelling, off-tone language, or unusual urgency.
  • Unexpected attachments, QR codes, or links that route you around the normal login portals.


How to lower your human risk (practical steps)

  • Pause before you act. Urgency is a tactic; take 30 seconds to think.
  • Verify the source. Contact the sender using a known phone number, website, or in person — don’t reply to the suspicious message.
  • Check the link before you click. Hover to preview the URL; when in doubt, navigate manually via bookmarks.
  • Protect your accounts. Use strong, unique passwords and Multi-Factor Authentication (MFA) everywhere it’s offered.
  • Lock down your info. Share the least possible personal data on social media; it fuels convincing scams.
  • Report quickly. Forward phishing to your IT/security team or the campus help desk; early reports protect others.
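The red flags above (a look-alike domain such as univ-support.co standing in for univ.edu, a link whose visible text shows one address while it really points elsewhere, a bare IP address as the host) can be checked mechanically as well as by hovering. The script below is an added example, not part of the original article or any campus tool: it pulls every link out of an HTML email body and reports which of those red flags each one trips. The trusted-domain list and the sample message are constructed for illustration.

```python
"""Flag the link red flags this article lists in an HTML email body.
Added example; TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: an institution would load its real list of domains here.
TRUSTED_DOMAINS = {"univ.edu"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Hostname of a URL, lower-cased; '' if none can be parsed."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_url(text):
    return bool(text) and " " not in text and "." in text


def link_red_flags(display_text, href):
    """Return a list of red-flag descriptions for one link (empty = clean)."""
    target = host_of(href)
    if not target:
        return ["link target has no hostname"]
    if is_trusted(target):
        return []
    flags = []
    # Raw IP address instead of a name is rarely a legitimate campus portal.
    try:
        ipaddress.ip_address(target)
        flags.append(f"target is a bare IP address: {target}")
    except ValueError:
        pass
    # Look-alike: reuses the trusted name label (e.g. 'univ') under another
    # registration, like univ-support.co for univ.edu. Heuristic, not proof.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in target:
            flags.append(f"look-alike domain: {target} is not {trusted}")
    # Visible text shows one address while the href points somewhere else.
    if looks_like_url(display_text):
        shown = host_of(display_text)
        if shown and shown != target:
            flags.append(f"displayed URL {shown} differs from real target {target}")
    return flags


def scan_email_html(html):
    """Return [(display_text, href, flags)] for each link with at least one flag."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(t, h, link_red_flags(t, h)) for t, h in parser.links
            if link_red_flags(t, h)]


# Constructed sample message mimicking a "mailbox full" lure.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Act within 24 hours:
<a href="https://univ-support.co/login">https://univ.edu/mail</a></p>
<p>Grades are posted on <a href="https://portal.univ.edu/grades">the portal</a>.</p>
<p><a href="http://203.0.113.5/verify">Verify now</a></p>
"""

if __name__ == "__main__":
    for text, href, flags in scan_email_html(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for flag in flags:
            print("   !", flag)
```

Run on the constructed message, the first and third links are reported and the real portal link is left alone. The look-alike test is deliberately loose (any domain containing the trusted name label), so it is a prompt to verify by a known channel, not a verdict; a help desk would tune it against real mail before trusting it.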


If you think you got hooked

  • Change your password(s) immediately — start with email, then anything reused.
  • Revoke malicious sessions and check account activity/security logs.
  • Notify IT/security so they can help contain any damage.
  • Learn and share what happened — your experience can prevent someone else’s.


The bottom line

Cybersecurity is a team sport. Tools help, but people make the difference. Stay calm, verify first, and report suspicious activity — you’ll protect yourself and our whole community.


For more information, please access the resources:


Details

Article ID: 11629
Created
Wed 10/15/25 3:27 PM
Modified
Fri 10/17/25 11:49 AM