Spotting Attacks

Social Engineering (Phone, Text & In Person)

Foundational

Social engineering is phishing without the email: someone manipulates you directly — by phone, text, chat, or in person — into giving access, information, or money. They exploit our instinct to be helpful, to trust authority, and to avoid awkwardness. The defence is the same everywhere: verify who you're really dealing with before you act.

Attackers are skilled actors. They'll phone pretending to be IT ("I need your password to fix your account"), text pretending to be your CEO ("I'm in a meeting, buy some gift cards / approve this payment urgently"), or show up pretending to be a contractor or delivery driver to get through a door. They create urgency and authority so you don't stop to check.

The single rule that defeats almost all of it: verify independently. Don't trust the number that called you or the name in the message — contact the person back through a channel you already know is real. Genuine requests survive that check; scams don't.

Verify before you act

DoIndependently verify anyone asking for access, information, money, or action — call them back on a known number or message them through your normal channel.
DoBe especially careful with anything urgent, secret, or unusual involving money, gift cards, payment details, passwords, or personal data — these are classic scam shapes.
DoIt's fine to say "I need to verify this first" and end the call or pause the request — a legitimate person will understand.
AlwaysConfirm the identity of anyone requesting sensitive access or action through a separate trusted channel, not through the contact details they gave you.

Don't be rushed or flattered into it

DoTreat pressure, secrecy ("don't tell anyone"), and appeals to authority ("this is the CEO") as warning signs, not reasons to comply.
Do notLet politeness or fear of looking unhelpful stop you from verifying — attackers count on exactly that.
NeverGive your password, an MFA code, or sensitive customer/company data to someone over the phone, by text, or in person because they asked.
NeverBuy gift cards, move money, or change payment details because of an urgent message or call, without verifying it independently first.

Ask yourself

AskDo I actually know this is who they say they are — verified through a channel I trust, not the one they used?
AskWhy the urgency and secrecy? Would a real colleague really ask for this, this way?
AskAm I about to do something I'd never normally do because I feel pressured?

Why it matters: Some of the costliest frauds — money wired to criminals, accounts handed over — start with a convincing phone call or text, not a hacked computer. Attackers target the human, not the system. A simple, unembarrassed habit of verifying through a known channel before acting stops these cold, no matter how urgent or authoritative the request seems.