Let’s look at a few pretend scenarios to see how these cons work in the real world:
The urgent email
A timeless classic:Imagine you’re at your desk, trying to get through a busy morning, when an email arrives claiming to be from your CEO. It says there’s a crucial wire transfer that needs to happen immediately to close a new deal. The email’s tone is pretty pushy—your “CEO” says they’re traveling and can’t be reached by phone. They demand you send the money right now. Feeling the pressure (and perhaps wanting to impress), you make the transfer without verifying the email’s legitimacy. By the time you realize the sender wasn’t really your boss, the money’s gone.
The fake prize offer
You get a well-worded text message telling you you’ve won something believable, like a free full-year subscription to your favorite online service or a $100 gift card. To claim it, you just need to click a link and sign in. It looks real enough—maybe the text includes the company’s logo and mentions features you love. But once you click, you land on a phishing site designed to steal your credentials. If you don’t double-check the address or confirm with the real site’s support, you might give an attacker direct access to your accounts.
Pretexting
Suppose a colleague gets a call from an attacker who claims to be from HR and mentions you by name. They say they need to verify personal details for an upcoming benefits update. They just need your colleague’s login information so they can check the right files. If your teammate believes the call is real, they might share those credentials, handing full system access to the attacker.
In each of these scenarios, the attacker counts on emotional triggers like urgency, excitement, guilt, or trust to trip you up. Again, social engineering isn’t about fancy hacking—it’s about taking advantage of normal human reactions.
