Social engineering scams are one of the most common ways criminals steal money and personal information, and they almost always rely on manipulating people – not hacking systems. Recognizing the red flags early can help protect both your accounts and your identity.
What is social engineering?
Social engineering is any tactic where a criminal pretends to be someone you trust to trick you into sharing information, sending money or giving access to your devices or accounts. These scams often use email, text, phone calls or social media and may involve impersonating a bank, employer, government agency or even a family member.
Recent reports show that social engineering plays a major role in cybercrime losses, with the FBI’s Internet Crime Complaint Center estimating more than $13.6 billion stolen in 2024 through cyber-enabled fraud such as phishing, spoofing, tech support scams and business email compromise.[1] Studies also find that a large share of data breaches involve a human element (like phishing or pretexting), underscoring how frequently attackers target people instead of systems.
Red flag #1: Unusual or unexpected contact
One of the biggest red flags is any unexpected message, call or pop-up from someone you don't know and weren't expecting. Common examples include surprise "fraud alerts," unsolicited tech support messages or notifications claiming you have won a prize or are eligible for a loan you never applied for. If you didn't initiate the conversation, treat it as suspicious until you verify it using a trusted phone number or website. Atlantic Union Bank customers are always welcome to call using the number on the back of their debit card (800.990.4828) or by directly visiting AtlanticUnionBank.com.
Red flag #2: Pressure, fear or secrecy
Social engineers rely heavily on emotion, especially urgency and fear, to get you to act before you have time to think. You might be told that your account will be closed, your money will be seized or you could be arrested if you don’t respond immediately or follow specific instructions.
Another common sign is being told to keep the situation secret or not to talk to anyone else – especially your family, bank or law enforcement – because “it will interfere with the investigation,” or this is “highly confidential.” Requests to withdraw or wire large sums of money with vague or changing expectations are also well-known red flags in financial scams.
Red flag #3: Requests for sensitive information
Legitimate institutions will never ask you to share certain details through email, text or unsolicited calls, such as your full password, PIN or one-time access code. Social engineers, however, often insist that they need this information to “verify your identity,” reverse a transaction or fix an account issue. Providing this information can allow them to reset your credentials, take over your accounts or open new accounts in your name.
Red flag #4: Strange payment requests
Any time someone asks you to move money in a way that is unusual for you – or unusual for a bank – it should raise immediate concern. Common scam payment instructions include:
- Sending a wire or Zelle® to a “safe” or “escrow” account the caller controls.
- Paying in gift cards, cryptocurrency or deposits into a Bitcoin ATM to “resolve” an urgent problem.
- Hand-delivering cash to a stranger at a parking lot, gas station or other odd location.
Many cyber-enabled fraud schemes tracked by the FBI rely on convincing victims to authorize transfers or payments themselves, which can make recovery more difficult because there may be no technical “hack” to reverse. If a request does not match how your bank typically handles transactions, stop and confirm.
Red flag #5: Look-alike emails, links and phone numbers
Attackers often use email addresses, websites and caller IDs that closely resemble legitimate ones, hoping that subtle differences will go unnoticed. This can include misspelled domains, extra characters or email addresses that don’t match the organization’s official website.
Links in phishing emails or texts may redirect to fake login pages designed to steal your username and password, and some reports estimate that phishing and spoofing make up nearly one quarter of cybercrime complaints received by the FBI.[1] Smishing (SMS phishing) has become especially effective, with some studies showing SMS phishing click-through rates several times higher than those for email. Always inspect links carefully, and when in doubt, navigate to your bank’s website or app directly instead of clicking a link in a message or by performing a web search.
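For readers who screen messages with a script or mail filter, the look-alike check described above can be automated. The following is an added example, not part of the original article and not the bank's own tooling: the function names, the substitution table, the distance threshold and the sample senders are all assumptions constructed for illustration.

```python
OFFICIAL = "atlanticunionbank.com"  # official site named in the article

# Constructed, non-exhaustive map of ASCII look-alike substitutions.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

def skeleton(label):
    """Drop hyphens and collapse visually confusable characters."""
    label = label.lower().replace("-", "")
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(address_or_host, official=OFFICIAL):
    """Return 'official', 'lookalike' or 'unrelated' for an email address or hostname."""
    host = address_or_host.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    # Exact match or a true subdomain; the leading dot stops
    # "notatlanticunionbank.com" from passing as official.
    if host == official or host.endswith("." + official):
        return "official"
    brand = skeleton(official.split(".")[0])
    for label in host.split("."):
        sk = skeleton(label)
        # Threshold 2 suits a long brand name; shorter names need a tighter one.
        if brand in sk or edit_distance(sk, brand) <= 2:
            return "lookalike"
    return "unrelated"

# Constructed sample senders; the fakes use the reserved .example TLD.
SAMPLES = [
    "alerts@atlanticunionbank.com",
    "security@atlanticuni0nbank.example",
    "atlanticunionbank.com.verify.example",
    "newsletter@example.org",
]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(f"{classify(sender):10} {sender}")
```

An "unrelated" result only means the name does not imitate the official domain; it says nothing about whether the sender is trustworthy.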
How to protect yourself and your accounts
A few practical habits can make you far less vulnerable to social engineering, even as scammers’ tactics evolve. Consider these steps.
- Verify before you trust. If you receive an unexpected request involving money, logins or personal information, independently contact the organization using a phone number or website you know is real.
- Slow down and think. Take a moment to pause whenever you feel pressured to act immediately, keep secrets or break your normal banking routines.
- Guard your credentials. Never share your full password, PIN or one-time access code with anyone, including someone who says they are from your bank or law enforcement.
- Enable layers of security. Turn on multi-factor authentication where available and keep your contact information up to date so you receive legitimate alerts quickly.
If you think you may have responded to a social engineering attempt involving your bank accounts, contact your bank immediately using a trusted number, then consider reporting the incident to the FBI’s Internet Crime Complaint Center and relevant local authorities. Prompt reporting can improve the chances of stopping or limiting financial losses and may help protect others from similar scams.
To learn more about how you can safeguard your accounts, please visit our Security & Fraud Center.
[1] FBI Internet Crime Report 2024, https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
Zelle® and the Zelle® related marks are wholly owned by Early Warning Services, LLC and are used herein under license.