Business email compromise, commonly abbreviated to BEC, is a scam conducted through email. With a BEC attack, an email will appear to come from a legitimate source within the business. However, the sender is an imposter attempting to trick other members of the organization to divulge sensitive information.

Catfishing is a particularly cruel scam, also known as a “honey pot” scam, in which a fraudster poses as a romantic love interest via an online dating site or app. The catfisher will develop and maintain an online relationship with their victim for several days to weeks. They may then claim to be in a “tough spot,” or are going through some emergency, and convince the victim to send them money.

Pretexting revolves around the word “pretext.” It means to provide someone with a half-truth or series of small lies in order to convince someone that the speaker does so from a position of authority. A great example of this would be someone posing as an HR representative and pretending to arrange documents and meetings with an employee of a company. In the process, the employee would inadvertently provide the scammer with bank information, their social security number, or other sensitive information.

Phishing is the practice of tricking a targeted individual into voluntarily giving up access to personal information. The target is typically financial data, but any personal account could be subject to an attack. Phishing is the most common of all social engineering attacks. In fact, the tactic works so well, and so often, fraudsters have applied the tactics to newer methods, like vishing, clone phishing, and spear phishing.

Social engineering scams are most effective when the victim is stressed or in a state of heightened emotion. Scareware was invented to literally “scare” victims into an action. For example, clicking a malicious link, downloading malware, or sharing fraudulent links with others. Scareware is generally targeted toward very young individuals or older generations that are less tech-savvy.

Tailgating is a physical attack performed by someone willing to physically enter a company or organization as a means to steal data or deliver malware to a centralized database. This gutsy tactic requires someone willing to either pose as an employee of that company or a worker hired to fix a computer, wifi, or some other imaginary issue.

This is an old hunting term. It essentially means “finding prey where they gather.” The idea would be to first learn about the potential victim’s habits and likes online. Once habits have been identified, the fraudster will inject a marketing email, promo code, or webpage with malicious code from often-visited sites to attract clicks.

Quid pro quo means “this for that” in Latin. This implies that someone will give you something in exchange for something else. In a social engineering context, quid pro quo attacks seek to make allies of potential victims through empty promises, which the scammer has no intention of fulfilling.

Bad actors weaponize human curiosity by leaving an infected device, like a USB drive, in a public space for an employee to find. Baiting attacks exploit a victim’s well-intentioned desire to be helpful by finding the “owner” or investigating the drive. But, this is all it takes to unleash malware.

This tactic is especially damaging for eCommerce merchants who rely on logistics providers to fulfill orders. In this scam, bad actors contact your shipping carrier or a fulfillment employee, impersonate the customer, and provide a “new” delivery address. By doing so, the fraudsters trick your delivery partners into rerouting high-value goods directly into the wrong hands.