skip to content
  • Calendar
  • Maps

Social Engineering

What is it?

Social Engineering is a method of manipulation used to have someone perform an action that can compromise security or obtain confidential information from someone by phone, email, or in-person.

Examples of Social Engineering


Phishing is probably the most common form of social engineering we see at the University. The emails will typically contain a statement that something is going to happen to your account if you don't act now, which usually involves clicking on a link to a page where you are requested to provide your username and password and sometimes more.

Another variant of phishing is Spear Phishing, which is targeted towards a specific individual or position likely to obtain confidential information or higher level credentials.

Business Email Compromise

Business Email Compromise (BEC), also known as man-in-the-email scam, is a type of a scam that utilizes social engineering to trick and scam employees and executives in a company. They will impersonate higher level management in order to make wire transfers, give credit card information, write a check, or even purchase a gift card. To learn more about this type of social engineering, please check out these articles: article 1 and article 2.

Sextortion Hoax Scam

Sextortion emails include the cyber criminal threating to release compromising information or material of the recipient to their contacts. They will often include personal information include user names and passwords to further scare the victim. To learn more about this type of threat, see these articles: article 1 and article 2.


Baiting is when the attacker leaves a malware-infected physical device, such as a USB, in a place where it is sure to be found. Once the device is plugged in, the malware installs.


Tailgating is when an unauthorized individual follows an authorized individual into a secure area. This is usually for the unauthorized party to steal property or information.


When one party lies to another to gain access to privileged data, such as personal or financial data to confirm the identity of the intended recipient. Pretexting attacks are commonly used to gain both sensitive and non-sensitive information. 

How do I protect myself?

Be suspicious!

If you receive a call that is requesting sensitive information, follow procedures. Don't be pressured into providing information.

Don't provide confidential information about yourself. If it is something that seems like a legitimate reason, verify who the person or organization is and call them back on a publicly available number. For example, if you receive a call that your banking card has been compromised, call the number on the back of the card.

Don't provide your password to others.

Dispose of sensitive data properly. Shred receipts and other documents containing personal information.

Be cautious about posting personal information online. Information found on Facebook or other sources can be used to make it seem like the attacker is someone you know or can be used to contact others to get more information about you.

Where can I report it?

You can contact the IT Service Desk at 801-626-7777 or or the Information Security Office at 801-626-6982 or