Information Security

Social Engineering

Being aware of what Social Engineering is can prevent your computer and accounts from being compromised.

Social engineering attacks manipulate human psychology to gain unauthorized access to sensitive information or systems. Attackers often tailor these attacks based on what’s important and relevant to you, gathering information from public sources like social media to impersonate someone you trust, such as a boss, colleague, or family member. These attacks target employees in order to gain access to an organization’s systems, or individuals in order to steal personal information.

Social engineering tactics are becoming more sophisticated, often combining multiple attack methods, including:

  • Phishing (Email-Based Attacks)
  • Smishing (SMS-Based Attacks)
  • Vishing (Voice-Based Attacks)
  • Quishing (QR Code-Based Phishing)
  • Pretexting (Fabricated Scenarios to Manipulate a Target)
  • Baiting (Luring Victims with Free Items or Services)

Phishing: Stop. Think. Click.

Phishing is a type of social engineering attack where cybercriminals attempt to steal your credentials or sensitive data by sending fraudulent emails. These emails often impersonate trusted institutions and may request:

  • Usernames and passwords
  • Social Security numbers
  • Bank account details
  • PINs (Personal Identification Numbers)
  • Full credit card numbers
  • Security questions, like your mother’s maiden name
  • Your birthdate

SCU will NEVER ask for your password in an email.

Be cautious when receiving any email that asks for personal information. Follow these steps:

  1. Stop – You don’t need to respond immediately, download attachments, or click on links if something feels suspicious.
  2. Think – Examine the sender’s email address, look for misspellings, and assess whether the request seems urgent or unusual.
  3. Click – Only proceed if you’ve verified the sender through a trusted method, such as the SCU Phonebook.
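The checks in the "Think" step can also be run automatically over a message's headers. The Python sketch below is an added example, not SCU's own tooling: the flag names, the urgency word list, and the sample messages are constructed for illustration, and scu.edu is used as the organization's domain because it appears in the addresses on this page.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "scu.edu"  # organization domain, as in iso@scu.edu on this page
URGENCY = ("urgent", "immediately", "locked", "expires")  # assumed word list

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (misspelled) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_flags(raw_message: str) -> list[str]:
    """Return the reasons a message deserves a closer look before clicking."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    on_org = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    if not on_org:
        # A domain one or two characters away from the real one is a misspelling.
        if 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
            flags.append("lookalike-domain")
        # The display name is free text; only the address shows the real sender.
        if "scu" in display.lower():
            flags.append("display-name-claims-org")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-differs")
    if any(word in msg.get("Subject", "").lower() for word in URGENCY):
        flags.append("urgent-wording")
    return flags

# Constructed sample messages (not real mail); .edv and .example do not resolve.
SPOOFED = ("From: SCU Help Desk <helpdesk@scu.edv>\n"
           "Reply-To: collect@mail.example\n"
           "Subject: URGENT: your password expires today\n\nSign in now.\n")
GENUINE = ("From: Information Security Office <iso@scu.edu>\n"
           "Subject: Security awareness newsletter\n\nHello.\n")
IMPERSONATION = ("From: SCU Dean Office <dean.office@mail.example>\n"
                 "Subject: Quick favor\n\nAre you available?\n")

if __name__ == "__main__":
    for sample in (SPOOFED, GENUINE, IMPERSONATION):
        print(sender_flags(sample))
```

An empty list means none of these checks fired; it does not prove the message is legitimate, so the "Click" step's verification through a trusted method still applies.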

If you are still not sure about an email, or think you have responded to a phishing message, please call the Technology Help Desk at x5700 (408-554-5700) or visit the Technology Help Desk on the first floor of the Learning Commons.

For more information about social engineering attacks, please visit CISA’s social engineering awareness page.

Find some phishing examples here.

Smishing (SMS Phishing)

Smishing involves fraudulent text messages attempting to trick you into revealing sensitive information, similar to email phishing. These messages often use emotional triggers, such as:

  • “URGENT: Your bank account has been locked. Click here to restore access.”
  • “Your package delivery has been delayed. Update your information here.”
  • “You’ve won a free prize! Click this link to claim it now.”

SCU Smishing Attacks

Recently, there have been multiple reports of SCU employees being impersonated via smishing. Attackers frequently impersonate university administrators, HR staff, IT help desk personnel, and supervisors. These fraudulent messages may look like:

"Hi [Your Name], this is [Employee being impersonated]. Let me know if you get this message."

If you receive a text message from an unknown number or an email from a non-SCU email address claiming to be from an SCU employee, do not respond. Instead, confirm their identity using a trusted method, such as calling their office or using their SCU email. Please report the issue to the Information Security Office at iso@scu.edu.

Gift Card Scams

One common smishing tactic is the gift card scam, where an attacker impersonates a supervisor or executive, requesting that the victim purchase gift cards on their behalf. Learn more from the Federal Trade Commission’s Guide on Avoiding Gift Card Scams.

Vishing (Voice Phishing)

Vishing involves attackers calling victims while impersonating trusted organizations, such as:

  • IT support teams
  • Government agencies (IRS, Social Security, etc.)
  • Banks or credit card companies

These scammers often create a sense of urgency, claiming your account has been compromised, you owe money, or you must take immediate action.

How to Protect Yourself

  • Verify the Caller – Call the organization directly using an official number.
  • Be Skeptical of Urgency – Scammers pressure victims to act quickly.
  • Never Share Sensitive Information – Legitimate organizations will never ask for passwords or banking details over the phone.

Quishing (QR Code Phishing)

Attackers use QR codes to lead victims to malicious websites where credentials or sensitive data are stolen. These fraudulent codes may appear on:

  • Fake advertisements
  • Emails instructing users to scan for "account security verification"
  • Flyers posted in public places

How to Stay Safe

  • Inspect the URL after scanning a QR code.
  • Be cautious of QR codes in unexpected locations (random flyers, emails from unknown senders).
  • Manually enter website addresses when possible instead of scanning.
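What "inspect the URL" can mean in practice is shown in the added example below (not part of the original page): a Python function that takes the text decoded from a QR code and lists the properties worth noticing before opening it. The finding names and sample URLs are constructed, and scu.edu as the expected destination is an assumption for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "scu.edu"  # assumption: the site the QR code claims to lead to

def inspect_qr_url(decoded: str, expected: str = EXPECTED_DOMAIN) -> list[str]:
    """Return findings for a URL decoded from a QR code; empty means none."""
    parts = urlsplit(decoded.strip())
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # Text before '@' is login info, not the site; the real host follows it.
        findings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")  # a bare address instead of a name
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        # Encoded non-ASCII label: the name may render as look-alike characters.
        findings.append("punycode-label")
    if host != expected and not host.endswith("." + expected):
        # The registered domain is read from the right-hand end of the host.
        findings.append("unexpected-host")
    return findings

# Constructed sample payloads; 192.0.2.10 and .example are reserved for documentation.
SAMPLES = [
    "https://www.scu.edu/",
    "http://scu.edu@192.0.2.10/verify",
    "https://scu.edu.login.example/verify",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, inspect_qr_url(url))
```

The second and third samples both display "scu.edu" prominently yet lead elsewhere, which is why the host has to be read from its right-hand end rather than skimmed.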

Pretexting & Baiting

  • Pretexting: Attackers create a fabricated scenario to manipulate a target into providing information (e.g., posing as IT support and requesting login credentials).
  • Baiting: Victims are lured with an enticing offer, such as free downloads, USB drives labeled as "confidential," or fake job postings that lead to malware infections.

How to Report a Social Engineering Attempt

If you believe you have encountered a social engineering attack, report it immediately by using the PhishAlarm button in Gmail. If you're unable to use PhishAlarm, you can forward the message to the Information Security Office at iso@scu.edu. You can also report it by calling the Technology Help Desk at x5700 (408-554-5700) or by visiting the Help Desk on the first floor of the Learning Commons.