Some cyberattacks target technology. Social engineering targets people, and that is what makes it so effective. These attacks work because they take advantage of trust, helpfulness, and the routines we follow without thinking.
The most successful social engineering attempts feel completely normal. A coworker asking for a quick favor. An IT administrator requesting access. A vendor confirming a payment. The request fits the pattern of an ordinary workday, which is exactly why it works.
What Social Engineering Is
Social engineering is when an attacker pretends to be someone you trust, like a colleague, supervisor, IT staff member, or vendor, in order to get you to share information, click a link, transfer money, or grant access to a system. They are not trying to break into the network. They are trying to get you to open the door for them.
Common Tactics
Impersonation is the most common approach. An attacker poses as your supervisor, a coworker, or someone from IT and asks you to share credentials, approve a purchase, or send sensitive files. The request looks routine, but it is not coming from who it seems.
Pretexting takes it further by building a believable story. The attacker might claim to be from a vendor running a security audit, a new employee who needs help getting set up, or a university administrator handling something urgent. The story is designed to lower your guard so you act before questioning it.
Urgency and authority are often layered on top. A common example is a message like, "The Vice Chancellor needs this done in the next ten minutes." The pressure is the point. Real emergencies still allow time for a quick verification.
Protective Steps
A few habits go a long way:
- Verify unusual requests through a second channel by calling the person, walking to their office, or sending a fresh email to a known address.
- Question urgency, since attackers want you to act before you think.
- Protect your credentials and never share your password with anyone, including someone claiming to be from IT.
- Be cautious with links and attachments, even from known contacts, since their accounts can be compromised too.
- Trust your instincts and report anything that does not feel right. Checking is always better than assuming.
If You Were Targeted
Stop the conversation if you suspect social engineering. Change your password if you shared any credentials. Let your supervisor know what happened. Then report the incident to the Help Desk right away.
Reporting
If something feels off, report it to your campus IT help desk as soon as possible. The sooner it’s reported, the easier it is to contain. You can find contact information for your campus help desk here: Universities of Wisconsin (UW System) – IT Help Desks Contact Information.
Bottom Line
Social engineering works because the request looks normal. The fix is just as simple. If something feels off, even a little, slow down and verify through a channel you already trust. A short phone call has stopped more attacks than any piece of software.