
Social Engineering

Important! The Office of Information Technology does not request account information (such as your password) by e-mail. If you receive such a message, it is what is known as a phishing attack. This is a criminal attempt to acquire sensitive information from would-be victims.

Social engineering is a technique used to trick an individual into giving up sensitive information that can be used in criminal activity. Most often the targeted information is credit card and banking information, followed by Social Security numbers and passwords. The social engineer may use e-mails, voice messages, or even in-person visits, masquerading as a legitimate, trusted source.

The language used by the Social Engineer is often persuasively urgent, such as: "please enter your password before your account expires" or "we recently experienced technical problems with our computer system we need your assistance to validate your information, please enter your information on our website."

Phishing Attacks
Spear Phishing Attacks
Vishing Attacks

"Phishing" is a term used to describe fraudulent e-mail messages that masquerade as a bank, credit card company, or retailer asking you to provide personal data through a web page.

Never provide passwords, banking information, or personally identifiable information based on instructions sent to you via e-mail or an unsolicited voice mail message. More information is available at

Read more about how the Office of Information Technology is using Phishing Education and Self-Phishing to help educate the AU community.

Spear phishing is a targeted attack. Like phishing, the message claims to come from a trusted source; in spear phishing, however, it appears to come from someone with authority in your organization. Sophisticated groups seeking financial gain or industry-specific secrets generally perpetrate spear phishing.

"Vishing" is social engineering using the telephone. A voice message is left asking you to provide credit card or other personally identifiable information, or a person calls and claims to be from "Microsoft" or something similar, calling about the security of your computer. This technique takes advantage of people's familiarity with and trust in our telephone systems.

VoIP (Voice over IP) telephones use the Internet to transmit calls and are more easily exploited by hackers. As with other forms of social engineering, stay cautious. If in doubt, call or visit the institution requesting personally identifiable information or access to your computer.