Social Engineering
Social engineering refers to non-technical methods used to trick individuals into revealing sensitive information or providing access to systems and resources. Rather than exploiting software vulnerabilities, social engineering relies on manipulating human behavior—often by creating a sense of urgency, trust, or authority.
These tactics may occur through email, phone calls, text messages, or even in-person interactions. Attackers often impersonate trusted individuals or organizations, including OIT staff, colleagues, or service providers, in order to bypass normal security procedures.
Common social engineering techniques include:
• Impersonation (pretending to be OIT, the Help Desk, or another trusted entity)
• Phishing or vishing (email or phone-based scams requesting information)
• Shoulder surfing (observing someone entering passwords or PINs)
• Using publicly available or discarded information to guess credentials or answer security questions
Social engineers rely on the fact that people may not realize the sensitivity of the information they possess, or may feel pressured to act quickly without verification.
Examples of Social Engineering
• An individual contacts you by phone or email claiming to be from OIT and asks you to verify your account information or provide your password due to an alleged system issue.
• Someone contacts the Help Desk pretending to be a faculty or staff member and requests an urgent password reset in order to gain unauthorized access.
• An attacker uses personal details gathered from public sources or casual conversations to appear legitimate and trustworthy.
Why Social Engineering Is a Risk
Successful social engineering attacks can allow unauthorized individuals to gain access to systems, data, and services that are otherwise protected. This can result in data exposure, account compromise, service disruption, or misuse of institutional resources.
Because these attacks target people rather than technology, awareness and caution are key defenses.
Security Tips
• Be cautious of unsolicited phone calls, emails, or messages requesting personal or institutional information.
• Verify the identity and authority of anyone requesting sensitive information before responding.
• Do not share passwords, PINs, or authentication codes by email, phone, or text.
• Be mindful of your surroundings when entering passwords or accessing secure systems.
• If a request feels unusual, urgent, or unexpected, pause and confirm its legitimacy through known, trusted channels.
When In Doubt
If you receive a suspicious request or are unsure whether a communication is legitimate, contact the OIT Security Team or Help Desk directly at 214-768-4357 or help@smu.edu.