On the rise: How to spot and avoid social engineering scams

This form of fraud does not rely on technology, but rather on the victim’s trust

Abdulla Rasheed, Editor - Abu Dhabi

The Government Empowerment Department in Abu Dhabi (GED-AD) has emphasized that social engineering is a method based on exploiting human error. This form of fraud does not rely on technology, but rather on the victim’s trust. Many people have received fake messages, suspicious calls, or irresistible offers—these are often the gateways into the world of fraud known as “social engineering.”

According to the department’s official website, these attacks require no advanced technology; they hinge on simple communication between the victim and the scammer. Social engineering schemes rely heavily on artificial intelligence to manipulate user behavior through fake messages, deceptive calls, or fraudulent offers—all aimed at extracting personal information.

The department warned that detecting these scams is becoming increasingly difficult and that a single misstep could jeopardize an entire organization.

The four steps of social engineering

The department outlined four basic steps commonly used in such schemes:

  1. Information gathering: Collecting personal details about the target.

  2. Contact and trust building: Reaching out and creating a sense of trust.

  3. Exploitation: Using that trust to extract valuable information or access.

  4. Disappearance: The scammer vanishes without a trace.

Phishing—via emails or messages—is one of the most commonly used techniques in social engineering fraud, often targeting passwords, bank card details, personal accounts, or any sensitive data that fits the attacker’s agenda. The department underscored that these scams revolve around how people think and behave, and stressed the need to protect oneself by verifying sources and avoiding suspicious links. It affirmed that the individual is the strongest link in the cybersecurity chain.

44% of youth aged 20–29 have fallen victim to online fraud

The department refuted the common belief that the elderly are the primary victims of online fraud, citing 2024 survey results showing that 44% of individuals aged 20–29 had experienced online scams, compared to just 24% of those aged 70–79. Moreover, individuals aged 29 and under were found to lose money at double the rate of older age groups in financial scams.

What is social engineering?

The UAE Cybersecurity Council defines social engineering as a manipulative technique that exploits human error to gain private information, unauthorized access, or valuables. In the realm of cybercrime, these “human hacking” tactics often lure unsuspecting users into disclosing sensitive data, spreading malware, or granting access to restricted systems. Such attacks can occur online, in person, or through other interactions.

The Council further explained that social engineering is centered on understanding how people think and behave. Once an attacker identifies what motivates a user’s actions, they can effectively deceive and manipulate that user.

Hackers also capitalize on users’ lack of awareness. With the rapid pace of technological advancement, many consumers and employees remain unaware of threats like inadvertent downloads or the value of their personal data, such as phone numbers. As a result, many are unsure of how to best protect themselves and their information.

The goals of social engineering attacks

Social engineers generally pursue one of two main objectives:

  • Sabotage: Disrupting or destroying data to cause harm or inconvenience.

  • Theft: Stealing valuables such as sensitive data, access credentials, or money.

How does social engineering work?

Most social engineering attacks depend on direct interaction between the attacker and the victim. Rather than breaking in through technical means, attackers persuade victims to unwittingly give them access.

The typical social engineering attack cycle consists of the following stages:

  1. Preparation: Gathering basic information about you or a group you’re part of.

  2. Infiltration: Establishing contact and beginning to build trust.

  3. Exploitation: Once trust is secured, identifying and exploiting a weakness to carry out the attack.

  4. Withdrawal: Disappearing once the victim has taken the intended action.

This entire process may unfold in a single email or span several months through social media interactions. It can even occur face-to-face. But it always ends with the victim taking an action—such as sharing personal information or exposing their system to malware.

Social engineering is a powerful tool of confusion. Many employees and consumers are unaware that just a few pieces of personal information can grant attackers access to multiple accounts and networks.

By impersonating legitimate users during calls with IT support teams, attackers can acquire private data—such as your name, birthdate, or address—which can then be used to reset passwords and gain nearly unrestricted access. From there, they may steal money, distribute malware, or engage in further cyber exploitation.
