Social engineering attacks are increasing, and financial institutions are prime targets because of their broad digital footprint and their access to personally identifiable information (PII), customer accounts and payment streams. In 2025, business email compromise (BEC) losses reached $3.046 billion, according to the FBI Internet Crime Report.
The consequences of these attacks can be severe and result in financial loss, data theft, reputational harm and operational disruptions. It’s imperative for financial institution leaders to better understand social engineering and how to prevent it in their organization and with their customers.
Social Engineering Definition
Social engineering is psychological manipulation: rather than attacking a system directly, the criminal works on the end user to gain access to sensitive information and compromise security. These attacks exploit people's natural tendency to be trusting and helpful, manipulating them into disclosing sensitive information or performing unsafe actions. The tactics vary, but the goal is the same: get someone to hand over confidential information or access, which poses a significant risk to the institution's security and operations.
Compared with other types of cyberattack, this method requires minimal technical skill: deception and persuasion take the place of malicious code or malware. Think of social engineering as a con: rather than picking the lock, the attacker persuades the victim to unlock the door themselves.
Why Social Engineering Is Prevalent in the Financial Institutions Industry
Financial institution employees are targeted through fraudulent emails, texts or calls designed to obtain login credentials, multi-factor authentication codes or related information (e.g. employee or customer account details) that can lead to unauthorized system access. Third-party vendors are also common targets, because compromising one gives attackers an indirect route to an institution's sensitive information.
This was the case in the 2023 attack on MGM Resorts, which began with a phone call rather than an exploit. Members of a cybercrime group, using an employee's details found on LinkedIn, called MGM's IT help desk, impersonated that employee and obtained a credential reset. That gave them a foothold in MGM's Okta tenant, the third-party cloud identity and access management platform MGM relied on, and from there access to MGM systems. Following this social engineering scam, personal information of 37 million customers was compromised.
Attackers often craft their messages to trigger emotional responses such as urgency, fear or curiosity, short-circuiting rational decision-making in the process. This is particularly dangerous for financial institutions safeguarding customers’ information and financial accounts. Even with strong technical defenses in place, a single click or unverified response can open the door to a cyberattack.
Common Types of Social Engineering Attacks
A broad range of digital social engineering tactics can be used to acquire sensitive personal and financial information.
Phishing
Phishing involves fraudulent emails or messages that appear to come from trusted sources, such as well-known companies or institutions. These messages typically prompt the user to click on a link or download an attachment. While the email may look legitimate, complete with logos and professional language, the link usually directs the victim to a fake website designed to capture login credentials, personal data, or financial information.
Vishing
Vishing, or voice phishing, uses phone calls to trick individuals into providing sensitive information. Attackers typically impersonate an organization the target already trusts, such as a bank or a government agency.
For example, a scammer may call claiming to be from the Internal Revenue Service (IRS) or the individual's bank, demand immediate payment or claim suspicious activity was found on the individual's account, and then ask for details such as Social Security numbers, account numbers and passwords to "verify" the account.
Smishing
Smishing, or SMS phishing, is social engineering delivered by text message. The messages aim to get the recipient to tap a link that installs malware on the device or leads to a fake website built to capture sensitive information such as account credentials.
The most common smishing campaigns impersonate trusted brands such as Google, Microsoft, Amazon or FedEx. The messages use urgent language, claiming an account is locked or a package cannot be delivered, to push the recipient into acting before verifying the source.
Spear Phishing
Spear phishing is a more targeted form of phishing aimed at a specific individual or organization. Unlike generic phishing attempts, these attacks are personalized and tailored using information gathered about the victim, making the communication appear more credible and convincing. Attackers may use various channels such as email, SMS, messaging apps or phone calls to deliver these messages.
Details attackers gather include job titles, business relationships and recent transaction activity. A successful spear phishing attack can result in unauthorized financial transactions, data breaches or significant reputational damage to the targeted organization.
Example Attack
Financial institutions have reported incidents in which an employee received a phishing email that looked legitimate, often mimicking an internal system with a message such as "session timed out" or "password reset required" for the network or core banking system that back-office staff use every day.
After the employee clicked the link and entered their credentials, the threat actor logged into the institution's network, bypassed multi-factor authentication, and held access to the wire-processing and transaction-monitoring solution for an extended period.
Before attempting a fraudulent wire, the threat actor observed legitimate wire activity and learned the approval process and workflow system, so that the fraudulent transaction would look routine.
AI Usage in Social Engineering
Artificial intelligence (AI) makes social engineering scams more convincing through deepfake audio and video: synthetic media built to mimic the look and sound of a real person, so that an instruction appears to come from a known executive or colleague.
Example Attack
The chief executive officer (CEO) of a credit union was the target of a social engineering scam when a cybercriminal used deepfake audio to impersonate the organization’s chief financial officer (CFO) instructing a large wire transfer. The CEO thought the audio message was real with legitimate instructions from the credit union’s CFO, so he moved forward with sending the transfer to a fraudulent account.
Preventing Social Engineering Fraud in Financial Institutions
Employee education and awareness are the first line of defense against social engineering, reinforced by the technical and customer-facing controls described below. While financial institutions will continue to experience attempts, proactive steps can minimize the threat and the damage a successful attempt can do.
Offer Employee Education and Training
Holding regular security trainings can help employees recognize social engineering attempts. Teach employees to:
- Pay close attention to the sender's actual email address, not just the display name, and check the message for generic greetings and poor grammar.
- Treat logos and copyright footers as no proof of legitimacy: attackers copy them to make a message look authentic, and an unusual or outdated logo is itself a warning sign.
- Hover over links before clicking to confirm the destination domain matches the text shown and the institution's real domain.
- Report anything suspicious, no matter how small it seems.
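The same checks, applied by a script rather than by eye, as an added example (not code from the article or from Cherry Bekaert): it parses a constructed sample message and flags an untrusted sender domain, a Reply-To that differs from the From domain, a generic greeting, urgency language, and a link whose visible text names the bank's domain while the href points elsewhere. A second constructed message shows the checks stay quiet on ordinary mail. The domains firstbank.example and firstbank-secure.example and the trusted-domain list are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"firstbank.example"}  # assumed: the institution's own mail/web domain

# Constructed phishing sample: the display name claims the bank, the address does not,
# Reply-To goes somewhere else again, and the link text hides the real destination.
SAMPLE_EMAIL = """\
From: "FirstBank IT Support" <it-support@firstbank-secure.example>
Reply-To: helpdesk@mail-reset.example
To: teller@firstbank.example
Subject: Action required: session timed out
Content-Type: text/html

<html><body>
<p>Dear user,</p>
<p>Your session has timed out. Please sign in again at
<a href="http://firstbank-secure.example/reset">https://login.firstbank.example</a> within 24 hours.</p>
<p>&copy; 2025 FirstBank. All rights reserved.</p>
</body></html>
"""

# Constructed legitimate sample, to show the checks do not fire on ordinary mail.
LEGIT_EMAIL = """\
From: "Jane Doe" <jane.doe@firstbank.example>
To: teller@firstbank.example
Subject: Q3 branch schedule
Content-Type: text/html

<html><body><p>Hi Sam,</p>
<p>The schedule is on <a href="https://intranet.firstbank.example/schedule">the intranet</a>.</p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
GENERIC_GREETINGS = ("dear user", "dear customer", "dear valued", "dear account holder")
URGENCY = ("action required", "immediately", "within 24 hours", "suspended", "locked")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname; crude, but enough to compare the samples."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def analyze(raw: str) -> list:
    """Return a list of findings for a single-part HTML message (empty = nothing odd)."""
    msg = message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(from_addr.rpartition("@")[2])
    if from_dom not in TRUSTED_DOMAINS:
        findings.append(f"sender domain not trusted: {from_dom}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registered_domain(reply_addr.rpartition("@")[2]) != from_dom:
        findings.append("Reply-To domain differs from From domain")

    body = msg.get_payload()  # single-part message: the payload is the HTML string
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(u in text for u in URGENCY):
        findings.append("urgency language")

    # The "hover over the link" check: compare the displayed URL with the real href.
    for href, inner in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        href_dom = registered_domain(urlparse(href).hostname or "")
        shown_dom = registered_domain(urlparse(shown).hostname or "") if shown.startswith("http") else ""
        if shown_dom and shown_dom != href_dom:
            findings.append(f"link text shows {shown_dom} but href goes to {href_dom}")
        elif href_dom not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {href_dom}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

None of these signals is decisive on its own (legitimate mail is sent from vendors' domains too), which is why the training point is to report rather than to decide; a mail gateway would weight such findings rather than block on any one of them.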
Enforce Strong Password Controls
Enforce strong password requirements on the network and on any third-party systems that connect to or store institutional data, and require vendors that access the internal network to meet the institution's security standards.
Complexity rules alone are not enough: passwords built from the institution's name, seasons, cities or common names are predictable, and attackers put exactly those terms into the dictionaries they use for brute-force and password-spraying attacks. Screen new passwords against such a denylist, and against lists of passwords exposed in known breaches, before accepting them.
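A password screen that rejects the predictable patterns described above even when they satisfy a complexity rule, as an added example (not from the article). The institution name, city list and thresholds are assumed placeholders; common "leet" substitutions are reversed before matching so that "W1nter" and "F1rstB@nk" are caught.

```python
import re

INSTITUTION_TERMS = {"firstbank", "fbk"}            # assumed institution name and abbreviation
LOCAL_TERMS = {"richmond", "raleigh", "charlotte"}   # assumed branch cities
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "june", "july", "august",
          "september", "october", "november", "december"}  # "may" omitted: too short to match safely
COMMON_NAMES = {"michael", "jennifer", "jessica", "christopher", "ashley"}
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Undo the usual substitutions so "P@ssw0rd" and "W1nter" still match the word lists.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

CHECKS = (
    (INSTITUTION_TERMS, "institution name"),
    (LOCAL_TERMS, "local city"),
    (SEASONS, "season"),
    (MONTHS, "month"),
    (COMMON_NAMES, "common name"),
    (COMMON_PASSWORDS, "common password"),
)


def meets_complexity(pw: str) -> bool:
    """The rule many policies stop at: 12+ characters and three of four classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(pw) >= 12 and classes >= 3


def screen(pw: str) -> list:
    """Return the reasons a password is rejected; an empty list means acceptable."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("fails length/complexity rule")
    normalized = pw.lower().translate(LEET)
    for terms, label in CHECKS:
        hit = next((t for t in sorted(terms) if t in normalized), None)
        if hit:
            reasons.append(f"contains {label} '{hit}'")
    if re.search(r"(19|20)\d\d", pw):  # checked on the raw string, before leet reversal
        reasons.append("contains a year")
    return reasons


if __name__ == "__main__":
    for candidate in ("Winter2025!!", "F1rstB@nk#2024", "Summer2025", "correct-horse-battery-staple-9"):
        print(candidate, "->", screen(candidate) or "accepted")
```

"Winter2025!!" passes a 12-character, three-class rule and would still be among the first guesses in a password-spraying run against a bank; the screen rejects it for the season and the year. In production the word lists would be much longer and the breached-password check would be done against a hashed corpus, but the shape of the check is the same.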
Implement a Layered Security Approach
MFA should be required at every access point: network logon, third-party connections, remote access (VPN), administrative accounts and high-risk applications. System administrators should also be able to configure the surrounding controls, such as alerts on sign-ins from new devices or locations, session timeouts and inactivity time-outs.
Prefer phishing-resistant methods such as FIDO security keys (or passkeys) over SMS codes, one-time passcodes (OTP) sent by email or text, and plain push prompts. A FIDO credential is bound to the legitimate site's origin, so a look-alike login page that relays the user's input in real time cannot complete the sign-in. If push-based MFA remains in use, require number matching in the authenticator app: it blunts MFA fatigue (repeated prompts until the user taps "approve"), but, unlike FIDO, it does not stop a real-time phishing proxy, because the user reads the number from whatever page they are on.
Modern authentication methods also produce a better audit trail (which credential, which device, which origin), which helps detect and investigate suspicious sign-in activity.
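To make that difference concrete, the following added example (not from the article) simulates an adversary-in-the-middle phishing proxy against two second factors. TOTP is implemented per RFC 6238; the FIDO side is a simplified WebAuthn assertion in which HMAC stands in for the authenticator's ECDSA signature, because the point is the origin field the browser fills in, not the signature algorithm. The two origins and the keys are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import struct

BANK_ORIGIN = "https://login.firstbank.example"           # assumed real login page
PHISH_ORIGIN = "https://login.firstbank-secure.example"   # assumed look-alike proxy


# --- TOTP (RFC 6238, HMAC-SHA1, 30 s step): a code the user can type anywhere ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def bank_checks_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def aitm_relay_totp(secret: bytes, unix_time: int) -> bool:
    """The user reads the code off the app and types it into the phishing page;
    the proxy submits it to the bank unchanged. Nothing ties the code to a site."""
    typed_into_phish_page = totp(secret, unix_time)
    return bank_checks_totp(secret, typed_into_phish_page, unix_time)


# --- WebAuthn-style assertion: signed over the origin the browser actually saw ---
def authenticator_sign(cred_key: bytes, page_origin: str, challenge: str):
    """The browser, not the page script, fills in 'origin' from the address bar.
    HMAC is a stand-in here for the ECDSA signature a real authenticator produces."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig


def bank_checks_assertion(cred_key: bytes, expected_challenge: str,
                          client_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != BANK_ORIGIN:   # origin binding: the check a relay cannot pass
        return False
    expected = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def aitm_relay_fido(cred_key: bytes) -> bool:
    """Proxy forwards the bank's challenge to the victim and the signed assertion back.
    The assertion is valid, but it says it was made on the phishing origin."""
    challenge = secrets.token_urlsafe(32)
    client_data, sig = authenticator_sign(cred_key, PHISH_ORIGIN, challenge)
    return bank_checks_assertion(cred_key, challenge, client_data, sig)


def legitimate_fido(cred_key: bytes) -> bool:
    challenge = secrets.token_urlsafe(32)
    client_data, sig = authenticator_sign(cred_key, BANK_ORIGIN, challenge)
    return bank_checks_assertion(cred_key, challenge, client_data, sig)


if __name__ == "__main__":
    seed, key = b"12345678901234567890", b"credential-private-key"
    print("relayed TOTP accepted:", aitm_relay_totp(seed, 1_700_000_000))   # True
    print("relayed FIDO accepted:", aitm_relay_fido(key))                  # False
    print("genuine FIDO accepted:", legitimate_fido(key))                   # True
```

In a real browser the relay fails one step earlier: the authenticator only releases a credential whose relying-party ID matches the page's registrable domain, so on firstbank-secure.example it has nothing to sign with. A number-matching push prompt sits with TOTP in this picture: the proxy shows the victim the number the bank sent, and the victim enters it in the app.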
Monitor Systems and Conduct Regular Audits
Monitoring critical systems around the clock will not stop every attack, but it shortens the time an intruder sits unnoticed, which in the example above was long enough to learn the wire workflow. Regular audits of access rights, vendor connections and control configuration help identify weaknesses so the organization can address them proactively.
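Baseline-and-deviation detection over authentication and wire events, as an added example (not from the article), showing what the sign-in signals mentioned under the layered approach and the monitoring above would catch in the example attack: a login from an unseen device and country outside business hours, followed minutes later by an unusually large wire to a new beneficiary. The six JSON log lines are constructed; the field names, the user, and the 60-minute and 3x thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a back-office user's normal activity, then the attack pattern.
LOG = """\
{"ts":"2025-03-03T09:02:11Z","event":"login","user":"ops.jane","ip":"10.1.4.22","country":"US","device":"WKS-0412","result":"success"}
{"ts":"2025-03-03T10:15:40Z","event":"wire","user":"ops.jane","amount":42000,"beneficiary":"ACME-Supply-1191"}
{"ts":"2025-03-04T08:58:03Z","event":"login","user":"ops.jane","ip":"10.1.4.22","country":"US","device":"WKS-0412","result":"success"}
{"ts":"2025-03-04T11:40:00Z","event":"wire","user":"ops.jane","amount":18500,"beneficiary":"ACME-Supply-1191"}
{"ts":"2025-03-11T02:17:49Z","event":"login","user":"ops.jane","ip":"185.220.101.7","country":"NL","device":"UNKNOWN-7f3a","result":"success"}
{"ts":"2025-03-11T02:41:05Z","event":"wire","user":"ops.jane","amount":240000,"beneficiary":"Horizon-Holdings-LLC"}
"""

BUSINESS_HOURS = range(6, 20)        # assumed, in UTC for this sample
WIRE_WINDOW = timedelta(minutes=60)  # assumed: a wire this soon after a flagged login is suspicious
AMOUNT_MULTIPLIER = 3                # assumed: flag wires above 3x the user's prior maximum


def new_baseline():
    return {"devices": set(), "countries": set(), "beneficiaries": set(),
            "max_amount": 0, "logins": 0, "wires": 0, "last_flagged_login": None}


def detect(log_text: str) -> list:
    """Replay events in order, comparing each against that user's own history.
    Flagged events are not folded into the baseline, so an attacker's first
    login cannot make the next one look normal."""
    baselines = defaultdict(new_baseline)
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        b = baselines[ev["user"]]
        reasons = []
        if ev["event"] == "login" and ev["result"] == "success":
            if b["logins"]:  # the very first login only seeds the baseline
                if ev["device"] not in b["devices"]:
                    reasons.append("login from unseen device")
                if ev["country"] not in b["countries"]:
                    reasons.append("login from unseen country")
            if ts.hour not in BUSINESS_HOURS:
                reasons.append("login outside business hours")
            b["logins"] += 1
            if reasons:
                b["last_flagged_login"] = ts
            else:
                b["devices"].add(ev["device"])
                b["countries"].add(ev["country"])
        elif ev["event"] == "wire":
            if b["wires"]:  # the first wire only seeds the baseline
                if ev["beneficiary"] not in b["beneficiaries"]:
                    reasons.append("wire to unseen beneficiary")
                if ev["amount"] > AMOUNT_MULTIPLIER * b["max_amount"]:
                    reasons.append(f"wire amount above {AMOUNT_MULTIPLIER}x prior maximum")
            last = b["last_flagged_login"]
            if last is not None and timedelta(0) <= ts - last <= WIRE_WINDOW:
                minutes = int(WIRE_WINDOW.total_seconds() // 60)
                reasons.append(f"wire within {minutes} minutes of a flagged login")
            b["wires"] += 1
            if not reasons:
                b["beneficiaries"].add(ev["beneficiary"])
                b["max_amount"] = max(b["max_amount"], ev["amount"])
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "event": ev["event"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(LOG):
        print(a["ts"], a["user"], a["event"], "|", "; ".join(a["reasons"]))
```

The wire alert is the one that matters operationally: it should hold the transaction for out-of-band confirmation with the employee rather than merely page an analyst, since the point of the attacker's observation phase was to make the wire itself look routine.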
Implement Customer Controls
In addition to internal controls, customer-facing safeguards should be reevaluated and adjusted as social engineering techniques and customer behavior change. Ideally, customer controls are risk-based and reassessed periodically based on:
- Emerging fraud trends
- Transaction patterns
- Delivery channels
- Changes in how customers interact with the institution
Controls may include enforcing appropriate authentication requirements, transaction limits, verification procedures, and monitoring for customer-initiated activities, particularly for higher-risk transactions. Institutions should regularly review whether these controls remain effective, are appropriately calibrated, and are consistently applied across channels and customer segments.
Clear and ongoing customer communication is critical. Institutions should reinforce approved communication channels, set expectations for verification and callback procedures, and routinely educate customers on what information the institution will never request via email, text, or phone. As fraud tactics evolve, customer education and control design should evolve with them.
Your Guide Forward
Cherry Bekaert’s Risk & Cybersecurity professionals collaborate with our Financial Institutions practice to help banks and credit unions build strong risk frameworks and implement practical safeguards to reduce vulnerabilities.
By combining ongoing training, policies and advanced risk management strategies, we help organizations strengthen their security posture against social engineering attacks and other evolving cyber threats. Contact us to learn how we can support your cybersecurity strategy, allowing you to protect your digital assets and empower your people.