Contributors

Michelle Maratto

Vice President, Cyber Advisory

Sana Hashmat

Senior Associate, Cyber Advisory

In today's ever-evolving cyber landscape, the threat of cybercrime looms larger than ever, with social engineering emerging as one of the most commonly used tactics employed by cybercriminals.

The importance of awareness in combating these cyber tactics cannot be overstated. As cybercriminals become increasingly sophisticated, the need for vigilance and education grows. Understanding the mechanisms of social engineering is crucial in recognizing and thwarting these deceptive strategies. From phishing emails that mimic legitimate communications to elaborate scams that prey on trust, and even the use of deepfakes to impersonate trusted individuals, the spectrum of social engineering tactics is vast and varied.

As we delve into the world of social engineering, this article aims to equip you with the knowledge to recognize and defend against these misleading tactics, safeguarding your wealth and personal information from the clutches of cybercriminals.

What is social engineering?

Social engineering is the art of manipulating individuals into divulging confidential information, often by exploiting human psychology. The consequences of social engineering attacks can be severe, affecting individuals, organizations and even nations. With social engineering scams on the rise, 98% of cyber attackers are using social engineering techniques for exploitation.[1]

Social engineering attacks can take various forms, including phishing emails, smishing messages (text messages) and vishing calls (phone calls). The common thread among these tactics is the reliance on human interaction to achieve the attacker's goals. For instance, a phishing email may appear to be from a trusted source, urging the recipient to click on a link or download an attachment. Once the individual complies, the attacker can gain unauthorized access to sensitive information or systems.

One of the most concerning aspects of social engineering is that everyone is vulnerable, regardless of age or technical expertise. Cybercriminals craft their tactics to exploit universal human traits, such as trust and curiosity, making it possible for anyone to fall victim to these deceptive schemes. Whether it's a young person lured by a seemingly harmless online offer, or an elderly individual targeted by a convincing phone scam, the reach of social engineering knows no bounds.

What is the difference between phishing, smishing and vishing scams?

Phishing, smishing and vishing are all forms of social engineering attacks that aim to deceive individuals into revealing sensitive information:


Phishing

Phishing is a cyberattack method that relies on fraudulent emails designed to look like they come from legitimate sources. These emails often impersonate trusted organizations, such as banks or popular online services, to trick recipients into believing the message is authentic. The goal is to lower the target’s guard and provoke engagement.

Smishing

Smishing, or short message service (SMS) phishing, is a technique where attackers use text messages to deliver deceptive content. These messages often appear to come from reputable companies or government agencies, making them seem trustworthy. The goal is to lure recipients into clicking on malicious links or sharing personal information.

Vishing

Vishing, or voice phishing, involves attackers making phone calls or leaving voice messages to impersonate trusted entities such as financial institutions, government agencies or even family and friends. The caller’s objective is to gain the victim’s trust and extract confidential information, such as account numbers, passwords or Social Security numbers.

Examples of phishing, smishing and deepfake scams

Consider the case of Jane, a successful entrepreneur who fell victim to a cleverly crafted phishing scam. An email, seemingly from her bank, requested urgent verification of her account details. Trusting the familiar branding and professional tone, Jane complied, only to find her accounts and her business compromised.

Let’s look at John, a tech-savvy individual who received a text one evening claiming to be from his bank, warning of suspicious account activity. Urged to click a link to verify his identity, he did so, entering his login details on a seemingly legitimate site.

The next day, John found unauthorized transactions in his account. Realizing he had been scammed, John contacted his bank, which flagged his accounts and worked to recover the funds. The emotional impact, however, was significant. Determined to learn from this, John shared his story with friends and family, stressing the importance of verifying messages.

In another notable case, a firm's CEO was targeted by cybercriminals who used deepfake audio and video to mimic the voice and likeness of the CEO, instructing him to wire a significant amount of money to a fraudulent account. The voice and likeness were convincing enough that the CEO complied, believing he was following legitimate instructions.

Let’s review some things these individuals could have done to protect themselves.

Strategies to outsmart social engineering attempts

  • Stay skeptical: Always question unexpected communications, whether they come via email, text or phone call. If something seems off or too good to be true, it probably is.
  • Verify the source: Before clicking on links or providing information, verify the sender's identity. For emails, check the sender's address for inconsistencies. For texts and calls, contact the organization directly using official contact information.
  • Look for red flags: Be wary of messages that create a sense of urgency, request personal information, or contain spelling and grammatical errors. These are common signs of phishing, smishing and vishing attempts.
  • Do not share personal information: Avoid sharing sensitive information over email, text or phone unless you are certain of the recipient's identity and the necessity of the request.
  • Use Multi-Factor Authentication (MFA): Enable MFA on your accounts to add an extra layer of security. This requires a second form of verification, such as a text message code or authentication app, making it harder for attackers to gain access.
  • Use strong, unique passwords: Create complex passwords for each of your accounts and change them regularly. Consider using a password manager to keep track of them securely.
  • Update software and use anti-virus software: Regularly update your devices, operating systems, browsers and security software to protect against the latest threats. Use antivirus software on all devices to detect and remove any malicious software that may have been installed.
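As an added example (not from the article or its authors), a small Python checker that scores a constructed email against the red flags listed above: a sender domain that is not trusted, a display name that claims a brand the address does not match, a Reply-To that points elsewhere, urgency pressure, and requests for sensitive data. The trusted-domain list and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email) showing the red flags the
# article lists: the display name claims to be the bank, the address domain
# does not match, Reply-To goes elsewhere, and the body demands urgent action.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.com>
Reply-To: support@mail-verify-now.net
To: customer@example.org
Subject: URGENT: verify your account within 24 hours

Your account has been suspended. Verify your password and SSN immediately.
"""

# Assumed: domains the recipient actually expects mail from.
TRUSTED_DOMAINS = {"example-bank.com"}

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended)\b", re.I)
SENSITIVE = re.compile(r"\b(password|ssn|social security|account number)\b", re.I)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, '' if malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def red_flags(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message (empty = none)."""
    msg = message_from_string(raw)
    flags = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Sender address does not belong to a domain we trust.
    if from_dom not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {from_dom!r} is not a trusted domain")

    # 2. Display name mentions a trusted brand but the address domain disagrees.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display.lower() and from_dom != trusted:
            flags.append("display name claims a trusted brand the address does not match")

    # 3. Replies would go to a different domain than the one that sent the mail.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append("Reply-To domain differs from From domain")

    # 4/5. Urgency pressure and requests for sensitive data in subject or body.
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if URGENCY.search(text):
        flags.append("message creates a sense of urgency")
    if SENSITIVE.search(text):
        flags.append("message requests sensitive personal information")
    return flags


if __name__ == "__main__":
    for f in red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", f)
```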

By understanding the mechanics of social engineering and implementing these protective measures, individuals and organizations can significantly reduce the risk of falling victim to these tactics.

The rise of artificial intelligence and deepfakes

Although artificial intelligence (AI) is enhancing efficiency and innovation across various industries, enabling smarter decision-making, personalized experiences and improved problem-solving capabilities, cybercriminals are also leveraging AI to exploit individuals and organizations through advanced social engineering attempts, including deepfakes.

Deepfakes are synthetic media created using AI to alter or fabricate audio, video or images, making it appear as though someone said or did something they did not. This poses a serious threat, as it makes it significantly more difficult for individuals and organizations to distinguish between genuine and fabricated content.

Cybercriminals use AI and deepfakes to profile and target individuals and organizations. For example, they can use AI to:

  • Create fake identities to commit identity theft or gain unauthorized access to sensitive information: Cybercriminals leverage AI to generate realistic images and videos of non-existent people to create fake social media profiles or impersonate real individuals.
  • Manipulate audio and video to spread misinformation, damage reputations or manipulate public opinion: Cybercriminals use deepfakes to alter existing audio and video to make it appear as though someone said or did something they did not.
  • Commit social engineering attacks and scams: Cybercriminals use AI-generated content in phishing, smishing and vishing attacks to create more convincing emails, messages or calls that appear to come from trusted sources to deceive individuals into falling victim to potential scams.

As AI-driven threats and scams are on the rise, it is crucial for individuals and organizations to implement essential cybersecurity protections to counter these ever-evolving threats and to stay a step ahead of cybercriminals.

Here are more ways to remain vigilant in the face of a possible cyber attack.

  • Verify content authenticity of audio, video and images, especially if they involve sensitive information or requests. Pause before taking action, as deepfakes and other impersonations may be difficult to detect – take a moment to review the legitimacy. Do not assume a request is genuine just because the requester knows information about you, your family or your company.
  • Verify instructions through multiple communication channels and trusted methods, such as a direct phone call or face-to-face meeting with the person making the request, before acting on any financial instructions.
  • Establish a standard verification protocol for verifying unusual or high-value requests, which could include requiring written confirmation or approval from multiple senior executives.
  • Establish a unique safe word or phrase for verification that is known only to the parties involved in sensitive communications. This safe word or phrase can be used to verify the authenticity of requests or instructions, especially in situations where deepfake technology might be used to impersonate someone. If the safe word or phrase is not used or is incorrect, it can serve as a red flag to question the legitimacy of the communication.
  • Enable Multi-Factor Authentication (MFA) for financial transactions to ensure that additional verification steps are required before any transfer is authorized, making it significantly harder for cybercriminals to access your information.
  • Limit access to sensitive information and transaction capabilities to a small number of trusted individuals within the firm.
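As an added example (not from the article), the verification protocol from the list above expressed as a policy check in Python: the safe phrase is stored only as a salted hash and compared in constant time, a high-value request must have been confirmed by a callback on a number from the firm's own directory rather than one supplied in the request, and it needs approval from multiple senior executives other than the requester. The threshold, approver count, directory, names and salt are assumed values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed policy values, not taken from the article.
HIGH_VALUE_THRESHOLD = 10_000      # amount at which the full protocol applies
REQUIRED_APPROVALS = 2             # distinct senior executives who must approve
SENIOR_EXECUTIVES = {"ceo", "cfo", "coo"}

# Constructed directory of numbers the firm already holds on file. A callback
# must use one of these, never a number that arrived with the request.
OFFICIAL_DIRECTORY = {"ceo": "+1-555-0100", "cfo": "+1-555-0101"}


def phrase_digest(phrase: str, salt: bytes) -> bytes:
    """Derive a salted hash of the shared safe phrase so the phrase itself is never stored."""
    normalized = phrase.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, 100_000)


@dataclass
class WireRequest:
    requester: str                 # executive the request claims to come from
    amount: float
    safe_phrase_given: str         # phrase spoken/written by the requester
    callback_number_used: str = ""  # number staff actually dialled to confirm
    approvals: set[str] = field(default_factory=set)


class VerificationProtocol:
    def __init__(self, safe_phrase: str):
        self.salt = b"constructed-static-salt"   # use os.urandom(16) in practice
        self.phrase_hash = phrase_digest(safe_phrase, self.salt)

    def check(self, req: WireRequest) -> list[str]:
        """Return the reasons the request must be refused; an empty list means release."""
        problems = []
        # Constant-time comparison so response timing cannot leak the phrase.
        given = phrase_digest(req.safe_phrase_given, self.salt)
        if not hmac.compare_digest(given, self.phrase_hash):
            problems.append("safe phrase missing or incorrect")
        if req.amount < HIGH_VALUE_THRESHOLD:
            return problems        # low-value: the safe phrase alone suffices
        # Out-of-band confirmation on the requester's directory number only.
        if req.callback_number_used != OFFICIAL_DIRECTORY.get(req.requester):
            problems.append("no callback on the requester's directory number")
        # Multiple senior approvals, and the requester cannot approve their own request.
        approvers = (req.approvals & SENIOR_EXECUTIVES) - {req.requester}
        if len(approvers) < REQUIRED_APPROVALS:
            problems.append(f"needs {REQUIRED_APPROVALS} senior approvals, have {len(approvers)}")
        return problems
```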

To best protect your information, reduce your digital footprint: cybercriminals can use what you publish online to create convincing deepfakes or targeted social engineering scams. Sharing personal details online poses substantial risks, especially now that AI tools can exploit this data for cyber-attacks.

Example of an AI-engineered scam

An AI-driven scammer analyzed Julie’s online footprint, including her work details and industry-specific jargon, to create a highly personalized phishing email, leading to a cyber-attack on her company. The AI-generated phishing email appeared to be from a colleague and referenced specific projects, convincing Julie of its authenticity. When Julie clicked on the malicious link within the phishing email, her company's sensitive data was compromised. This gave the scammer access to internal systems and led to a larger cyber-attack that caused financial and reputational damage to the company.

Given the highly convincing and sophisticated nature of AI-driven threats and scams, it is essential for individuals and organizations to adopt fundamental yet vital cybersecurity measures to counter these ever-evolving threats.

Let’s review what Julie should have done before clicking on the phishing email.

  • Recognize advanced social engineering warning signs: With AI and deepfake technologies, cybercriminals are creating realistic content that mimics trusted sources, making scams appear more authentic and convincing than ever before. It is crucial to verify the authenticity of any unsolicited communications in an alternative way.
  • Do not put personal information into AI tools, as they may capture your data and share it with the model, posing privacy and security risks. This can lead to unauthorized access, identity theft and loss of control over how your information is used.
  • Stay informed of the latest developments in AI and deepfake technology, as well as emerging social engineering threats and scams.
  • Regularly educate family members, employees, colleagues, etc. about threats in the cybersecurity landscape, especially the risks associated with deepfakes and AI scams, emphasizing the importance of skepticism and verification.

The bottom line

Fostering a culture of awareness and vigilance is a crucial step in defending against social engineering attacks. By recognizing the signs and implementing robust security measures, individuals and organizations can better protect themselves from the ever-evolving threat landscape.

Most importantly, always question unexpected communications, whether they come via email, text or phone call. Even if a communication appears to be from a trusted source, ensure you verify the legitimacy in an alternative way.

Your J.P. Morgan advisor can provide practical guidance and resources on how to protect you, your family and your business.

References

1. Sprinto. “Social Engineering Statistics: Costs, Trends, AI” (December 31, 2024)


IMPORTANT INFORMATION

This material is for informational purposes only, and may inform you of certain products and services offered by J.P. Morgan’s wealth management businesses, part of JPMorgan Chase & Co. (“JPM”). Products and services described, as well as associated fees, charges and interest rates, are subject to change in accordance with the applicable account agreements and may differ among geographic locations. Not all products and services are offered at all locations. If you are a person with a disability and need additional support accessing this material, please contact your J.P. Morgan team or email us at accessibility.support@jpmorgan.com for assistance. Please read all Important Information.

GENERAL RISKS & CONSIDERATIONS

Any views, strategies or products discussed in this material may not be appropriate for all individuals and are subject to risks. Investors may get back less than they invested, and past performance is not a reliable indicator of future results. Asset allocation/diversification does not guarantee a profit or protect against loss. Nothing in this material should be relied upon in isolation for the purpose of making an investment decision. You are urged to consider carefully whether the services, products, asset classes (e.g. equities, fixed income, alternative investments, commodities, etc.) or strategies discussed are suitable to your needs. You must also consider the objectives, risks, charges, and expenses associated with an investment service, product or strategy prior to making an investment decision. For this and more complete information, including discussion of your goals/situation, contact your J.P. Morgan representative.

NON-RELIANCE

Certain information contained in this material is believed to be reliable; however, JPM does not represent or warrant its accuracy, reliability or completeness, or accept any liability for any loss or damage (whether direct or indirect) arising out of the use of all or any part of this material. No representation or warranty should be made with regard to any computations, graphs, tables, diagrams or commentary in this material, which are provided for illustration/reference purposes only. The views, opinions, estimates and strategies expressed in this material constitute our judgment based on current market conditions and are subject to change without notice. JPM assumes no duty to update any information in this material in the event that such information changes. Views, opinions, estimates and strategies expressed herein may differ from those expressed by other areas of JPM, views expressed for other purposes or in other contexts, and this material should not be regarded as a research report. Any projected results and risks are based solely on hypothetical examples cited, and actual results and risks will vary depending on specific circumstances. Forward-looking statements should not be considered as guarantees or predictions of future events.

Nothing in this document shall be construed as giving rise to any duty of care owed to, or advisory relationship with, you or any third party. Nothing in this document shall be regarded as an offer, solicitation, recommendation or advice (whether financial, accounting, legal, tax or other) given by J.P. Morgan and/or its officers or employees, irrespective of whether or not such communication was given at your request. J.P. Morgan and its affiliates and employees do not provide tax, legal or accounting advice. You should consult your own tax, legal and accounting advisors before engaging in any financial transactions.

Legal Entity and Regulatory Information.

J.P. Morgan Wealth Management is a business of JPMorgan Chase & Co., which offers investment products and services through J.P. Morgan Securities LLC (JPMS), a registered broker-dealer and investment adviser, member FINRA and SIPC. Insurance products are made available through Chase Insurance Agency, Inc. (CIA), a licensed insurance agency, doing business as Chase Insurance Agency Services, Inc. in Florida. Certain custody and other services are provided by JPMorgan Chase Bank, N.A. (JPMCB). JPMS, CIA and JPMCB are affiliated companies under the common control of JPMorgan Chase & Co. Products not available in all states.

Bank deposit accounts and related services, such as checking, savings and bank lending, are offered by JPMorgan Chase Bank, N.A. Member FDIC.

This document may provide information about the brokerage and investment advisory services provided by J.P. Morgan Securities LLC (“JPMS”). The agreements entered into with JPMS, and corresponding disclosures provided with respect to the different products and services provided by JPMS (including our Form ADV disclosure brochure, if and when applicable), contain important information about the capacity in which we will be acting. You should read them all carefully. We encourage clients to speak to their JPMS representative regarding the nature of the products and services and to ask any questions they may have about the difference between brokerage and investment advisory services, including the obligation to disclose conflicts of interests and to act in the best interests of our clients.

J.P. Morgan may hold a position for itself or our other clients which may not be consistent with the information, opinions, estimates, investment strategies or views expressed in this document. JPMorgan Chase & Co. or its affiliates may hold a position or act as market maker in the financial instruments of any issuer discussed herein or act as an underwriter, placement agent, advisor or lender to such issuer.