The rise of reverse social engineering scams

By now, most of you have read the story of one 32-year-old woman who was scammed recently of almost half a million pesos after falling prey to the guise of gift certificates seemingly coming from legitimate phone calls from one of her banks. It was a painful read, with red flags everywhere, and it makes for a compelling case study on how reverse social engineering scams are now on the rise.

Reverse social engineering is a type of psychological manipulation tactic where scammers impersonate trusted authorities or entities in an attempt to lull victims into compromising situations. Rather than trying to trick someone directly, reverse social engineering flips the script — playing on people’s psychological tendency to comply with perceived authorities.

Expect two things in this case: first, they will sound real, and they will have correct information about you (your card and mobile plan details, to name a few). Second, and most importantly, they can copy the real-life scenario of how these things transpire, i.e., when the fraud department calls you or when IT support reaches out.

It will all feel real, which is all the more reason to raise your guard. Statements such as “please watch out for fraud triggers as you will be getting those, and I would just need the verification code to bypass the system” are nothing but a ploy to have the OTP sent to them so they can take full control of your credit card, for example. That SMS coming from the bank is obviously not a fraud trigger but an urgent reminder for you to validate whether you are indeed making that transaction. If not, run away.

For years, stories of elderly victims being scammed out of their life savings by fraudsters using devious social engineering tactics have been far too common. I wrote about this previously on how exploiting the trusting nature and sometimes diminished mental capacities of the elderly is deplorable enough.

However, a new wave of sophisticated reverse social engineering scams hits even closer to home — preying on young, tech-savvy millennials instead. In other words, the scam design and its storytelling become intricate enough to get your interest and attention, with the accompanying financial and emotional consequences.

Learning and unlearning at the same time

While training and awareness about the tricks and psychological manipulation tactics used in reverse social engineering scams can help mitigate risks, cybersecurity experts agree there are no easy solutions. These scams capitalize on the innate human desire to be viewed as cooperative and address seemingly urgent issues from authorities.

In addition, these intricately designed scams reveal how even our best efforts to arm ourselves against deception may not be enough. That is why it is always important and very practical to keep reminding ourselves, our loved ones and our friends of the following best practices to avoid being victims of such scams:

1. Be vigilant. Know that you have to be extremely wary of anyone asking for personal or financial information, even if they claim to be from a legitimate authority. Verify their identity through other official channels and exercise human two-factor authentication.

The point here is not to believe what you hear in the first instance.

2. Do not take further action. This means never installing software or remote access tools, and never opening attachments, on the strength of unsolicited emails or calls, even if they seem to be from your own company’s IT department. Moreover, it demands multiple layers of verification and approval for any unusual requests related to accounts, payments, or accessing secure systems.

3. Trust your instincts. The minute you hear and feel a red flag, immediately err on the side of caution. Raise your guard and believe that, yes, you will not receive that voucher promised to you as a reward for your continued use of the bank’s credit card. Neither will you get the P70,000 Sodexo gift certificate after creating your digital wallet account.

4. To organizations and employees, ensure that cybersecurity training is provided, highlighting the latest social engineering tactics and how to identify red flags.

More importantly, it is advisable to foster an environment where people don’t fear repercussions for questioning suspicious requests to help deter social engineering successes.

Remember, this type of scam is intricate and detailed enough for you to believe the legitimacy of the call. These people have been trained and are continuously practicing and mimicking what goes on in real life to make it appear that they are who you think they are. Now you know otherwise.

Kay Calpo Lugtu is the chief operating officer of Hungry Workhorse, a digital and culture transformation firm. Her advocacies include food innovation, nation-building and sustainability. The author may be reached at