Bulk Equipment
Module 3 of 3
Security Awareness Training

Social Engineering

Learn to recognize when someone is trying to manipulate you into giving up information, access, or credentials through deception rather than technology.

What is Social Engineering?

Social engineering is when an attacker tricks a person into doing something they should not do. Instead of hacking a computer, they hack the human. They use trust, urgency, fear, or helpfulness against you.

These attacks happen through phone calls, in-person conversations, emails, and text messages. The attacker pretends to be someone you trust: IT support, a coworker, HR, or even your boss.

Why this matters: Bulk Equipment has experienced incidents where partner email accounts were compromised and used to send convincing messages to employees. Social engineering attacks are real and they target companies like ours.

Common Social Engineering Tactics

1. Pretending to Be IT Support

An attacker calls or emails claiming to be from IT. They say there is a problem with your account and they need your password to fix it, or they ask you to install software or visit a website.

Example Phone Call
"Hi, this is Mike from IT. We're seeing some unusual activity on your account and I need to verify your identity. Can you confirm your username and password so I can check the logs?"
The truth: Real IT support will never ask for your password. They can reset it without knowing it. If someone calls asking for credentials, hang up and contact IT directly using a number you already know.

2. Pretending to Be a Coworker

An attacker contacts you pretending to be a coworker who urgently needs access to a system, a file, or information. They may use a real coworker's name and claim their own access is not working.

Example Email
"Hey, I'm working from home today and I can't get into the HR portal. I need to check my pay stub before the bank closes. Can you log in and tell me what my last deposit amount was? I know it's a weird ask but I'm in a bind."
The truth: Never access someone else's account or share their information with them through unofficial channels. If a coworker needs help with access, they should contact IT directly. You cannot verify who is really on the other end of a message.

3. Shoulder Surfing

Someone watches over your shoulder as you type your password or view sensitive information on your screen. This can happen in the office, at a coffee shop, or anywhere you use a device.

Protection: Be aware of who is around you when typing passwords. Angle your screen away from foot traffic. Lock your screen when stepping away. If someone is watching while you type a password, stop and wait for them to move.

4. Pretexting to Change Personal Information

An attacker contacts HR or payroll pretending to be an employee. They request changes to direct deposit information, mailing addresses, or other personal details. The goal is to redirect the real employee's paycheck to the attacker's bank account.

How to protect yourself: If you receive a call or email from someone claiming to be a coworker asking you to change their information, always verify in person or through a known phone number. Never make changes based on an email or phone call alone.

How to Respond

The Verification Rule

Any time someone asks you for credentials, access, or personal information, verify the request through a separate, trusted channel before doing anything. This means:

  • If they called you: Hang up and call them back at a number you already know (from the company directory, not the number they gave you).
  • If they emailed you: Walk over to their desk and ask in person, or call them directly.
  • If they texted you: Call the person using a known number to confirm.
This is not rude: Verifying requests is professional and expected. A real coworker or IT person will understand and appreciate that you are being careful. Only an attacker will pressure you to skip verification.

Warning Signs of Social Engineering

  • Urgency or pressure. "I need this right now" or "This has to happen before end of day."
  • Asking you to bypass normal procedures. "Can you just do this one thing for me without going through the usual process?"
  • Asking for credentials. No one should ever need your password.
  • Asking you to keep it a secret. "Don't mention this to anyone else."
  • Name-dropping authority. "Mark told me to call you directly about this."
  • Offering something too good to be true. "You've been selected for a special bonus."

If You Suspect Social Engineering

  • Stop the conversation. You do not have to respond immediately.
  • Do not provide any information. Not your name, department, schedule, or anything else.
  • Report it to your manager. Even if you are not sure, it is better to report than to stay quiet.

Quick Reference

Never Give Out:

  • Your password or login credentials, to anyone, ever.
  • Another employee's personal information (pay, address, SSN, schedule).
  • Your own personal information (SSN, bank details) unless you initiated the contact through a known, trusted channel.
  • Information about company systems, security, or internal processes to unverified callers.

Always Verify By:

  • Calling back on a known number from the company directory.
  • Walking over to the person's desk and asking face to face.
  • Checking with your manager before acting on unusual requests.

Always Report:

  • Any phone call asking for your password or login information.
  • Emails from coworkers making unusual requests (especially involving money, account changes, or login credentials).
  • Anyone you do not recognize trying to access restricted areas or systems.
  • Requests that ask you to bypass normal procedures or keep something secret.
Remember: Social engineers exploit helpfulness and trust. Being cautious and verifying requests is not paranoia. It is protecting yourself, your coworkers, and the company.

Knowledge Check

Answer all 5 questions. Read each scenario carefully before choosing.

Passing score: 80% (4 out of 5)

Question 1 of 5
You get a phone call from someone who says they are from IT support. They say your account has been flagged for suspicious activity and they need your password to investigate. What should you do?

Question 2 of 5
A coworker sends you an email saying they are working from home and cannot log into the HR portal. They ask you to log in for them and send their pay stub information. What should you do?

Question 3 of 5
Which of the following is a warning sign of a social engineering attack?

Question 4 of 5
Someone calls claiming to be from your bank and says they need to verify your direct deposit details to process this week's paycheck. They already know your name and employer. What should you do?

Question 5 of 5
You notice someone standing behind you and watching your screen while you log into the HR portal. What should you do?