Social Engineering

How Social Engineering Works: The Con Before the Click

Social engineering preys on trust, not technology. Learn how scammers manipulate Indians through WhatsApp, calls, and impersonation—and how to recognize it.

CyberSathi Desk · AI-assisted · editorially reviewed

The Con Before the Click

I want to start with something I did wrong.

Three years ago, a man called me on my office line. He said he was from ICICI Bank's fraud department. My statement, he told me, showed suspicious activity—a transfer of ₹2.3 lakhs to an unfamiliar account in Bengaluru, made at 2:47 AM. I had not authorized it. My stomach sank. He asked me to verify my account number, date of birth, and the last four digits of my debit card.

I gave him everything.

It was only after I hung up—after I was already reaching for my phone to call the bank—that I realized what had happened. The number had not come from ICICI's verified line. I had no way of knowing that. And I had just handed a stranger the keys to my account.

The reason I tell you this is simple: social engineering does not fail because people are stupid. It succeeds because it uses something far more powerful than any password—it uses your own fear and your trust in institutions you have learned, over a lifetime, to obey.

This is what you need to understand about social engineering, especially if you live in India and use digital money every day. It is not primarily about technology. It is about psychology. And it is winning.

What Social Engineering Actually Is

Social engineering is the art of manipulating a person into revealing confidential information or performing an action that compromises their security. No malware. No exploit. No hacking in the sense most people imagine it.

Just a voice. A story. A sense of urgency.

The scammer is not trying to break into your house. They are trying to convince you to unlock the door yourself.

In India, the most common vectors are:

Voice calls impersonating banks, telecom companies, or government bodies. The caller ID shows a number that looks official—sometimes spoofed to display your bank's real number. They claim your account is compromised, a duplicate SIM card has been created in your name, or your UPI has unusual activity. They ask you to "verify" by sharing your OTP, UPI PIN, or bank details.

WhatsApp messages pretending to be customer service. "Hi, this is PayTM customer care. Your account has been flagged for unusual activity. Click here to verify." The message looks professional. The link leads to a fake login page that looks identical to the real one. You enter your credentials. The scammer logs in while you are still typing.

SMS that mimic official notifications. "Your SBI account is locked due to suspicious login attempts. Click the link to unlock." The URL is carefully crafted—sbibank-unlock.verify.com or something close enough that your eye skips over it in a panic.

Pretext calls from people you almost know. "Hi, this is Rajesh from HR at Infosys. We are updating our employee records. Can you confirm your Aadhaar number?" You half-remember a Rajesh. Your brain fills in the rest. You comply.

Job offers and investment promises. "We are expanding in India and need a financial manager. The role is remote, and the salary is ₹8 lakhs per month." You never applied. But the email looks professional. The man you video-call for the interview looks real (deepfake or borrowed footage). You sign documents. You send money for "processing fees" or to "verify your bank account". The company evaporates.

Each of these works because it does not ask you to do something illogical. It asks you to do the thing you would logically do if the premise were true.

Why It Works in India Specifically

I have spent enough time in Delhi, Bengaluru, and Mumbai to understand that social engineering here has particular leverage. Here are the reasons:

Respect for authority runs deep. If someone claims to be from SBI, ICICI, Google, or the Income Tax Department, a large segment of the population will comply first and verify later. This is not weakness—it is cultural conditioning from childhood. When an authority asks, you answer.

UPI and digital payment adoption created a new surface area. Fifteen years ago, a scammer could impersonate your bank and ask you to come to the branch. You would have time to think. You would see a human. Today, UPI means the money is gone in four seconds. The scammer does not need much. They need your 6-digit PIN, and they need you to panic enough not to double-check.

WhatsApp is ubiquitous and verification is nearly impossible. A phone number can be spoofed. A profile can claim to be your bank. There is no blue checkmark. Most Indians check the message once, see the logo, and assume legitimacy.

Verification by phone is treated as sacred. If someone calls you and identifies themselves with enough details, you believe it. The scammer has already gathered these details from LinkedIn, public records, or previous data breaches. When they use them, you think, "How would they know that unless they were real?"

Time pressure collapses rational thought. "Your account will be closed in 24 hours." "Click here immediately or your UPI access is locked." "Your OTP expires in two minutes." Under pressure, people do not verify. They obey.

The Anatomy of a Recent Case

A woman I know—let us call her Priya—received a WhatsApp message that appeared to be from her bank, HDFC. The message said her account had been flagged for a suspicious transaction of ₹1.5 lakhs to an unknown beneficiary. A link was provided: "Click here to reverse the transaction immediately."

Priya, in genuine alarm, clicked. The page that opened looked exactly like the HDFC login portal. She entered her username and password. A second page asked for her date of birth and card number. She entered these too. A third page asked for her OTP.

At this point, something in her mind shifted. She had given three separate pieces of information. Why would the bank ask for OTP after asking for password? She stopped. She hung up and called the HDFC helpline number on the back of her card.

The helpline told her: no transaction of ₹1.5 lakhs had been attempted. No alert had been issued. Her account was fine. The scammer, however, now had her username, password, date of birth, and card number. If she had given the OTP, they would have had everything.

The bank advised her to change her password immediately. She did. The account was never breached. But for two weeks, every time she opened the app, her hands trembled.

This is the hidden cost of social engineering. It is not just the money—though ₹2-3 lakhs can destroy a family's budget for an entire year. It is the loss of trust in the systems you depend on every day.

The Hard Truth

Here is what I have learned after years of watching this: the person most vulnerable to social engineering is not the uneducated person. It is the educated person who believes they are too smart to fall for it.

IT professionals, accountants, and business owners make up a significant portion of social engineering victims. Why? Because they believe they will recognize the scam. They drop their guard. They do not verify a call from "ICICI Bank" with the same paranoia a 65-year-old might. And by the time they realize it, they have already shared the OTP.

There is another hard truth: banks in India do not own this problem. They should, but they do not. The RBI has issued guidelines. The NPCI has issued guidelines. But when a customer's account is drained via a social engineering attack, the bank's first response is often, "You gave away your OTP. That was your fault."

Technically, yes. Practically, this is firefighting. The real issue is that the attack surface—phone calls, SMS, WhatsApp, email—remains largely uncontrolled. A scammer in Bangkok can spoof a Mumbai phone number and reach millions of Indians with no verification overhead.

What You Can Actually Do

Now. Practical things. I am moving away from the story into the list because some lessons are best absorbed as rules, not narratives.

  1. Banks will never ask you for your OTP, UPI PIN, password, or full card number via call, SMS, or chat. Full stop. If someone is asking, it is a scam. Hang up. Call the bank yourself using the number on your card or statement. Do this every single time, even if it seems urgent.

  2. Verify independently before panicking. If a call claims your account is compromised, hang up, open your bank's mobile app directly (do not click any link), log in, and check your statement. If you see suspicious activity, then—and only then—call the bank's official number. The scammer is counting on your panic to prevent this step.

  3. Never click links in unsolicited messages, even if they look official. Open your bank's app directly instead. Type the URL yourself into your browser. Better yet, call the bank to confirm the message is real. This costs five minutes and saves ₹2 lakhs.

  4. Treat your OTP like your PIN. Tell no one. Share it with no one. Even if someone claims to be from the bank, the RBI, or the government, they do not need your OTP. If they are asking for it, they are scamming you. The OTP is the final gate. Once it is given, the money is gone.

  5. Be suspicious of job offers that arrive unsolicited, especially with unusually high salaries. Verify through the company's official website. Call the HR department directly (do not use numbers from the email). Ask for details that only a real company would know. If they ask you for money—for processing, for equipment, for travel—it is a scam. Period.

  6. Check the sender's phone number and email domain carefully. Scammers use numbers that look similar to real ones (your bank's official helpline is a published line you can verify; a personal mobile number claiming to be the bank is not). Email addresses matter: icici.com is real; iciicibank.com is not. Use a magnifying glass. Use your brain.

  7. Tell your parents and grandparents: if someone calls and creates urgency, hang up and verify. This is the single most effective defense. Scammers prey on people who do not verify because they trust the authority. Removing that trust is the entire defensive strategy.
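The lookalike addresses in the SMS example earlier (sbibank-unlock.verify.com) and in point 6 (iciicibank.com) both work the same way: the eye reads the brand name and skips the part of the hostname that actually decides where the link goes. The script below is an added example, not code from the original article or from any bank. It pulls the registrable domain out of a link, checks it against a small allowlist, and flags hostnames where a brand-like label sits on an untrusted domain, covering both the brand-in-subdomain trick and one-character typosquats. The allowlist is constructed from the article's own examples and would be replaced with the bank's published domains; the suffix list, filler words and the sample SMS are simplified constructed inputs.

```python
import re
from urllib.parse import urlparse

# Allowlist constructed for illustration from the article's own examples.
# A real deployment would take these from the bank's published domains.
TRUSTED_DOMAINS = {"icici.com", "hdfcbank.com", "paytm.com", "sbi.co.in"}

# Simplified stand-in for the public suffix list: suffixes that occupy two labels.
MULTI_LABEL_SUFFIXES = {"co.in", "net.in", "org.in", "gov.in", "ac.in", "co.uk"}

# Filler words scammers bolt onto a brand name to make a hostname look official.
FILLER_WORDS = ("bank", "secure", "verify", "online", "unlock", "login", "care", "support")

# Matches http(s) links and bare domains such as sbibank-unlock.verify.com/unlock.
URL_RE = re.compile(r"https?://[^\s<>\"']+|(?<![\w.])(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that its owner actually registered.

    'sbibank-unlock.verify.com' -> 'verify.com'; 'online.sbi.co.in' -> 'sbi.co.in'.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize_label(label: str) -> str:
    """Strip filler words, digits and punctuation so only the brand-like core remains."""
    label = label.lower()
    for word in FILLER_WORDS:
        label = label.replace(word, "")
    return "".join(ch for ch in label if ch.isalpha())


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typosquats like 'iciici' vs 'icici'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Brand core of each trusted domain: 'hdfcbank.com' -> 'hdfc', 'sbi.co.in' -> 'sbi'.
BRAND_TOKENS = {normalize_label(d.split(".")[0]): d for d in TRUSTED_DOMAINS}


def resembles_brand(label: str):
    """Return the trusted domain a hostname label imitates, or None."""
    core = normalize_label(label)
    if len(core) < 3:
        return None
    for brand, domain in BRAND_TOKENS.items():
        if core == brand or (len(brand) >= 4 and levenshtein(core, brand) <= 1):
            return domain
    return None


def classify_link(url: str) -> dict:
    """Decide whether a link actually belongs to a trusted domain or only looks like it."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return {"verdict": "invalid", "host": host, "registrable": "", "reason": "no hostname"}
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return {"verdict": "trusted", "host": host, "registrable": reg,
                "reason": f"{reg} is on the allowlist"}
    # Not trusted: does any label borrow a known brand name to look legitimate?
    for label in host.split("."):
        impersonated = resembles_brand(label)
        if impersonated:
            return {"verdict": "suspicious", "host": host, "registrable": reg,
                    "reason": f"label '{label}' resembles {impersonated} but the link goes to {reg}"}
    return {"verdict": "unknown", "host": host, "registrable": reg,
            "reason": f"{reg} is not on the allowlist and imitates no known brand"}


def scan_message(text: str) -> list:
    """Classify every link found in an SMS or chat message."""
    return [classify_link(m.group(0)) for m in URL_RE.finditer(text)]


if __name__ == "__main__":
    # Constructed sample SMS modelled on the article's example.
    sms = ("Your SBI account is locked due to suspicious login attempts. "
           "Click sbibank-unlock.verify.com/unlock to unlock.")
    for result in scan_message(sms):
        print(result["verdict"], result["host"], "->", result["reason"])
```

The point the script makes is the one the article makes in words: only the registrable domain (the last label or two) decides where a link goes, and everything to the left of it is text the registrant chose freely. A bank's name appearing there proves nothing. The edit-distance check is deliberately loose (one character) because the goal is to raise a flag for a human to verify by calling the bank, not to decide on its own.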

One final thought: social engineering will not stop because it works too well and costs the scammer almost nothing. What can change is how you respond to it. Every time you hang up on a suspicious call and verify independently, you are not just protecting yourself. You are also, unknowingly, wasting the scammer's time. They need volume. If enough people break the chain by verifying, the economics of the scam collapse.

That is not much. But it is something.
