
Social engineering attacks: What every bank executive needs to know now

Social engineering attacks have rapidly become the dominant threat in digital banking and payments. In 2024, 59% of banking leaders in North America reported a rise in social engineering scams, per Datos Insights. Artificial intelligence, instant payment rails, and regulatory shifts are escalating the threat. Unlike traditional cyberattacks, social engineering fraud targets people—not systems—bypassing device- and channel-based security controls. Forward-thinking leaders now recognize that unchecked social engineering can create severe operational, financial, and reputational risks. Fortunately, resilient, customer-friendly defenses exist.
What are social engineering attacks? How are they different from traditional cyberthreats?
Social engineering attacks leverage human psychology—trust, urgency, fear, or authority—to trick customers or bank staff into disclosing sensitive information, overriding good judgment, or sending funds to a fraudster. Unlike technical exploits (malware, brute-force attacks), social engineering works by manipulating a person rather than a system or machine.

Traditional attacks: Exploit system weaknesses.

Social engineering attacks: Exploit human nature, often through phishing, vishing, or impersonation scams.

Most technical and regulatory controls are designed to validate devices or credentials, but social engineering techniques manipulate legitimate users into bypassing those controls themselves.
The main social engineering attack types affecting banks today
Phishing and smishing

Phishing (fraudulent emails) and smishing (fraudulent texts/SMS) impersonate brands or individuals to elicit sensitive information or credential submission. These attacks are now enhanced with AI-generated content, deepfakes, and domain spoofing for realism and scale.

Vishing and call center social engineering

Vishing involves fraudulent phone calls from criminals impersonating bank staff, IT, or regulators, sometimes using spoofed caller ID. Fraudsters may convince bank employees to reset credentials or process unauthorized payments by exploiting urgency or protocol gaps.

Authorized push payment (APP) scams

APP scams are one of the fastest-rising fraud vectors. Customers are manipulated into authorizing push payments to criminal accounts. APP fraud is difficult to prevent or remediate as the action is “voluntary”—even though it is coerced. US losses to APP fraud are projected to double from $8.3 billion in 2024 to $15 billion by 2028.

Impersonation scams

Impersonation attacks often take the form of:
  • Bank staff, law enforcement, or government impersonation: For example, urgent calls about “fraud” or “locked accounts.”
  • Family/friend scams (“grandparent scams” or romance fraud): manipulating emotion and trust.
  • Business Email Compromise (BEC): Fake or hijacked business email correspondence to redirect payments or steal information.
Why do social engineering attacks bypass traditional controls like SCA?
Strong Customer Authentication (SCA), device fingerprinting, and even behavioral analytics are designed to spot unauthorized use. Social engineering scams, however, convince legitimate account holders to provide access or initiate transactions themselves.

Attackers now employ AI to craft hyper-personalized scams and can even clone voices for callback fraud, further negating traditional controls.
How do these threats exploit real-time payments, Zelle/P2P, and instant transfers?
APP and real-time payment fraud thrive in environments where transactions are instant and irreversible, which sharply shortens the windows for fraud detection and recovery. The proliferation of Zelle and other P2P payment channels makes it easier for criminals to move and launder stolen funds via mule accounts. Real-time payment APP scam losses are projected to make up 80% of total APP scam values by 2028.
The cost of inaction
Not taking decisive, visible action on social engineering fraud exposes financial institutions (FIs) to:

  • Financial losses: Direct (reimbursements, credits, unrecovered losses) and indirect (higher operating and compliance costs).
  • Regulatory pressure: UK, EU, and other regions are enacting mandatory victim reimbursement for APP and social engineering fraud.
  • Reputational harm: Up to 30% of US scam victims switch banks after a scam incident.
  • Customer impact: Permanent loss of life savings, emotional trauma, and churn.
  • Operational burden: Increased volumes of fraud investigations and compliance verifications.
Steps to protect your FI from social engineering attacks
  1. Deploy multi-layered, context-aware authentication: Upgrade from static passwords and OTPs to behavior, device, and context-based checks, plus biometric or strong app-linked authentication.
  2. Adopt dynamic fraud detection and AI-powered risk scoring: Use real-time analytics and risk-adaptive authentication, integrating data from across channels to spot suspicious behavior and intent.
  3. Strengthen customer and staff education: Regularly update training and client-facing alerts to reflect the latest social engineering tactics and illustrate real-world scam scenarios.
  4. Implement real-time payment holds or warnings: For flagged or high-value transactions, consider a mechanism to dynamically delay the transaction, or add out-of-band confirmation or warning steps that give customers a chance to reconsider.
  5. Increase data sharing and collaboration: Participate in industry initiatives for sharing fraud insight, mule account identification, and scam typology updates.
  6. Prepare for regulatory change and reimbursement: Monitor emerging rules and ensure policies are aligned to minimize future liability.
  7. Monitor, benchmark, and review regularly: Establish KPIs on fraud detection rates, customer impact, and control performance. Benchmark against sector leaders and regulatory minimums.
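Steps 1, 2 and 4 above combine into a single decision point: score a push payment on its context, then allow it, warn the customer, or hold it pending out-of-band confirmation. The following is an added illustration written for this post, not Entersekt's product or code; the signal names, weights, thresholds and the "active phone call during the session" signal are constructed assumptions.

```python
"""Added example: a context-aware hold/warn policy for real-time push payments.
All signals, weights and thresholds below are assumptions, not Entersekt's."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    WARN = "warn"   # show a scam warning; the customer may still proceed
    HOLD = "hold"   # delay the payment and require out-of-band confirmation


@dataclass
class Payment:
    amount: float
    avg_30d_amount: float          # customer's typical transfer size
    new_payee: bool                # first payment to this account
    instant_rail: bool             # P2P / real-time rail: irreversible once sent
    recent_credential_reset: bool  # reset within 24h, e.g. after a call-centre contact
    active_phone_call: bool        # assumed signal: customer is on a call while paying


def risk_score(p: Payment) -> int:
    """Additive score on a 0-100 scale; weights are illustrative assumptions."""
    score = 0
    if p.new_payee:
        score += 30
    if p.instant_rail:
        score += 20
    if p.avg_30d_amount > 0 and p.amount > 3 * p.avg_30d_amount:
        score += 25   # unusually large relative to the customer's own history
    if p.recent_credential_reset:
        score += 20
    if p.active_phone_call:
        score += 30   # coached-in-real-time APP scams typically happen on a call
    return min(score, 100)


def decide(p: Payment, warn_at: int = 40, hold_at: int = 70,
           hold_minutes: int = 60) -> tuple:
    """Return (Decision, delay in minutes); only HOLD carries a delay."""
    score = risk_score(p)
    if score >= hold_at:
        return Decision.HOLD, hold_minutes
    if score >= warn_at:
        return Decision.WARN, 0
    return Decision.ALLOW, 0


def release_held_payment(confirmed: bool, via_originating_channel: bool) -> bool:
    """Release only on confirmation through a channel the fraudster does not
    control (e.g. a push to the enrolled app), never via the same call or SMS."""
    return confirmed and not via_originating_channel
```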
Further resources
If you want to explore how to better protect your customers from social engineering scams, contact Entersekt.