In cybersecurity, many of the most successful scams aren’t new, they’re decades old. Social engineering relies on human behavior, not technology, and human habits don’t change much. Whether it’s email, phone, or text, attackers exploit trust, fear, and urgency to manipulate people into taking quick actions.
Despite modern defenses like spam filters, multi-factor authentication, and awareness training, old techniques continue to evolve and find success. Below are five classic social engineering tactics that have survived for years, and are still stealing money, data, and access today.
This scam dates back to the early days of workplace email, yet it remains one of the most common corporate frauds.
An employee receives an urgent message that appears to come from a manager or executive:
Hey, I need a few $100 Apple gift cards for a client. I’m in a meeting, please send me the codes once you buy them.
The attacker spoofs or mimics the boss’s email address or phone number and counts on employees’ willingness to help. Once the victim sends the codes, the scammer redeems them immediately, leaving no traceable transaction.
Why it works: It uses authority and urgency - two powerful psychological levers to override skepticism.
Text-based scams are as old as SMS itself. A typical message says:
Your package couldn’t be delivered. Please confirm your address here: [malicious link].
Clicking the link can lead to a fake tracking site that steals credentials or installs malware. The rise of online shopping has only made this trick more believable.
Why it works: People receive legitimate delivery updates daily, so they’re conditioned to act quickly when they think a package is waiting. Having three to five different delivery companies, each with its own communication channels and procedures, makes this process even more complex, causing the victim to lose track and overlook potential threats.
The tech support scam has been around for over a decade and remains one of the most persistent phone-based threats. Attackers pose as representatives from Microsoft, Apple, or an internet provider and claim your computer is infected. The interaction might start with an incoming call, or the victim may initiate the call after receiving an email containing the phone number.
We’ve detected a serious issue with your device. Please give us remote access so we can fix it.
Once connected, they can install malware, demand payment for fake services, or harvest sensitive data.
Why it works: A professional tone and technical jargon make the scam sound credible, while fear of being hacked pushes people to comply quickly.
Impersonation scams targeting finance departments are a long-standing favorite among cybercriminals. Attackers send a convincing invoice or payment request that looks like it’s from a known supplier or partner.
Please confirm this month’s payment to avoid account suspension.
If the victim transfers funds or opens a malicious attachment, the attacker profits immediately.
Why it works: It blends seamlessly into everyday business operations and exploits routine processes where trust is high and time is limited.
Perhaps the oldest trick in digital history, this tactic preys on the universal fear of losing account access. Victims receive an email claiming to be from Google, Microsoft, or another trusted service:
We detected unusual activity. Please reset your password immediately.
The link leads to a fake login page designed to capture credentials, which are your “old” and “new” password.
Why it works: It mimics legitimate security alerts and creates panic, making victims act before verifying authenticity.
Even as technology evolves, human psychology stays the same. Scammers don’t need cutting-edge exploits when the weakest point in any system is still the person using it. A message that feels urgent, authoritative, or helpful can override logic and training in seconds.
Classic techniques like phishing, vishing, and smishing succeed not because they’re sophisticated, but because they’re familiar they blend in with the noise of everyday communication. Traditional awareness training often fails because people think: That would never happen to me
We learn best through experience, and that’s why realistic simulations in security training are so effective. They create genuine reactions, help people recognize real threats faster, and make them far less likely to repeat the same mistake.
Lana Kuzmina is a Cyber Threat Analyst at revel8, specializing in OSINT, threat actor tracking, and intelligence reporting. With experience across early threat detection and malware research, she brings a sharp eye for uncovering emerging attack techniques and translating them into actionable insights for defenders.
