They Didn’t Hack a System. They Hacked a Person

A real social engineering attack – broken down so you can spot it before it’s too late. 

This week, someone nearly lost a significant sum of money to a social engineering attack. Not because they were careless, or naive, or bad with technology. Because the attack was good. Meticulously staged, psychologically precise, and designed to exploit the exact instincts we’ve been trained to trust. 

Here’s how it unfolded. 

Stage One: The Setup Call 

It started with a phone call from what appeared to be Bank A’s fraud team. 

The caller was calm, professional, and credible. They mentioned “unusual activity” on the account – vague enough to feel real, specific enough to feel urgent. Then they did something clever: they said they’d sent a text message to verify the call was genuine. 

The text arrived, and it looked completely legitimate: it appeared in the same conversation thread as Bank A’s real messages, under the same sender ID. That is not hard to achieve. The sender ID a phone displays is a free-text field set by whoever submits the message to an SMS gateway, and handsets group messages by that string alone, so a message sent from an attacker’s gateway account in the bank’s name is filed alongside the bank’s genuine messages. This is known as SMS spoofing, and it’s more accessible to attackers than most people realise. A text sent by the caller cannot verify the caller. 
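To make concrete why a text cannot authenticate a caller, here is an added example, not code from the original article: it encodes and then parses the SMPP 3.4 submit_sm PDU that an SMS gateway client sends when originating a message, and groups the delivered messages the way a handset does, by the displayed sender string. The sender ID "BankA", the recipient number (from Ofcom’s reserved 07700 900xxx fictional range) and both message texts are constructed for the example, and thread_inbox is a deliberate simplification of handset behaviour, not any vendor’s code.

```python
from __future__ import annotations
import struct

# SMPP 3.4 constants: command id, type-of-number and numbering-plan values
SUBMIT_SM = 0x00000004
TON_INTERNATIONAL = 0x01
TON_ALPHANUMERIC = 0x05   # source_addr is a text label such as "BankA", not a phone number
NPI_ISDN = 0x01
NPI_UNKNOWN = 0x00


def _cstr(s: str) -> bytes:
    """SMPP C-octet string: ASCII bytes followed by a NUL terminator."""
    return s.encode("ascii") + b"\x00"


def build_submit_sm(sender_id: str, dest_msisdn: str, text: str, seq: int = 1) -> bytes:
    """Encode a minimal submit_sm PDU, the request a gateway client sends to originate an SMS.

    source_addr is whatever the submitting client puts in the field; the PDU carries no
    proof of who submitted it, which is all that sender-ID spoofing relies on.
    """
    body = (
        _cstr("")                                     # service_type (default)
        + bytes([TON_ALPHANUMERIC, NPI_UNKNOWN])      # source_addr_ton, source_addr_npi
        + _cstr(sender_id)                            # source_addr: the string the handset displays
        + bytes([TON_INTERNATIONAL, NPI_ISDN])        # dest_addr_ton, dest_addr_npi
        + _cstr(dest_msisdn)                          # destination_addr
        + bytes([0, 0, 0])                            # esm_class, protocol_id, priority_flag
        + _cstr("") + _cstr("")                       # schedule_delivery_time, validity_period
        + bytes([0, 0, 0, 0])                         # registered_delivery, replace_if_present_flag,
                                                      # data_coding (GSM default), sm_default_msg_id
        + bytes([len(text)]) + text.encode("ascii")   # sm_length, short_message
    )
    # header: command_length, command_id, command_status, sequence_number (all big-endian u32)
    header = struct.pack("!IIII", 16 + len(body), SUBMIT_SM, 0, seq)
    return header + body


def _read_cstr(buf: bytes, pos: int) -> tuple[str, int]:
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1


def parse_submit_sm(pdu: bytes) -> dict:
    """Decode the submit_sm fields that determine what the recipient sees."""
    length, cmd_id, _status, seq = struct.unpack("!IIII", pdu[:16])
    if cmd_id != SUBMIT_SM or length != len(pdu):
        raise ValueError("not a well-formed submit_sm PDU")
    pos = 16
    _, pos = _read_cstr(pdu, pos)                     # service_type
    src_ton = pdu[pos]; pos += 2                      # source_addr_ton, source_addr_npi
    sender, pos = _read_cstr(pdu, pos)                # source_addr
    pos += 2                                          # dest_addr_ton, dest_addr_npi
    dest, pos = _read_cstr(pdu, pos)                  # destination_addr
    pos += 3                                          # esm_class, protocol_id, priority_flag
    _, pos = _read_cstr(pdu, pos)                     # schedule_delivery_time
    _, pos = _read_cstr(pdu, pos)                     # validity_period
    pos += 4                                          # registered_delivery .. sm_default_msg_id
    sm_len = pdu[pos]; pos += 1
    text = pdu[pos:pos + sm_len].decode("ascii")
    return {"seq": seq, "sender": sender, "sender_is_alphanumeric": src_ton == TON_ALPHANUMERIC,
            "dest": dest, "text": text}


def thread_inbox(pdus: list[bytes]) -> dict[str, list[str]]:
    """Simplified handset behaviour: conversations are keyed on the displayed sender string alone.

    Nothing in the PDU ties source_addr to the account that submitted it, so a message from a
    fraudster's gateway account with source_addr "BankA" lands in the same thread as the bank's
    own messages. That is why "we've just sent you a text" proves nothing about the caller.
    """
    threads: dict[str, list[str]] = {}
    for pdu in pdus:
        msg = parse_submit_sm(pdu)
        threads.setdefault(msg["sender"], []).append(msg["text"])
    return threads


# Constructed sample traffic: fictional sender ID, recipient in the reserved UK 07700 900xxx range.
RECIPIENT = "447700900123"
GENUINE = build_submit_sm("BankA", RECIPIENT, "BankA: a new payee was added to your account.", seq=1)
SPOOFED = build_submit_sm("BankA", RECIPIENT, "BankA: this text confirms our call with you today.", seq=2)

if __name__ == "__main__":
    for sender, texts in thread_inbox([GENUINE, SPOOFED]).items():
        print(sender)
        for t in texts:
            print("   ", t)
```

Running it prints a single "BankA" thread containing both messages. The only thing that distinguishes the two submissions is the gateway account they came from, and that never reaches the handset; blocking of protected sender IDs, where a network operates it, happens upstream of the phone, not in the message format.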

The caller then mentioned they’d need to report the suspicious activity to the FCA (Financial Conduct Authority), and, almost as an aside, asked: “Do you use any other banks?” 

It felt like routine due diligence. It wasn’t. 

Bank B was mentioned. The call ended. The person believed the fraud had been caught and resolved. 

What actually happened: Stage one was purely intelligence gathering. The goal wasn’t to take anything yet. It was to establish trust, learn which banks were in play (and therefore where the money actually was), and hand off a believable story to the next caller. 

 

Stage Two: The Closer 

A short while later, the phone rang again. This time: Bank B’s fraud team, calling about “a report they’d received.” 

Of course they were. Stage one had just created that report. 

The second caller was equally professional. To build further credibility, they invited the person to web search the phone number – go on, check it yourself, you’ll see it’s our fraud team. And it checked out. 

This is a tactic worth understanding. The number shown on a handset is presented by the calling side and is generally not verified end to end, so a fraudster can display the bank’s genuine fraud-team number, and a search for it will naturally return the bank’s own pages. Alternatively, the number is the fraudster’s own, seeded into directory listings and “who called me” sites that search engines rank highly. Either way, a search result only tells you who a number is listed as belonging to; it says nothing about who is actually on the line. 

Then came the ask. 

The caller asked whether the person had access to any online-only banks. When the answer was yes, they began explaining that for security purposes, funds needed to be moved to a “transition account” – a temporary holding account at Online Bank C while the fraud investigation was completed. This is the “safe account” step that every version of this scam builds towards. No bank will ever ask a customer to move money to another account to protect it; the “transition account” belongs to the fraudsters, and the money is gone the moment the transfer is sent. 

This is the moment. 

Everything up to this point – the spoofed text, the FCA mention, the intel handoff, the searchable number – had been building to this: getting the person to willingly initiate a transfer themselves. A payment the customer authorises is far harder to recall than an unauthorised one, which is why the whole setup is aimed at it. 

This time, something clicked. The person recognised the pattern, ended the call, and didn’t transfer a penny. 

 

Why This Attack Is So Effective 

This isn’t a new scam. It’s commonly called an Authorised Push Payment (APP) fraud, a bank impersonation scam, or a “safe account” scam. But what makes this version particularly dangerous is the two-stage architecture. 

Most awareness training focuses on a single suspicious call. This attack uses the first call to make the second call trustworthy. By the time the real ask arrives, the groundwork has been so thoroughly laid that the request feels like the logical conclusion of something that started earlier. 

Key psychological levers being pulled: 

  • Authority – FCA mentions, fraud team branding, professional tone 
  • Social proof – “search our number, you’ll see it’s legitimate” 
  • Urgency without panic – calm urgency is far more effective than high-pressure tactics; it disarms scepticism 
  • Consistency – each stage reinforces the last, building a coherent narrative 
  • Reciprocity – they “helped” with Bank A first; now Bank B needs a small favour in return 

 

What To Do If This Happens to You 

  1. Hang up. Even if it feels rude. Even if they sound completely legitimate. A genuine bank will not object to you ending the call and ringing back. 
  2. Call your bank back on the number on the back of your card or from the official website – not one provided in the call or text. Use a different phone if you can, or wait a few minutes before dialling. Many UK banks can also be reached by dialling 159. 
  3. Report it to your bank, and to Action Fraud (UK: 0300 123 2040 / actionfraud.police.uk). 
  4. Tell people. The most effective defence against social engineering is knowing what it looks like.