Social engineering is increasingly recognised as a dominant threat vector in the modern cybersecurity domain. Unlike traditional hacking, which exploits software vulnerabilities, social engineering attacks manipulate human behavior to bypass even the most secure technical systems. The attack methods, ranging from phishing, baiting, vishing, and tailgating to pretexting, are designed to psychologically exploit individuals, making human error the weakest link in cybersecurity.
Internationally, social engineering has cost businesses and governments billions of dollars annually. In the United States (US), the Federal Bureau of Investigation (FBI) reported over $2.4 billion lost due to Business Email Compromise (BEC) schemes in 2021 alone.
The European Union (EU) has similarly flagged spear phishing and identity impersonation as major national threats. Countries like Germany and Australia have made cybersecurity education mandatory at corporate and school levels.
Pakistan, on the other hand, is still catching up. The country is experiencing a rapid digitisation boom with e-governance platforms, digital banking, and healthcare records moving online. Yet, cyber literacy remains low.
According to the Pakistan Telecommunication Authority (PTA), over 50% of internet users in Pakistan are unaware of basic digital hygiene practices. Coupled with an inadequate legal framework, limited law enforcement training, and cultural over-reliance on trust, the environment becomes fertile ground for cybercriminals.
Significance
The importance of understanding social engineering within Pakistan cannot be overstated. As the country increasingly relies on digital platforms to provide services, manage finances, and maintain citizen records, the risks associated with human-centric cyberattacks are rising exponentially.
From a national security perspective, breaches involving government personnel or sensitive state data could have serious geopolitical implications. For instance, an attack on NADRA (National Database and Registration Authority) could compromise identity records of millions, allowing adversaries to forge documents or disrupt public service delivery.
Social engineering in Pakistan is a growing threat that exploits human psychology more than technological flaws. The attacks are diverse in technique, frequent in occurrence, and devastating in their impact on both individuals and institutions.
Economically, businesses, especially in the banking and fintech sectors, are frequent targets. In 2022, a leading Pakistani bank reportedly lost over Rs200 million through a combination of phishing and social engineering attacks targeting its call center staff. Beyond monetary loss, such incidents cause reputational damage and customer mistrust, leading to long-term operational setbacks.
On a societal level, the attack vectors disproportionately affect women and the elderly. Numerous cases have been documented where women were manipulated into revealing One-Time Passwords (OTPs) or digital wallet credentials under false pretenses. Hence, understanding and mitigating these threats is essential for inclusive digital safety.
Social engineering attacks have evolved into a sophisticated toolset used by cybercriminals worldwide. The tactics involve exploiting cognitive biases such as authority, urgency, fear, and curiosity. These strategies bypass technological barriers and directly target human behavior.
Global types and trends
- Phishing: The most common vector globally. In 2022, Google blocked over 100 million phishing emails daily.
- Spear phishing: Targeted attacks, often impersonating executives. Used in the infamous Sony Pictures hack.
- Business Email Compromise (BEC): Losses of $43 billion globally from 2016–2021.
- Pretexting: Fraudsters impersonate banks or tax departments to solicit sensitive data.
- Baiting: Leaving malware-infected USBs in public areas.
Effects on narratives
Social engineering reshapes public narratives by creating and passing on “alternative facts” that get remembered in popular imagery, far beyond the time when the truth is usually recalled. This is “narrative engineering”-using deception to control discourses.
1. Creating echo chambers and polarisation
Platforms algorithmically elevate sensational content, enabling social engineers to flood feeds with tailored lies. For instance, spread “fascist” hyperbole, deepening divides in society and forms the narratives of the candidates in people’s minds: one side perceives a “savior,” the other a “threat”, at the cost of nuance.
2. Amplifying propaganda and sstroturfing
Pseudo social movements astroturfing: They give the appearance of popular support. State actors post coordinated disinformation to shape global opinion on issues. In cyberspace, artificial intelligence (AI) chatbots generate thousands of posts hourly, creating the illusion of organic consensus.
Psychological impact: It exploits cognitive biases, such as confirmation bias, making false narratives feel intuitive. One study in 2022 found that social engineering-based scams succeed 70% of the time by building emotional “stories” of victimhood or heroism.
3. Long-term changes in society
Stories continue to be told after the movements developed from social-engineered threads of conspiracy. By 2025, AI-embedded tools have blurred lines between intentional disinformation and viral misinformation, eroding institutional trust. Public discourse analysis reveals that cybercrime narratives, informed policy debate; 25% of online conversation is skewed by bots.
Pakistani context
Pakistan has seen a surge in social engineering due to the following:
- Low cyber hygiene: The public is often unaware of red flags.
- Language barriers: Many scams occur in Urdu or Roman Urdu, bypassing English-based filters.
- Cultural trust: Attackers exploit familial trust and polite social behavior.
Real cases
1. NADRA data leak (2020): Alleged social engineering of an insider led to a data leak of millions.
2. Mobile wallet fraud (Jazz Cash & Easy Paisa)—Attackers pose as relatives, requesting urgent transfers.
3. PTA Staff Impersonation (2021)—Victims gave over SIM details after receiving calls from fake PTA numbers.
4. Job Scam Emails—Youth targeted with fake job offers leading to identity theft.
These attacks are not just technical problems; they are socio-psychological crises in a rapidly digitizing society.
Prevalent type of cyber fraud involves receiving unwanted WhatsApp messages declaring the recipient a winner of large cash prizes. Scammers often use fake prize letters with official-looking logos of different TV channels or government bodies to give an air of credibility. Victims are then told that they have to make a “registration” or “tax” fee payment, usually in thousands or tens of thousands of rupees, through mobile money services. Needless to say, this is a completely fabricated scheme, about which authoritative sources have sent more than one warning. Once the payment is made, the scammer breaks all contact, leaving the victim out of pocket.
In another common scam, people receive fraudulent calls wherein the caller claims to be a bank officer. The caller tries to alarm the victim with claims that their account is about to get blocked or suspended. Under this pretext of urgency, they ask for highly sensitive information, such as CNIC number, OTPs, or an account PIN. The actual scenario is that no valid institution can ever call and ask for confidential passwords and PINs over the phone. The motive behind this call is solely to capture personal data in order to access the victim’s account without permission and extract funds.
Scammers also take advantage of social welfare programmes by sending fake messages on programmes that include the Benazir Income Support Programme. These messages promise hefty amounts of money to innocent people, asking them to call a number with the information on their eligibility and how to process the payment.
Fake job ads are another major threat that are mostly published on online job portals like Facebook and OLX. Another highly threatening hoax involves calls or WhatsApp from people claiming to be the Federal Investigation Agency (FIA) or police. Aggressively, the caller tells the victim that their number has been involved in criminal activities and asks them to pay a heavy fine without going into lengthy and complicated court proceedings or summoning them to their office.
This demonstrates that social engineering in Pakistan is a growing threat that exploits human psychology more than technological flaws. The attacks are diverse in technique, frequent in occurrence, and devastating in their impact on both individuals and institutions.
While global examples offer blueprints for prevention, Pakistan needs a context-specific approach tailored to its sociocultural and linguistic landscape. A national strategy must be designed that includes legal, educational, and technical reforms.
Social engineering must no longer be seen as a niche or rare problem. It is a central challenge in Pakistan’s journey toward a secure digital future.
The author is former IGP KPK/Gilgit-Baltistan/ex DG FIA and PhD in law, currently visiting faculty in law university Karachi.



















Comments
Comments are closed for this article.