It started with a phone call. Which, in retrospect, is how these things always start.
“Hi, is this Sara?” The voice was warm. Friendly. The kind of voice that belongs to someone who coaches youth soccer on weekends. “This is Dave, calling from Visa’s fraud prevention team. We’ve flagged some unusual activity on your account and I just wanted to get you taken care of quickly.”
Unusual activity. Those two words did exactly what Dave needed them to do. My stomach dropped a little. I was already paying attention.
“Oh no — what kind of activity?”
“A few charges out of state, looks like possibly Florida. Did you make a purchase of $847 at a sporting goods store in Tampa this morning?”
I did not make a purchase of $847 at a sporting goods store in Tampa this morning. I have never voluntarily been to Tampa.
“No, that wasn’t me.”
“That’s what I thought,” Dave said, with the reassuring tone of someone who deals with this every day and has seen it all. “We’re going to take care of this, don’t worry. I just need to verify a couple of things to confirm your identity before we put a hold on the account.”
And then Dave paused. Not a business pause. A human pause.
“Sorry, I can hear a dog in the background — is that yours?”
It was. It was my dog, Rosie, losing her mind at a squirrel that had the audacity to exist in her yard.
“Yeah, that’s Rosie. She’s — she’s having a moment.”
Dave laughed. A genuine, warm laugh. “Oh I know. I have a beagle named Captain. Complete disaster of an animal. Obsessed with garbage. We had to get a lock for the kitchen trash can.”
I laughed too. I couldn’t help it. Because that is exactly the kind of thing a beagle would do, and in thirty seconds Dave had transformed from a stranger on the phone into a fellow dog owner who understood the particular chaos of sharing a home with a small irrational animal.
We talked about Captain for a moment. His tendency to steal socks. His complete lack of shame about it. I told him about Rosie’s squirrel vendetta.
And then Dave, warm lovely dog-owning Dave, said: “Okay, so to verify your identity I just need your full card number, the expiration date, and the three-digit code on the back.”
I had already started reaching for my wallet.
I want you to sit with that for a second. I — someone who has spent twenty years in IT security, who has literally given talks about this exact type of attack — had my hand on my wallet.
Because Dave wasn’t a shadowy hacker. Dave was a guy with a beagle named Captain. And somewhere in the previous two minutes, my brain had filed him under “safe.”
That’s social engineering. It’s not about tricking stupid people. It’s about being human at you until your guard drops, and then making an ask that feels reasonable in the moment.
I caught myself. Put the wallet down. Told Dave I’d call the number on the back of my card to continue the conversation. Dave, somewhat predictably, got a little less friendly at that point. Funny how that works.
Here’s what to watch for:
The warmth is the setup. The ask is the payload. Every social engineer worth their salt knows you don’t lead with the thing you want — you lead with connection. A shared laugh about a dog, a commiserating comment about kids, a moment of genuine-feeling human warmth. By the time the ask comes, you’re not talking to a stranger anymore. You’re talking to Dave.
When someone creates urgency and rapport in the same phone call, that combination should set off a quiet alarm in the back of your head.
The rule is simple: if someone calls you, hang up and call back on a number you find yourself. Your bank’s number is on the back of your card. Apple’s is on their website. The IRS doesn’t call you — they write letters, like it’s 1987, because that’s apparently still how they do things.
And if someone tries to bond with you over your dog before asking for your credit card number?
Tell Captain I said hi. Then hang up.
