Someone Tried to Scam Me Last Week — Here's Exactly How It Worked

I want to be upfront about something: I am studying cybersecurity. I understand social engineering techniques. I have read about them, practised identifying them in labs, and written about them on this blog. And last week, I almost fell for one.

Not because I was stupid. Not because I wasn't paying attention. But because the attack was well-executed, exploited the right psychological levers at the right time, and I was in the middle of genuinely looking for an internship when it arrived. Context matters enormously in social engineering — attackers know this and exploit it deliberately.

I'm writing this because the experience taught me more about how these attacks work in practice than anything I've studied theoretically. And because most social engineering awareness guides describe generic scenarios, not real attacks with the psychological mechanics explained step by step.

Here is the full story and exactly what the attacker did.

Note on identifying details: I've changed some specific details (exact company names used, specific messaging platform) to avoid giving active scammers a ready-made script. The psychological techniques and progression are accurate and real.

What this guide covers:
  1. How the scam started — the initial contact
  2. Phase 1: Building credibility through research
  3. Phase 2: Creating rapport and investment
  4. Phase 3: The ask — where the actual scam happened
  5. Every psychological technique used, explained
  6. The complete red flags checklist
  7. What to do if you're targeted

How It Started — The Initial Contact

I received a LinkedIn connection request from someone with a convincing profile: a recruiter at what appeared to be a mid-sized Bengaluru-based cybersecurity consulting firm. The profile had 500+ connections, profile photos that looked professionally taken, an employment history going back several years, and endorsements from other accounts.

Within a day of accepting the connection, I received a message:

Attacker (posing as recruiter): Hi Amardeep! I came across your profile and I'm really impressed with your background — especially your work on API security and the PortSwigger labs you've documented. We're looking for a security research intern for our team in Bengaluru and I think you'd be a great fit. Would you be open to a brief chat this week?

My response: Hi, thanks for reaching out. Yes I'm interested in internship opportunities, happy to chat.

Nothing obviously wrong at this point. Recruiters genuinely do reach out through LinkedIn. The message was personalised to my actual work — it mentioned PortSwigger specifically, which is referenced in my public GitHub. Someone had done research on me before sending this message.

This is the first thing that makes modern scams different from old-style mass spam: they are targeted. The attacker had read my public profile before contacting me. That personalisation creates a first impression of legitimacy that generic outreach doesn't have.

Phase 1 — Building Credibility Through Research

Over the next two days we had a video call (the attacker's camera was conveniently "broken" — a detail I noted but didn't act on at the time), and several LinkedIn messages. During this phase, everything seemed normal:

  • The "recruiter" asked intelligent questions about my cybersecurity knowledge — SQL injection, XSS, penetration testing methodology. Questions I could answer. This built my confidence and made the interaction feel technically credible.
  • She mentioned specific real tools (Burp Suite, Nmap, Metasploit) correctly and in context — giving the impression of genuine security industry knowledge.
  • She described a realistic-sounding internship: working on vulnerability assessments for enterprise clients, working alongside a senior pentester, stipend of ₹15,000/month. Plausible numbers for a legitimate Indian internship.
  • She name-dropped a real Indian cybersecurity conference and mentioned their team had presented there last year. Verifiable detail — or so it seemed.

By the end of Phase 1, I had invested time in this opportunity. I had had a video call, answered technical questions well, and felt like I had made a good impression. This investment matters. Psychologically, people are reluctant to discard opportunities they have already put effort into.

Phase 2 — Creating Urgency and Exclusivity

After the video call, she messaged saying the team was very impressed and wanted to move quickly — they had two internship positions and were interviewing three candidates. She would send over a "formal screening task" for me to complete before Friday.

Technique: Artificial Scarcity and Time Pressure

Psychological Technique

Two positions, three candidates, Friday deadline. This is a classic social engineering technique — artificial scarcity creates urgency that bypasses careful deliberation. When we believe an opportunity is limited and time is short, our decision-making shifts from careful analysis to quick action. We become less critical of details because we're focused on not missing out.

How to spot it in real time:

Any opportunity that creates urgency — "act by Friday," "only 2 spots left," "I need your answer today" — deserves more careful scrutiny, not less. Legitimate employers understand that candidates need time to do due diligence. The urgency itself is a red flag.

The screening task arrived as a PDF. It was professionally formatted — company letterhead, task description, evaluation criteria. It asked me to document a simulated vulnerability assessment of a provided test domain. Legitimate sounding. I started the task.

Phase 3 — The Ask (Where the Actual Scam Happened)

The next day she messaged to check on my progress. Then, almost as an aside:

Attacker: By the way, I need to set you up with access to our internal systems for the task — I'll need to send you a temporary login via our onboarding portal. The portal requires you to verify your identity before issuing credentials. Could you share a photo of your Aadhaar card (just the front) and a selfie? Standard KYC for consultancy vendors. We process all interns through this.

This was the ask. Everything that came before — the personalised outreach, the credibility building, the video call, the technical questions, the professional task document — was preparation for this moment.

Because I had invested time and was close to a realistic opportunity, my first instinct was to comply. I had my Aadhaar card within reach. I started to open the camera.

What stopped me: a moment of deliberate pause. I am studying cybersecurity. I know what Aadhaar data is used for. I decided, before sending anything, to spend 10 minutes verifying the company independently.

The company's website existed but had been registered 4 months ago. The LinkedIn profile of the "senior pentester" she had mentioned had inconsistencies in employment dates. The conference she had name-dropped had no record of their company presenting. The "recruiter's" profile, on closer inspection, had all its connections added in the last 6 months — a manufactured network.

I had been 30 seconds from sending my Aadhaar and a face photo to a fraudster.

[Figure: Process flow of the scam, from initial contact to the ask]

Every Psychological Technique Used — Explained

🎯 Spear Phishing — Targeted Personalisation

Attack Technique

Generic scams are easy to spot because they are obviously generic — "Dear Customer," lottery wins, Nigerian princes. This attack was personalised using information I had publicly posted. Mentioning PortSwigger, my MCA programme, and my specific skills made it feel tailored and therefore legitimate. Any attacker who takes 20 minutes with Google and LinkedIn can personalise an approach convincingly.

Counter:

Personalisation does not equal legitimacy. Verify the organisation independently through means you find yourself — search the company, find their official website, call a publicly listed number. Do not rely on contact information provided by the person reaching out.

🏗️ Pretexting — Building a False Context

Attack Technique

A pretext is a fabricated scenario created to justify the ultimate request. The entire internship storyline — recruiter, technical interview, screening task, company profile — was a pretext constructed specifically to make the final ask (Aadhaar + selfie) seem like a normal and expected step in a legitimate process. When you are inside the story, each step feels logical.

Counter:

Step outside the story before any sensitive action. Before you send any document, make any payment, or share any credential — pause and ask: if I knew nothing about the context I've been given, does this request on its own seem reasonable from a stranger? If the answer is no, investigate before proceeding.

📈 Commitment and Consistency Bias

Psychological Principle

Once we've invested time and effort in something, we become psychologically committed to seeing it through — we are biased toward consistency with our past behaviour. I had invested a video call, preparation for technical questions, and partial work on a screening task. The cost of stopping felt like wasting that effort. Scammers deliberately build investment before making their real ask, because a committed target is much harder to stop than a fresh one.

Counter:

Past investment does not obligate future action. Sunk costs are gone regardless of what you do next. The question is only: does this request make sense right now, independent of what has come before? If the answer is no, it is fine to stop — your time was not wasted, you learned something.

🏢 Authority and Social Proof

Psychological Principle

The fabricated LinkedIn profile, the professional company letterhead, the name-drop of a real conference, the apparent 500+ connections — all of these constructed the appearance of authority and established presence. We are conditioned to comply more readily with requests that come from apparent authority. Professional appearance and social connections are easy to fake with a week of setup work.

Counter:

Verify authority through independent channels. A professional-looking profile is not verification of anything. A company website is not verification. The actual verification steps are: search the company registration, find employees via other platforms (not the one the contact is on), check when social media accounts and websites were created.

🎁 Reciprocity — The "Too Good to Be True" Offer

Psychological Principle

The internship offer was designed to be attractive without being unbelievably so — ₹15,000 stipend (reasonable), interesting technical work (appealing to a cybersecurity student), flexible timeline (accommodating). It was positioned as valuable without triggering the "this sounds fake" response that an extreme offer would. When something is genuinely attractive, we naturally want to believe it is real — and this desire to believe inhibits critical evaluation.

Counter:

Apply more scrutiny to opportunities you want to be real, not less. The emotional investment in a genuinely appealing offer is exactly when critical thinking is most needed.

The Red Flags I Missed in Real Time

🚩 Red Flags — In Chronological Order

  • Camera "broken" on the video call. Legitimate recruiters very rarely have broken cameras during scheduled interviews. This protects the attacker from being identified later.
  • LinkedIn profile with 500+ connections all added in 6 months. Real long-term profiles have connections built over years. Mass-added connections suggest a manufactured network.
  • Request for KYC documents from a first-contact recruiter. Legitimate companies do not request Aadhaar before issuing an offer letter. KYC happens during formal onboarding with proper documentation, not via WhatsApp from a recruiter.
  • Urgency around an unsolicited opportunity. "Only 2 spots, decide by Friday" — legitimate employers give candidates reasonable time. Urgency exists to prevent you from doing verification.
  • Company website registered within the last 6 months. Easily checked with a WHOIS lookup. A 4-month-old website claiming to be an established consultancy is a red flag.
  • Unverifiable claims. Conference presentation that couldn't be found. Specific client names that couldn't be verified publicly. When claimed credentials cannot be independently confirmed, treat them as unconfirmed.

What to Do If You're Being Targeted Right Now

✅ Immediate Steps

  • Do not comply with any request while considering this. The urgency is manufactured. Whatever the supposed deadline, taking 30 minutes to verify will not cause you to miss a legitimate opportunity.
  • Verify the company independently. Use Google, not links provided by the contact. Check the company registration on the MCA21 portal (India). Check when the website domain was registered (WHOIS lookup). Find the company on LinkedIn through search, not through the recruiter's profile.
  • Never provide Aadhaar, PAN, or biometric information to an unverified contact. No legitimate company requires these from a recruiter via WhatsApp or LinkedIn messages. Formal KYC happens through official, documented processes.
  • Call a publicly listed number. If the company is real, they will have a publicly listed phone number that you find yourself. Call that number and ask to confirm the recruiter works there.
  • Report it. In India: cybercrime.gov.in. Report the LinkedIn profile directly. If you've already shared documents, contact the UIDAI helpline (1947) immediately.
If you've already shared your Aadhaar: Contact UIDAI at 1947 immediately. You can lock your Aadhaar biometric data through the mAadhaar app or the UIDAI portal — this prevents fraudulent biometric authentication even if your Aadhaar number and photo are in the attacker's hands. Do this immediately, not later.
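The "check when the website domain was registered" step above is easy to automate. This is an added example, not code from the original post: it parses an RDAP domain record (RDAP is the JSON successor to WHOIS; the `events` array with an `eventAction` of `registration` is part of the real RDAP format) and flags anything younger than the six-month threshold the checklist uses. The sample record is constructed; the `rdap.org` redirector is a real public service but the live lookup is optional.

```python
"""Domain-age check for the 'when was this domain registered?' verification step."""
from datetime import datetime, timezone
from typing import Optional
import json
import urllib.request

# Threshold from the red-flags checklist: a domain under six months old deserves suspicion.
MAX_AGE_DAYS = 180


def registration_date(rdap: dict) -> Optional[datetime]:
    """Pull the registration timestamp out of an RDAP domain object.
    RDAP records list lifecycle events under 'events'; the one we want has
    eventAction == 'registration' and an ISO-8601 eventDate."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            ts = event["eventDate"].replace("Z", "+00:00")  # make the 'Z' suffix parseable
            return datetime.fromisoformat(ts)
    return None


def assess_domain_age(rdap: dict, now: datetime, max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Return the domain's age in days and whether it trips the 'recently registered' flag.
    A record with no registration event is treated as unverifiable (flagged), not as safe."""
    registered = registration_date(rdap)
    if registered is None:
        return {"age_days": None, "flag": True, "reason": "no registration event in RDAP data"}
    age = (now - registered).days
    flagged = age < max_age_days
    reason = f"registered {age} days ago" + (" (under threshold)" if flagged else "")
    return {"age_days": age, "flag": flagged, "reason": reason}


def fetch_rdap(domain: str) -> dict:
    """Live lookup through the rdap.org bootstrap redirector (needs network access)."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return json.load(resp)


# Constructed sample: the shape of an RDAP reply for a domain registered four months ago.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example-consulting.test",  # placeholder name, not a real company
    "events": [
        {"eventAction": "registration", "eventDate": "2025-10-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-10-01T00:00:00Z"},
    ],
}
SAMPLE_NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)  # fixed "today" so the result is reproducible

if __name__ == "__main__":
    print(assess_domain_age(SAMPLE_RDAP, SAMPLE_NOW))
```

Swap `SAMPLE_RDAP` for `fetch_rdap("the-domain-you-were-sent")` and `SAMPLE_NOW` for `datetime.now(timezone.utc)` to run it against a real record.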

About the Author

Amardeep Maroli

MCA student from Kerala, India. I write about cybersecurity from actual experience — the labs I work through, the things I learn, and occasionally the attacks aimed at me personally. This blog is my learning journal and portfolio.

Social Engineering Scams — FAQs

How do attackers build fake LinkedIn profiles so convincingly?
Modern fake profile construction uses a combination of AI-generated profile photos (indistinguishable from real photos), cross-referenced work history that sounds plausible, and network building through automated connection requests to hundreds of real accounts. Many real people accept connection requests from unknown profiles without much scrutiny — which is how a new profile accumulates hundreds of connections quickly. Some operations also buy aged LinkedIn accounts. LinkedIn's fraud detection has improved but profile verification is difficult at scale. The practical defence: look at when connections were added (visible on some profile settings), verify employment through other channels, and treat unsolicited opportunity outreach with the same scrutiny regardless of how legitimate the profile looks.
Why would anyone need my Aadhaar in this kind of scam — what do they do with it?
Aadhaar plus a selfie provides biometric identity verification material. This combination is used for: opening fraudulent bank accounts in your name, taking out loans in your name, completing SIM card registrations in your name (enabling further fraud, OTP interception), and creating fraudulent UPI accounts. The financial damage from identity fraud using Aadhaar can take months or years to resolve and affects your CIBIL score. If you have already shared these with a suspected fraudster, lock your Aadhaar biometrics through UIDAI immediately and file a complaint at cybercrime.gov.in.
Am I more vulnerable to social engineering if I'm actively job hunting?
Yes — context matters enormously in social engineering susceptibility. When you're actively seeking something (a job, a loan, a relationship), you are psychologically primed to evaluate incoming contacts in that light. An unsolicited job message when you're not job hunting gets scrutinised differently than the same message when you're actively applying. Attackers know this and time their campaigns accordingly — job scam volumes increase significantly around graduation seasons and during high unemployment periods. The awareness that you're more susceptible during active searching is itself protective: it prompts you to apply more scrutiny, not less, to exciting-seeming opportunities.
What should I do if I already fell for a scam like this?
Act quickly — most fraud damage is time-limited if you respond fast. Step 1: Report at cybercrime.gov.in and your local police station. Step 2: If Aadhaar was shared, call UIDAI at 1947 and lock biometrics via mAadhaar app. Step 3: Notify your bank of potential fraud risk on your account. Step 4: If any payment was made via UPI, report to your bank and NPCI immediately — UPI fraud complaints submitted within 24 hours have a higher recovery rate. Step 5: Document everything — screenshots of all communications — before blocking and reporting the attacker. Do not feel ashamed: these attacks target smart people specifically because they're more likely to be in positions worth targeting.
Tags: social engineering India, job offer scam LinkedIn, Aadhaar scam 2026, how scams work, psychological manipulation online fraud, cyber fraud awareness India, fake recruiter LinkedIn

Have you encountered a similar attempt? Share your experience in the comments — the more we document these specific patterns, the harder they become to execute. I especially want to hear from people who caught the red flags early and what tipped them off.
