
What is social engineering?


In our ever-evolving digital landscape, educating and training your employees to recognise and identify cyber threats has never been more vital. A recent report from Positive Technologies revealed that 2020 saw a 22.5% rise in cyber-attacks when compared to the previous year, with a staggering 67% of these attacks involving what is called social engineering. This is hardly surprising when Cyber Talk also reported that companies now have 70% of their workforce operating remotely. With people's guard more likely to be down in a home environment, this only increases the risk.

So, what is social engineering and why is it so important?

Social engineering is a term used to refer to an attack strategy used by hackers. The attack relies primarily on human interaction and manipulation, eventually causing the victim to break standard security practices or reveal sensitive information.

Social engineering relies on the exploitation and deception of individuals rather than trying to find technical vulnerabilities within a network – if your workforce is not sufficiently trained, it’s the easiest way for cybercriminals to gain access to your organisation.

Threat actors will often disguise themselves as a trusted entity or information source (like payroll or a supplier) in order to gain the trust of an individual. As a result, the victim is more willing to reveal confidential information, click on a malicious link, or grant access to an account.

How does social engineering work?

In the majority of social engineering attacks, fraudsters will begin by investigating the chosen target and gathering background information. This potential victim could be an individual or an entire enterprise – if it is the latter, the perpetrator might begin by researching the employee structure, internal processes, potential weaknesses or any other relevant information needed to proceed with the attack.

A common tactic of hackers is to examine the social media accounts of employees to study their behaviour and subsequently design a personalised and targeted attack. Once this information is gathered, any potential weaknesses are ready to be exploited.

Common methods of social engineering

There are various different types of social engineering attacks, the most notorious undoubtedly being phishing campaigns. If you want more information on how to spot this common form of attack, have a look at our annotation of a real scam email received and spotted by one of our staff here.

Whilst phishing is the most popular form of social engineering attack, occurring when a hacker makes fraudulent contact with the victim via email or texts, there are multiple other types of social engineering methods you might not have heard as much about…

Spear Phishing

Spear phishing is (not surprisingly) an advanced form of phishing attack. Whilst phishing campaigns are often formed of identical scam emails sent to thousands of individuals in the hope that one lands, spear phishing is much more targeted. A spear phishing attack is specific to the victim, using personal information to gain trust and appear valid. Unsurprisingly, the personal nature of this tactic means it tends to have a much higher success rate in deceiving victims than regular phishing emails.

Baiting

Baiting is when a cyber-criminal leaves a malware-infected device (or ‘bait’) somewhere that is likely to be found. This device would typically be a USB flash drive or CD, often marked with company information for added authenticity. The success of this method is based on the expectation that whoever finds the bait will load it into their computer out of curiosity (particularly if it is marked with something enticing that plays on the prying nature of humans), and subsequently install the malware.

Pretexting

In this tactic, the attacker obtains confidential information by lying to the victim and creating false circumstances in which to gain the access or data. An example of this could be the perpetrator impersonating co-workers, or official authorities and pretending to need personal information in order to confirm the victim’s identity.

Through pretexting, the scammer can gather information such as login credentials, financial details, access to networks and more. This is particularly effective as it often uses fear and intimidation on the victim if the scammer is impersonating an authoritative figure.

Tailgating

Tailgating is a physical social engineering method, whereby an unauthorised individual gains entry into a secure location by following behind an authorised user. This could happen by asking somebody to hold a door open for them, or even to borrow their phone to call a friend, using it to install malware or steal information without the victim's knowledge. This technique is also sometimes known as piggybacking and targets trusting individuals.

Quid pro quo

This attack method occurs when a cybercriminal requests sensitive information from the victim in exchange for a service or some sort of compensation. An example of this could be requesting personal credentials in order to receive a free gift, or pretending to assist with IT support. This method can be particularly effective around holidays – playing on those happy to hear about Christmas offers and discounts!

Scareware

This technique involves victims receiving false alarms and threats designed to scare the user into purchasing or installing fake antivirus protection – which then installs the attacker's malware. Common forms of scareware include pop-up banners in your browser, but it can also be circulated through emails.

The list of social engineering tactics is extensive, but through awareness and education it is easy to spot the most common methods when they are used.

How to prevent social engineering attacks
