Social engineering is the manipulation or deception of individuals into revealing confidential and sensitive information or performing acts that may compromise an organisation’s security. Unlike traditional hacking, which relies on technical exploits or software vulnerabilities, social engineering focuses on human psychology, exploiting an individual’s trust, emotions and behaviour. The attacker uses these tactics to gain access to sensitive data, often by pretending to be someone trustworthy or in need of assistance, commonly in the form of:
- Phishing / Vishing (Voice Phishing) – when cyber criminals use scam emails, text messages or phone calls to trick their victims.
- Pretexting – the use of a fabricated story, or pretext, to gain a victim’s trust and trick or manipulate them into sharing sensitive information and/or downloading malware onto their work devices.
- Baiting – where a scammer uses a false promise to lure a victim into a trap which may steal personal and financial information or infect the system with malware.
- Tailgating – exploiting an individual’s kindness and using deception to gain access to a controlled area, simply by closely following someone with legitimate access credentials, often having the door held open for them out of courtesy by the victim.
Defending against social engineering can be a challenge for many organisations, as the most critical vulnerability is human error. Common factors that make this a challenge include organisations underestimating human behaviour, a lack of awareness, overconfidence, emotional manipulation and the sheer difficulty of detecting such attacks.
The failure to defend against social engineering can have severe consequences for both the individual and the organisation. The implications can include:
- Data Breaches
- Financial Loss
- Reputational Damage
- Malware and Ransomware Infections
- Regulatory Consequences
- Operational Disruption
As with any other form of cyber-attack, organisations can defend against social engineering in numerous ways to reduce the likelihood and impact of a successful attempt.
- Education, Simulations and Training: Frequent training for employees about the common signs of social engineering. Employees should learn how to recognize phishing emails, suspicious phone calls, and unfamiliar requests. Phishing simulations and Security Awareness Courses can help reinforce training and improve overall awareness.
- Multi-Factor Authentication (MFA): Enabling MFA on all accounts and systems adds an extra layer of security, making it more difficult for attackers to succeed even if they acquire login credentials through social engineering.
- Verification Processes: Establishing verification processes for any sensitive requests, such as money transfers or confidential information sharing, can prevent attackers from exploiting trust. Always verify through trusted channels before acting on any unexpected request, and never grant building access to someone you do not know or recognise before internal authorisation. Always double check prior to permitting entry.
- Secure Communication Protocols: Use secure communication methods such as encrypted email, secure file-sharing platforms, and trusted voice communication tools to ensure that sensitive information is transmitted safely.
- Encourage a Security-Conscious Culture: Encourage employees and individuals to question unsolicited requests, to be sceptical of urgent requests, and to report suspicious activity with no negative consequences if their suspicions are wrong. It’s better to be safe than sorry! A security-conscious culture can help make social engineering attacks much less effective.
While network and system defences are an important and vital part of an organisation’s security posture, the human element is often the weakest link and is frequently overlooked. All organisations and individuals should prioritise education, awareness and vigilance to effectively defend against these types of attacks, as the best defence against social engineering is a well-informed, educated and cautious workforce.