While companies continue to invest in technology and software to fend off cyberattacks, attackers often target what is perceived to be the weakest link: people. Social engineering is the art of manipulating people into giving up confidential information or access. These attacks don’t require sophisticated tooling or advanced hacking skills; they rely on human error, trust, and misjudgment. And they are increasingly common.
In the UK, businesses of all sizes face growing threats from social engineering. Whether it’s through phishing emails or fake customer service calls, attackers are using a variety of tactics to trick employees into exposing sensitive information.
In this blog, we’ll explore the top five social engineering risks companies in the UK should watch out for – and what you can do to mitigate them.
Phishing is the most well-known social engineering tactic. Despite widespread awareness, it continues to be the most commonly reported type of breach or attack in the UK. Cybercriminals send fake emails that appear to come from trusted sources – banks, government bodies, or even colleagues. The goal is to get the recipient to click on a malicious link or open a malicious attachment.
Why does phishing work? It preys on human instinct. Many phishing emails create a sense of urgency, such as claiming your “account has been compromised” or that you have “missed a payment”. In a moment of panic, employees may react before they think.
Common phishing attacks include:
How to protect against phishing:
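The urgency cues, lookalike sender domains and mismatched links described above are all things a mail gateway or triage script can check for mechanically. The following is an added example (not code from the original post or from ThinkCyber) that runs a handful of such indicator checks over raw email messages using only the Python standard library. The trusted domains, the urgency phrase list and both sample messages are constructed for illustration; a real deployment would maintain its own lists and feed in messages from the mail pipeline.

```python
"""Phishing-indicator checks over raw RFC 5322 messages (standard library only)."""
import re
from email import message_from_string
from email.policy import default as email_policy
from email.utils import parseaddr

# Hypothetical domains the organisation treats as trusted senders.
TRUSTED_DOMAINS = {"examplebank.co.uk", "acme-corp.co.uk"}

# Phrases that pressure the reader into acting before thinking (constructed list).
URGENCY_PHRASES = (
    "account has been compromised",
    "missed a payment",
    "will be suspended",
    "within 24 hours",
    "verify your account immediately",
)

# Digit-for-letter substitutions commonly used to build lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_DOMAIN_RE = re.compile(r"https?://([^/\s:]+)", re.I)


def domain_of(address):
    """Bare domain of an address like 'Name <user@host>' ('' if none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; inputs are short so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain.translate(CONFUSABLES)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", "")  # e.g. 'examplebank'
        if brand in normalised.replace("-", "") or edit_distance(normalised, trusted) <= 2:
            return trusted
    return None


def analyse(raw_message):
    """Return human-readable phishing indicators found in one raw email."""
    msg = message_from_string(raw_message, policy=email_policy)
    findings = []
    from_hdr = msg.get("From", "")
    display_name = parseaddr(from_hdr)[0]
    from_domain = domain_of(from_hdr)

    # 1. The sender domain imitates a trusted domain (homoglyphs, brand-in-subdomain).
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain {from_domain!r} looks like {imitated!r}")

    # 2. The display name claims a trusted brand that the address does not belong to.
    squashed_name = display_name.lower().replace(" ", "").replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", "")
        if brand in squashed_name and from_domain not in TRUSTED_DOMAINS:
            findings.append(f"Display name {display_name!r} does not match sender domain {from_domain!r}")
            break

    # 3. Replies are routed to a different domain than the one shown in From.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 4. Urgency language in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    findings += [f"Urgency cue: {p!r}" for p in URGENCY_PHRASES if p in text]

    # 5. Link text shows one domain while the href points somewhere else.
    for href, anchor in HREF_RE.findall(text):
        target, shown = URL_DOMAIN_RE.search(href), URL_DOMAIN_RE.search(anchor)
        if target and shown and target.group(1) != shown.group(1):
            findings.append(f"Link shows {shown.group(1)!r} but points to {target.group(1)!r}")
    return findings


# Constructed sample: a phishing email imitating the hypothetical trusted bank.
PHISHING_SAMPLE = """\
From: Example Bank Security <alerts@mailer-examp1ebank.com>
Reply-To: support@secure-verify-portal.net
To: staff@acme-corp.co.uk
Subject: Your account has been compromised
Content-Type: text/html

<p>Verify your account immediately or it will be suspended within 24 hours:
<a href="https://mailer-examp1ebank.com/verify">https://examplebank.co.uk/login</a></p>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
LEGIT_SAMPLE = """\
From: Priya Shah <priya.shah@acme-corp.co.uk>
To: staff@acme-corp.co.uk
Subject: Q3 project review notes
Content-Type: text/plain

Notes from today's review are on the shared drive.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(f"{label}: {analyse(sample) or ['no indicators']}")
```

None of these checks is proof of phishing on its own; a marketing mailer legitimately uses a different Reply-To, and "within 24 hours" appears in plenty of genuine invoices. The value is in stacking several weak signals and in routing the message to a person with the indicators attached, which is exactly where the "nudge before you click" approach discussed later on this page fits.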
Pretexting is when an attacker creates a fabricated scenario to obtain information from a victim. In many cases, the attacker pretends to be someone in a position of authority, such as a manager or IT technician. By gaining the victim’s trust, they can trick them into revealing personal or corporate data.
In the UK, pretexting is often seen in the form of fraudulent phone calls, where the attacker claims to need information for “security reasons.” This could be anything from a fake HR representative asking for employee records, to a scammer posing as a client requesting sensitive project details.
Common scenarios include:
How to protect against pretexting:
Baiting is another form of social engineering where attackers lure victims into giving up information by offering something enticing. This could be anything from a free software download to a fake job offer. In many cases, the bait itself carries malware, which infects the victim’s computer as soon as the download is opened or installed.
Physical baiting can also occur. For example, a USB drive left in the company’s car park might tempt an employee to plug it into their computer to see what’s on it. The moment they do, malware could be installed, compromising the company’s network.
Common baiting techniques include:
How to protect against baiting:
Tailgating, or “piggybacking,” happens when an attacker gains access to a secure area by following someone with legitimate access. This is more of a physical security risk but still falls under social engineering, as it relies on human trust and the assumption that the person behind you is meant to be there.
In a busy office environment, it’s easy to hold the door open for someone. Attackers take advantage of this courtesy and inattention, especially in larger companies where an unfamiliar face goes unquestioned. Once inside, they can access sensitive areas or steal valuable assets.
How to protect against tailgating:
Modern cybersecurity training is essential to preventing tailgating. Without awareness of these kinds of attacks, employees are likely to hold the door open for strangers or fail to question unknown people inside their office building.
In quid pro quo attacks, the attacker offers a service or benefit in exchange for information. This could be anything from offering “free” technical support to conducting a fake survey that asks for personal details.
One of the most common quid pro quo scams involves fake IT technicians. The attacker calls an employee and offers to fix a problem with their computer, requesting login credentials to “help.” Once they have access, they can steal data or install malware.
How to protect against quid pro quo attacks:
Traditional cybersecurity training sucks. It’s passive, infrequent, and fails to address the risks in real time. That’s where ThinkCyber’s Redflags® solution can save your business from these types of attacks.
Redflags® is a modern approach to security awareness training, using behavioural science to divert people away from high-risk actions in the moment they’re about to occur. Imagine a gentle nudge, reminding your employees before they click on a suspicious link or share sensitive information outside the company. It’s like a friendly tap on the shoulder when it’s most needed. Our solution has already helped businesses see measurable improvements, like a 73% drop in clicks on emails from unknown senders and a 90% engagement rate with security communications.
As well as using Redflags®, other steps businesses in the UK can take to minimise the risk include:
Social engineering isn’t going away anytime soon. By understanding the most common tactics and staying vigilant, UK businesses can better protect themselves against these increasingly sophisticated attacks.
Are you ready to strengthen your security posture? Book a 15 minute demo today and we can jump on a call to demonstrate Redflags® in action.