The Top 5 Social Engineering Risks Companies are Facing in the UK | ThinkCyber

Written by ThinkCyber | 10-Oct-2024 10:59:30

Cybercriminals are getting smarter. Half of businesses, and around a third of charities, have experienced some form of cyber breach or attack in the past year, according to a study by the British government in 2024. 

While companies continue to invest in technology and software to fend off cyberattacks, hackers often target what's perceived to be the weakest link: people. Social engineering is the art of manipulating people into giving up confidential information. These attacks don’t require sophisticated tech or advanced hacking skills; they rely on human error, trust, and misjudgment. And they’re increasingly common.

In the UK, businesses of all sizes face growing threats from social engineering. Whether it’s through phishing emails or fake customer service calls, attackers are using a variety of tactics to trick employees into exposing sensitive information. 

In this blog, we’ll explore the top five social engineering risks companies in the UK should watch out for – and what you can do to mitigate them.

1. Phishing – Still the biggest threat

Phishing is the most well-known social engineering tactic. Despite widespread awareness, it continues to be the most common type of breach or attack in the UK. Cybercriminals send fake emails that appear to be from trusted sources – like banks, government bodies, or even colleagues. The goal is to get the recipient to click on a malicious link or download an attachment.

Why does phishing work? It preys on human instinct. Many phishing emails create a sense of urgency, such as saying your “account has been compromised”, or you’ve “missed a payment”. In a moment of panic, employees might react without thinking.

Common phishing attacks include:

  • Spear phishing – Targeted attacks aimed at specific individuals in a company, often senior leaders.
  • Clone phishing – Where a legitimate email is cloned and sent again, but with malicious links or attachments.
  • Whaling – A type of phishing attack that specifically targets high-level executives.

How to protect against phishing:

  • Train employees to spot phishing attempts. Look out for poor grammar, unusual requests, and suspicious links.
  • Implement email filters to block malicious emails before they reach inboxes.
  • Roll out multi-factor authentication (MFA) so that even if credentials are compromised, attackers can’t easily gain access.
  • Use Redflags® to divert people away from high-risk activities in the moment, making a measurable reduction in operational risk.
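As an added example (not ThinkCyber's or Redflags® code), the heuristics below triage a raw email against the indicators this section lists: urgency wording such as “account has been compromised”, and links whose visible text names a different host than the real destination (as in clone phishing). It also goes one step beyond the list by checking for a Reply-To domain that differs from the From domain; the sample messages and the review threshold are constructed for the example.

```python
"""Phishing triage heuristics: an added example, not ThinkCyber or Redflags code.
Flags the indicators described above: urgency wording, links whose visible
text names a different host than the real href (as in cloned emails), and a
Reply-To domain differing from From. Samples and threshold are constructed."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

URGENCY = ("account has been compromised", "missed a payment", "immediately")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def sender_domain(addr: str) -> str:
    """'Name <user@host>' or 'user@host' -> 'host' in lowercase ('' if none)."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower() if "@" in addr else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons); each independent indicator adds one point."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    reasons = []
    lower = (msg.get("Subject", "") + " " + text).lower()
    hits = [p for p in URGENCY if p in lower]
    if hits:
        reasons.append(f"urgency wording: {hits}")
    from_dom, reply_dom = sender_domain(msg.get("From", "")), sender_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for href, label in ANCHOR.findall(text):  # clone-style link check
        real = (urlparse(href).hostname or "").lower()
        shown = HOST.search(re.sub(r"<[^>]+>", "", label))
        if shown and shown.group(1).lower() != real:
            reasons.append(f"link shows {shown.group(1)} but goes to {real}")
    return len(reasons), reasons


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Two or more independent indicators send the message for human review."""
    return score_message(raw)[0] >= threshold


# Constructed sample: fake bank notice with a cloned-looking link and an off-domain Reply-To.
PHISH = ("From: Example Bank <alerts@example-bank.test>\nReply-To: help@relay.example\n"
         "Subject: Your account has been compromised\nContent-Type: text/html\n\n"
         '<p>Log in immediately: <a href="http://login.bad.example/x">'
         "https://online.example-bank.test</a></p>\n")
OK = "From: Alice <alice@example.co.uk>\nSubject: Friday lunch menu\n\nMenu attached, no rush.\n"
```

A single indicator on its own is weak evidence (colleagues do write “immediately”), which is why the threshold requires two independent signals before a message is held for review.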

2. Pretexting – Playing the part

Pretexting is when an attacker creates a fabricated scenario to obtain information from a victim. In many cases, the attacker pretends to be someone in a position of authority, such as a manager or IT technician. By gaining the victim’s trust, they can trick them into revealing personal or corporate data.

In the UK, pretexting is often seen in the form of fraudulent phone calls, where the attacker claims to need information for “security reasons.” This could be anything from a fake HR representative asking for employee records, to a scammer posing as a client requesting sensitive project details.

Common scenarios include:

  • Fake tech support – The attacker pretends to be from the company’s IT department and asks for login details or other sensitive information.
  • Impersonating management – The attacker claims to be a senior leader and pressures employees to hand over confidential data.

How to protect against pretexting:

  • Verify the identity of anyone asking for sensitive information. If in doubt, call them back on an official number.
  • Educate staff about the risks of pretexting and encourage them to question unusual requests.
  • Limit the amount of personal information shared over the phone or online (make sure this is in your company policy).

3. Baiting – Tempting employees to make a mistake

Baiting is another form of social engineering where attackers lure victims into giving up information by offering something enticing. This could be anything from a free software download to a fake job offer. In many cases, the bait contains malware, which infects the victim’s computer when they take the bait.

Physical baiting can also occur. For example, a USB drive left in the company’s car park might tempt an employee to plug it into their computer to see what’s on it. The moment they do, malware could be installed, compromising the company’s network.

Common baiting techniques include:

  • Fake software downloads – Attackers offer what appears to be legitimate software or updates, but they contain malware.
  • Job scams – The attacker pretends to be a recruiter offering an attractive job opportunity, asking the victim to share personal details or download malicious files.

How to protect against baiting:

  • Block access to unapproved websites where employees might be tempted to download software.
  • Train employees to avoid plugging in unknown devices, such as USB sticks.
  • Use endpoint protection software to detect and block malicious downloads.

4. Tailgating – Exploiting physical security

Tailgating, or “piggybacking,” happens when an attacker gains access to a secure area by following someone with legitimate access. This is more of a physical security risk but still falls under social engineering, as it relies on human trust and the assumption that the person behind you is meant to be there.

In a busy office environment, it’s easy to hold the door open for someone. Attackers take advantage of this courtesy, and of the lack of awareness behind it, especially in companies with large numbers of employees. Once inside, they can access sensitive areas or steal valuable assets.

How to protect against tailgating:

  • Implement strict access controls, such as keycards or biometric scanning, for secure areas.
  • Encourage employees to be cautious about letting anyone follow them into restricted areas.
  • Use surveillance cameras and security personnel to monitor access points.

Modern cybersecurity training is important in preventing tailgating. Without knowing about these kinds of attacks, employees are likely to hold the door open for people, or not to question unknown people within their office building.

5. Quid pro quo – Offering something for something

In quid pro quo attacks, the attacker offers a service or benefit in exchange for information. This could be anything from offering “free” technical support to conducting a fake survey that asks for personal details.

One of the most common quid pro quo scams involves fake IT technicians. The attacker calls an employee and offers to fix a problem with their computer, requesting login credentials to “help.” Once they have access, they can steal data or install malware.

How to protect against quid pro quo attacks:

  • Train employees to be suspicious of unsolicited offers of help, especially if it involves providing personal information or access to systems.
  • Limit the amount of personal and corporate information shared with unknown individuals or third-party vendors.
  • Ensure that only authorised IT personnel are allowed to provide technical support.

ThinkCyber’s Redflags® can help your business stay safe

Traditional cybersecurity training sucks. It’s passive, infrequent, and fails to address the risks in real time. That’s where ThinkCyber’s Redflags® solution can save your business from these types of attacks.

Redflags® is a modern approach to security awareness training, using behavioural science to divert people away from high-risk actions in the moment they’re about to occur. Imagine a gentle nudge, reminding your employees before they click on a suspicious link or share sensitive information outside the company. It’s like a friendly tap on the shoulder when it’s most needed. Our solution has already helped businesses see measurable improvements, like a 73% drop in clicks on emails from unknown senders and a 90% engagement rate with security communications.

As well as using Redflags®, other steps businesses in the UK can take to minimise the risk include: 

  • Clear policies: Make sure there are clear company policies in place around data sharing, physical security, and how to respond to suspicious activity. Encourage employees to report any attempts at social engineering.
  • Use technology: While social engineering targets people, technology can help. Implement email filtering, firewalls, and endpoint protection software to reduce the risk of an attack.
  • Limit access: Only give employees access to the information and systems they need to do their jobs. The less data they have, the less they can unknowingly give away.
  • Encourage vigilance: Foster a culture of security within the company. Encourage employees to question anything that seems unusual or suspicious – it could make all the difference.

Social engineering isn’t going away anytime soon. By understanding the most common tactics and staying vigilant, UK businesses can better protect themselves against these increasingly sophisticated attacks.

Are you ready to strengthen your security posture? Book a 15-minute demo today and we can jump on a call to demonstrate Redflags® in action.