Cyber crime

Cyber security is a growing concern for global businesses. What can you do to defend your organisation?

Author: Lisa Forte

18 August 2020

Social engineering is the use of deception to make a target do something or disclose information in a way that seems harmless but is malicious. Phishing emails are the most well-known social engineering tactic, but they are not the only attack vector in this category. Vishing (malicious phone calls), Impersonation (physical penetration of the building) and Smishing (malicious SMS text messages) are all growing in frequency.

Social engineering is one of the fastest growing cyber-attack vectors because it provides cyber attackers with a much better return on investment. They don’t need to spend months trying to bypass a company’s technical controls and just go through staff (who already have access to data) instead. 

Humans are often referred to as the weakest link in a company’s cyber defence. However, they can be your greatest defence if given the proper investment in awareness training, tools and support.  

How does social engineering work?

Criminals use social engineering to persuade their target that they can trust them. The attacker will likely come across as charming and friendly. They will know things about your company, your likes and hobbies, to appear similar to you and mirror your world views. 

An attacker can’t just guess these things about you. The odds of them getting that right are too low. So, they need information about you. Today, all the information an attacker needs is available online. This is normally derived from social media, company websites, blogs and other online resources. Open Source Intelligence is the name given to this publicly available information. 

A classic technique is when attackers employ language in an email or phone call that leaves you feeling emotional or panicked. By making you feel anxious, panicked or angry, the attacker gets you to act impulsively and without thinking logically, when you are far more likely to make a mistake.

Case study: social engineering in practice

One case that I worked on involved a dental practice with an office in Bristol. The practice had just had a loan approved for more than £100,000. The CEO was abroad skiing with his family when his personal assistant received an email that looked as though it has come from him:

“Hi Beth, 

I am having a great time on the slopes! I just wanted to make sure that you have remembered to transfer the full amount of the loan into this account today for us to buy that company in Belarus. I really don’t want to miss this opportunity.”

Beth panicked; she hadn’t even put this on her to do list. She was supposed to be heading home soon so she quickly logged into the online banking and transferred the full amount of the loan as requested. On Monday morning the CEO, back from his relaxing break in the Alps told Beth that they needed a meeting to discuss how to use the loan. 

Beth turned white and reminded the CEO of the email he had sent her on Friday. I can imagine what his face must have looked like. The loan was gone, and the bank refused to reimburse the money.

This company made some crucial mistakes. Firstly, on the day the loan was approved they had posted it on social media, which made them a target for attackers. The CEO had been tweeting his holiday photos so it was clear that he was not in the office. Beth should have called him and checked that the request was legitimate, but she didn’t. The culture in the company was such that the CEO would often ask her to transfer money at the drop of a hat. 

This cost the company a lot of money and lost them a lot of business. It wasn’t a sophisticated attack at all, just the right story, to the right person at the right time, which resulted in a great return on investment for the attackers. 

How to spot a malicious email or phone call

The first thing to remember with a social engineering attack is that they will always want you to do something or disclose something. A phishing email, for example, will usually contain a malicious link or attachment that they need you to click on. Any unsolicited email you receive asking you to click on a link or attachment should make you pause to think about its authenticity.

This is great in theory; however, most phishing attacks are crafted to create an emotional response not a logical one. If they can make you feel emotional – angry, anxious, excited – they can make you react impulsively. They will also create a sense of urgency using deadlines like “offer ends at noon” or “pay the fine by 3pm”. If you ever receive an email or social media message that generates a strong emotional feeling, pause, have a coffee and come back to it. I guarantee that you will see it differently.

“If they can make you feel emotional – angry, anxious, excited – they can make you react impulsively”

If your social media accounts are not set to private you have no idea who may be viewing your posts, why they are viewing them, and what they will do with that information. Once something is posted online you have lost control of it.

Spend some time looking at your social media and your company website to see what information you are putting out to the world. If you feel it is too detailed or revealing then remove it. 

There are several key protective measures you can take to make yourself and your business much harder to attack.

  • Training: invest in really good quality, face-to-face and online training for yourself and your staff. GCHQ runs a certified scheme for training providers that helps you pick a course that meets best practice guidelines. You can find a list of approved training providers on their website.
  • Audit: search for yourself online to see what you can find out. If there is anything there that is too personal or that you didn’t realise existed, delete it. Check that your social media accounts are locked down.
  • Cyber crisis exercises: have a plan of what to do if you experience a cyber-attack and run exercises to test that plan in the same way you would practise a fire drill. In my experience, companies with no tested plan make critical mistakes during a cyber-attack and this can increase the damage.
  • Talk about it: share information about security with friends, family and other colleagues. Attackers are great at helping each other and sharing information on what works. So, talk to others in your industry about security and help each other become more secure., @LisaForteUK

Related competencies include: Data management, Risk management

Further information: Details of training and more are available from

Centre for the Protection of National Infrastructure (CPNI) has a Think Before You Link campaign on mitigating risks from hostile state actors and COVID-19 specific security issues under Related advice, including cyber section.

Related Articles


go to article The commercial lease code is here


go to article Ethics and party wall practice


go to article Keeping homes fit for habitation

This website uses cookies to collect information about your browsing session. By collecting this information, we learn how to best tailor this site to you.  To learn more, view our 

Cookie Policy.