If you are a decision-maker within a business, you must be aware of the risks that social engineering can pose to your organisation...

Share this Blog post

In this blog, we will explore what social engineering is, how it operates, and most importantly, how to mitigate the risks associated with it. By gaining a better understanding of social engineering, you will be better equipped to safeguard your organisation against its harmful effects.

Recent government reports have highlighted the alarming rise of cyber attacks on medium to large businesses in the UK. These attacks are estimated to cost an average of £19,400, which is a considerable amount for any organisation. However, this figure may not be entirely accurate, as many businesses do not report their breaches, making the actual cost potentially much higher. In light of this, ITRM recognises the need for businesses to take cyber security seriously. This blog aims to provide valuable insights into one common method of cyber crime: social engineering.


What is online social engineering?


Understanding Online Social Engineering:

Online social engineering refers to a malicious tactic employed by cyber criminals to exploit human vulnerabilities and gain unauthorised access to sensitive information. This technique typically involves the use of deceptive tactics, such as phishing scams and pretexting (creating a fake story), to trick unsuspecting targets into disclosing confidential data. By exploiting human error, cyber criminals can breach security defences and gain access to valuable assets, including financial accounts, personal data, and intellectual property.


How is online social engineering different to typical cyber attacks?

Online social engineering is a type of cyber crime that sets itself apart from other forms of cyber attacks as it exploits the vulnerabilities of end-users, typically employees, by misleading them into revealing sensitive information or performing some form of action that compromises security. Unlike a typical cyber attack where a hacker would breach an IT infrastructure remotely using malware, social engineering relies on human error and often involves psychological tactics such as manipulation, deception, and coercion. 

How does online social engineering work?

Online social engineering can come in many forms, we are going to delve into one of the most common methods used, Phishing. Phishing is a broad topic that has various sub-variants within it, such as Whaling, Spear-Phishing, Smishing, Quishing and many more ‘ings’, to learn about specific terminology, see here. 


Have you ever received an email or a message from someone that seemed suspicious? Well, this is called 'phishing' where cyber criminals try to manipulate people into revealing sensitive or important information by sending fake messages whilst impersonating someone else. 


Why do people fall victim to online social engineering?

As previously mentioned, social engineering relies directly on human error. The attack can utilise certain psychological traits that humans commonly respond to:

  • Trust and authority - Employees are conditioned to listen to those who are more senior and complete tasks they may receive. Cyber criminals will use emails that appear to be the same as someone in power within your organisation. As an example, a "boss" could send you an email telling you to sign up for a webinar, in signing up, you have given your details to a criminal, endangering your credentials and your business.
  • Limited-time offers - Have you ever received an email discount for 30% off a website or online shopping with a limited time/amount remaining? This tactic is employed by cyber criminals to rush a user into making a rash decision, upon clicking the link, you sign in to what you believe to be the website with a discount but end up giving your information to a cyber criminal.
  • Social Proof - Cyber criminals will trick victims into believing they are yet to complete certain work surveys by including, for example, 'you are the only remaining member of staff to complete this survey'. This manipulates end-users into unwillingly giving away their sensitive information by creating a sense of urgency and pressure to finish it quickly.


What is a developed online social engineering attack?

Social engineering attacks are carried out using various methods, some of which are more sophisticated than others. A more developed attack often begins by targeting high-level employees, such as Financial Directors (FD), who are tricked into downloading spyware that infects their endpoint devices. 


In the event of an initial infection, the hacker may not launch an immediate malicious attack. Instead, they may opt to bide their time and closely observe the user's behaviour, such as their writing style and formatting preferences, as well as their typical invoicing practices. Over time, the hacker can amass a wealth of information about the user, including a list of their frequent contacts and the nature of their relationships with them. By building a comprehensive database of information about the Financial Director, the hacker can carefully plan and execute a more effective attack in the future.


Upon creating a comprehensive database of relevant information, they can use it to orchestrate a refined cyber attack. To do this, they can create a fake email address and send deceptive emails to a targeted list of individuals. An example of an email the hacker would send would be an invoice on a date that doesn’t raise suspicion with the money going to a different account. If these individuals are not well-educated in cyber security or if the correct security protocols are not in place, they may fall prey to the hacker's tactics and become victims of the attack.

Share this Blog post

Related Articles

Protect Your Mission:The Importance of Cyber Security for Charities

Protect Your Mission:The Importance of Cyber Security for Charities

In this blog, explore the current cyber threat landscape, why charitable organisations are at risk and how to protect your charity/not-for-profit so you can continue your mission...

30th May 2024
Cyber Security: Identifying the level of investment required

Cyber Security: Identifying the level of investment required

Determining the level of investment in cyber security can be challenging as the cyber threat landscape continually expands. We explore the different factors to consider when investing in cyber security solutions...

8th May 2024
Visit our blog for more articles like these

Your privacy

By clicking “Accept all cookies”, you agree ITRM can store cookies on your device and disclose information in accordance with our Cookie Policy.

Cookie Settings

When you visit any of our websites, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and manage your preferences. Please note, blocking some types of cookies may impact your experience of the site and the services we are able to offer.