Cybersecurity in 2023

Helping employees spot the signs of social engineering

In the latest in our series of blogs looking at cybercrime and small businesses, we’re taking a closer look at the growing threat of social engineering.

If you use the internet, have an email address, or you’re one of the 4.48 billion people across the world who are currently active on social media, then you’re likely to have been the target of social engineering.

It is a method that is increasingly used by cybercriminals and which poses a huge risk, not only to individuals but to businesses.

So, what is it? And how can you help employees spot the warning signs?

What is social engineering?

Social engineering is essentially a form of data harvesting that uses deceptive tactics to gather valuable information.

Unlike hacking (where a cybercriminal exploits weaknesses in a company’s IT system to gain access), social engineering preys on human error. It can be used to dupe unsuspecting employees into voluntarily sharing sensitive information, such as bank details and passwords, by gaining their trust.

An example of social engineering in use on social media would be a supposedly fun post asking people to share the name of their first pet, or other information that may typically form part of common security questions. The target of these types of attacks will be unaware that they are doing anything wrong.

Over time, these small snippets of data may help criminals crack passwords or even be pulled together and combined for use in other fraudulent activities, such as identity theft.

Another example would be a website that looks like a legitimate shopping site, but which is purely there to gather bank details from unsuspecting people who try to make a purchase.

How big a problem is social engineering?

Social engineering is a growing problem for businesses. The latest statistics released by the 2021 Data Breach Investigations Report (DBIR) estimate that 98% of cyberattacks on businesses occurred as a result of social engineering, meaning it is currently the biggest cyber threat companies are facing.

What are the social engineering techniques that scammers use?

Part of the reason social engineering attacks have such a high success rate is that they present themselves as a trustworthy source.

A social engineering attack could be disguised as an email from a colleague or a known business connection. It could equally come in the form of a fake website posing as a legitimate one, or an ad or profile page on social media.

Here are three of the most common social engineering attacks targeted at businesses:

  1. An email purporting to be from a known contact

Email hacking is a popular tool that social engineering fraudsters use to prey on businesses and to infect computers with malware such as ransomware. It involves a hacker gaining access to an individual’s email account and emailing their contacts, pretending to be that person. The email will contain an attachment or malicious link that, when opened or clicked, infects the recipient’s computer.

  2. Phishing emails

Phishing emails also appear to come from a legitimate source, for example a bank or government agency. Their intent is usually to harvest information or money. You may receive an email asking you to verify some personal details or to donate to a worthwhile cause. You might also be told you’ve won a prize and be directed to a claim form. Like emails purporting to be from someone you know, phishing emails can be incredibly difficult to distinguish from legitimate communications because they look and sound so authentic.

  3. Freebies or ‘too-good-to-be-true’ deals

Another way social engineering scammers aim to extract information or money is by offering something for nothing, or at an incredibly low price. These types of attacks are usually distributed via social media, online listings or peer-to-peer websites. They bait the user with a free download or an amazing-looking product, duping the individual into giving up personal information and/or bank details, only for the offer to be a sham.

How to spot social engineering

Social engineering is a big problem for businesses because attacks of this nature are difficult to detect and pose a wide range of potential security risks. It only takes one well-meaning employee to accidentally trust the wrong source for malware to spread or sensitive information to be leaked.

Passwords

One of the strongest lines of defence against any form of cyberattack is to ensure employees use a unique password for each business system they access. This protects other systems within your business from being compromised and helps to better contain the threat.

A strong password is one that contains a unique combination of letters, numerals and symbols, preferably with a blend of upper and lower case letters. You’ll find some more top tips in our blog: Do I need a company password policy?

Training

As with all cyber security threats, awareness and education are paramount for keeping employees vigilant and minimising the chances of a successful attack. Ensure you are keeping your employees up to speed on the latest cyber security threats and scams. It’s advice that will help your employees not only at work but in their personal lives too. You can find more in our blog: Employee cybersecurity training tips for SMEs.

A big part of the training should be helping employees know what to look out for and how to reduce their risk. For example:

  • Never clicking on links or using websites whose address contains a small typo – like a 0 instead of an o, or a capital I instead of an i. Small typos like these make it very hard to spot that the site is a fraud, unless you’re really looking
  • Keeping social media profiles private and not answering supposedly fun questions or taking part in competitions posted on social media without being 100% sure of the creator
  • Confirming an email is definitely from a known contact by calling them directly, especially if it is asking about any kind of sensitive information. A classic scam here is to ask for invoicing details to be changed to another account.
  • Reporting anything suspicious to a manager, and not clicking on it or forwarding it to anyone else

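The ‘small typo’ check from the first bullet can be automated for the links in an incoming email. The Python below is an added example, not code from the Dragon IS blog: it treats a link as a lookalike when its host matches a trusted domain only after look-alike characters (0 for o, 1 or I for l, and a few other common swaps beyond the two the bullet names) are collapsed. The trusted-domain list and the sample email text are constructed for illustration.

```python
# Added example, not code from the Dragon IS blog: flag links whose host is a
# near-miss of a domain the business trusts. Trusted domains and the sample
# email text below are constructed for illustration.
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"dragon-is.co.uk", "example-bank.com"}   # constructed list

# Look-alike characters collapsed to one canonical form. Deliberately small;
# a production tool would use a fuller Unicode confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                             "5": "s", "3": "e", "4": "a", "8": "b"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def canonical(host: str) -> str:
    """Lower-case, drop a leading www., then merge confusable characters."""
    h = host.lower().rstrip(".")
    if h.startswith("www."):
        h = h[4:]
    # Single-character swaps first, then letter pairs that mimic one letter.
    return h.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def check_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in url."""
    if "://" not in url:
        url = "http://" + url          # bare hosts such as 'drag0n-is.co.uk'
    host = (urlparse(url).hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in trusted:
        return "trusted"               # exact match, nothing to report
    canon = canonical(host)
    if any(canon == canonical(good) for good in trusted):
        return "lookalike"             # equal once typos are ignored: suspicious
    return "unknown"

def scan_text(text: str, trusted=TRUSTED_DOMAINS):
    """Classify every http(s) link found in an email body."""
    urls = (u.rstrip(".,;:)") for u in URL_RE.findall(text))
    return [(u, check_link(u, trusted)) for u in urls]

if __name__ == "__main__":
    sample = ("Please update our invoice bank details at "      # constructed
              "https://drag0n-is.co.uk/billing today. Our real site is "
              "https://www.dragon-is.co.uk/ and our bank is https://example-bank.com/.")
    for url, verdict in scan_text(sample):
        print(f"{verdict:9} {url}")
```

A ‘lookalike’ verdict is the one worth escalating to a manager, as the last bullet advises; ‘unknown’ simply means the domain is not on the trusted list.
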
Concerned about IT security or cyberattacks?

At Dragon IS, we work with small and medium-sized businesses, helping them with a broad range of issues relating to their IT systems, processes and procedures. Whether you need expert advice and guidance or systems that can scale up effectively with a growing business, call us for an informal chat on 01908 613 080 or email info@dragon-is.co.uk.