Social Engineering: The 7 most common tricks cybercriminals use (and how to stop them)
Posted on January 20, 2025 by Louise Howland
Social engineering is one of the biggest cybersecurity threats out there. Instead of trying to hack into systems, cybercriminals manipulate people into giving away sensitive information or access. It’s a sneaky and highly effective way to bypass even the best technical security measures.
According to the UK government’s Cyber Security Breaches Survey 2023, 32% of businesses and 24% of charities reported experiencing a cyber breach or attack in the previous 12 months, and phishing was by far the most common type of attack reported.
In this blog, we’ll break down the 7 most common social engineering techniques, how they work, and what you can do to protect yourself and your organisation.
1) Phishing
Phishing is when attackers send fake emails, messages, or links that look like they’re from a legitimate source – such as your bank, a colleague, or a well-known company. These messages often create a sense of urgency, tricking you into clicking a malicious link or sharing personal information like passwords or payment details.
How to spot phishing:
- Check the actual sender address, not just the display name – attackers use lookalike domains (one letter changed or an extra word added) and a display name that reads like a trusted contact.
- Be cautious of unexpected emails asking for sensitive information, passwords or payments, even when they appear to come from a colleague.
- Never click links without verifying their source; go to the site by typing the address or using your own bookmark instead.
- Hover over links to check the actual URL before clicking (on a phone, long-press the link to preview it). The visible text can say one thing while the link goes somewhere else.
- Check for spelling mistakes and inconsistencies in email signatures, branding or formatting.
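The checklist above can be applied mechanically to a raw message, which is useful when triaging a reported email. The following is an added example, not code from the original post: it parses a message with Python’s standard `email` library and flags a display name that claims a different address, a Reply-To on a third domain, urgency wording, link text that disagrees with the real `href`, and links to a bare IP address. Both sample messages, all domains (RFC 2606 `example.*` names and a `203.0.113.x` TEST-NET address) and the urgency word list are constructed for illustration.

```python
"""Apply the phishing-spotting checklist to a raw e-mail message.
Added example; addresses, domains, URLs and word list are constructed."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that manufacture urgency (assumed list; tune for your environment).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "suspended", "verify your account")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return the checklist red flags that this message triggers."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    from_domain = sender.domain.lower() if sender else ""

    # "Unusual sender address": display name shows one address, real sender is another.
    if sender:
        for claimed in re.findall(r"[\w.+-]+@([\w.-]+)", sender.display_name):
            if claimed.lower() != from_domain:
                findings.append(f"display name claims {claimed.lower()}, "
                                f"real sender domain is {from_domain}")

    # Replies silently go to a third domain.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses:
        rt_domain = reply_to.addresses[0].domain.lower()
        if rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")

    # "Sense of urgency": pressure words in subject or body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg['Subject'] or ''} {body}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # "Hover over links": visible URL and real href disagree, or target is a bare IP.
    collector = _LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        real_host = _host(href)
        if "://" in shown or shown.startswith("www."):
            shown_host = _host(shown if "://" in shown else "http://" + shown)
            if shown_host and shown_host != real_host:
                findings.append(f"link text shows {shown_host} but points to {real_host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
            findings.append(f"link target is a bare IP address: {real_host}")
    return findings


# Constructed samples: one phishing-style message and one routine internal mail.
PHISHING_EMAIL = """\
From: "IT Helpdesk <it-helpdesk@example.com>" <alerts@example-support.net>
Reply-To: recovery@example-support.org
To: staff@example.com
Subject: URGENT: your mailbox will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been flagged. Verify your account immediately:</p>
<p><a href="http://203.0.113.10/login">https://portal.example.com/login</a></p>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Payroll Team" <payroll@example.com>
To: staff@example.com
Subject: March payslips are now available
Content-Type: text/html; charset="utf-8"

<html><body><p>Payslips are on the <a href="https://hr.example.com/payslips">HR portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(f"{label}: {phishing_indicators(sample) or ['no indicators']}")
```

Run as a script it lists five indicators for the constructed phishing message and none for the routine one. These are heuristics for a human reviewer, not a replacement for a mail filter; a well-crafted message can pass all of them, which is why the verification steps above still matter.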
2) Pretexting, Impersonation, and Business Email Compromise (BEC)
While phishing typically involves mass distribution of fraudulent messages, pretexting, impersonation and BEC take a more targeted approach. These attacks exploit trust and authority by convincing victims that they are dealing with a legitimate person or organisation. Pretexting means inventing a plausible scenario (a supplier chasing an invoice, an auditor needing access) to extract information, while impersonation and BEC involve fraudsters posing as trusted figures such as IT support, senior executives or financial institutions. In a typical BEC attack the fraudster uses a spoofed or compromised email account to ask finance staff to pay a fake invoice or change a supplier’s bank details, which is why it so often leads directly to financial loss as well as data breaches.
How to stay safe:
- Verify requests through official channels before sharing sensitive information. For payments and bank-detail changes, call the requester back on a number you already hold, never one given in the email.
- Encourage a culture of scepticism – train staff to spot red flags such as unexpected requests, urgency, secrecy (“don’t tell anyone until the deal closes”) or unusual sender behaviour, and make it safe to challenge a request that appears to come from a senior person.
- Use multi-factor authentication on email accounts, preferring phishing-resistant methods such as security keys or passkeys, since one-time codes can be captured and relayed by a phishing site.
- Review your email security configuration regularly: publish and monitor SPF, DKIM and DMARC for your own domain, and have the mail client clearly tag messages from external senders.
3) Baiting and Quid Pro Quo
Baiting relies on curiosity or greed to trick victims into exposing their systems, such as leaving infected USB drives in public places or offering free downloads containing malware. Quid pro quo, on the other hand, involves attackers offering something beneficial, like free tech support or exclusive access, in exchange for sensitive data.
How to avoid them:
- Be cautious of unsolicited offers and giveaways that seem too good to be true.
- Avoid using unknown USB devices or downloading files from unverified sources.
- Implement strict policies on handling external devices and software.
- Educate employees on the risks associated with unsolicited offers.
4) Tailgating (or Piggybacking)
Tailgating is a physical security risk where an attacker gains access to restricted areas by closely following an authorised individual, such as pretending to be a delivery driver or claiming they’ve lost their credentials. Attackers often take advantage of polite or busy employees who hold doors open without verifying identity.
How to protect your organisation:
- Always check credentials before letting someone in.
- Don’t hold the door open for strangers in secure areas.
- Use access control measures such as keycards or biometric authentication.
- Report any suspicious individuals to security immediately.
5) Vishing (Voice Phishing)
Vishing involves attackers making phone calls while pretending to be from trusted organisations like banks or IT departments. They often create a sense of urgency, claiming that immediate action is required to prevent financial loss or security breaches.
How to stay protected:
- Never share personal details or security codes over the phone unless you initiated the call to a number you looked up yourself.
- If in doubt, hang up and call the organisation back using a trusted number, such as the one on your bank card or its official website.
- Be wary of urgent requests asking for sensitive information or immediate payment; a genuine bank or IT department will not object to you calling back.
- Don’t rely on caller ID: the displayed number is easily spoofed, so a call that appears to come from your bank proves nothing. Block numbers you know to be suspicious.
6) Smishing (SMS Phishing)
Smishing uses text messages to trick recipients into clicking malicious links or providing personal information. Attackers often impersonate trusted services like delivery companies, government agencies, or banks, asking you to confirm account details or track a package.
Tips to stay safe:
- Be cautious of texts with urgent language or unexpected links.
- Contact the company directly if you’re unsure.
- Avoid clicking links in unsolicited messages.
- Use spam filters and block unknown senders.
7) Social Media Exploitation
Cybercriminals use social media to gather information about individuals and organisations, which can be leveraged for phishing attacks, identity theft, or impersonation. Oversharing personal details like birthdays, job titles, or travel plans can make it easier for attackers to target you.
Protect yourself by:
- Limiting what you share publicly to minimise exposure.
- Reviewing your privacy settings regularly to control who can see your posts.
- Avoiding connection requests from people you don’t know.
- Being mindful of the personal details in public posts or profiles, such as job titles, birthdays and travel plans, which attackers use to make pretexts convincing.
How to protect yourself against Social Engineering
At ramsac, we provide a range of services to help protect your organisation against social engineering attacks and enhance your overall security posture. These include:
Cybersecurity Awareness Training: Our training sessions educate employees about phishing, social engineering, and other common cyber threats. This ensures your team can recognise, respond to, and report suspicious activities.
secure+ Managed Security Service: Our proactive cybersecurity monitoring service detects and responds to threats in real-time, providing continuous protection for your organisation.
Phish Threat Simulations: We conduct simulated phishing attacks to test and improve your employees’ ability to identify and handle phishing attempts, reinforcing their training with practical experience.
By implementing these solutions, we can help your organisation build robust defences against social engineering attacks, safeguarding your data and ensuring business continuity.
Stay vigilant and always trust your instincts!
Be cyber-secure with ramsac
There are two types of organisations: those that have suffered a cyberattack and those that will. Over 90% of successful hacks and data breaches start with phishing scams. Reports estimate that 3.4 billion malicious emails are sent daily worldwide. Don’t become part of the statistic. Make the secure choice today.