Not every cyber attack begins with complex code or brute force. Often, the easiest way into your organisation isn’t through your systems; it’s through your people.
Social engineering attacks exploit human nature, not technical flaws. They manipulate trust, urgency, and fear to get users to take actions they normally wouldn’t, such as clicking a malicious link or sending sensitive information to someone pretending to be their boss.
This approach works frighteningly well. 98% of cyber attacks rely on some form of social engineering, and 90% directly target an organisation’s employees rather than its technology. In other words, attackers don’t need to hack systems when people will open the door for them.
These types of attacks are on the rise. According to Verizon, phishing and pretexting are now the leading social engineering techniques used against SMBs, with newer methods such as prompt bombing attacks (overwhelming users with repeated authentication requests until they approve one) also on the up.
This article will help you understand how social engineering works, why it’s so effective, and most importantly, what you can do to protect your business.
A Few Small Actions = Big Risk Reduction
Social engineering is dangerous because it looks ordinary. The messages don’t always look suspicious. The requests don’t always feel unreasonable. In many cases, they appear to be routine business communications.
But once you know what to look for and have the right checks in place, these attacks become much easier to avoid.
This matters because the impact is huge. 86% of social-engineering incidents result in business disruption, including downtime, financial loss, or reputational damage. And with the average global cost of a data breach reaching $4.88 million in 2024, even a single successful attack can have long-lasting consequences.
By building awareness, verifying requests, and reinforcing good habits, you can drastically reduce your exposure to one of the most common attack methods businesses face today.
What Is Social Engineering?
Social engineering is a type of cyber attack that manipulates people into giving up confidential information or performing actions that benefit an attacker.
Rather than exploiting software vulnerabilities, social engineering exploits human behaviour such as trust, helpfulness, fear of consequences, and respect for authority.
Social engineering attacks can take many forms, including:
- Phishing emails
- Fake invoices or payment requests
- Impersonation of colleagues or suppliers
- Fraudulent phone calls (vishing)
- Malicious text messages (smishing)
- Fake login pages designed to steal credentials.
According to industry research, 20% of confirmed data breaches directly involve social engineering, while 68% are attributed to human error, often including falling for scams, phishing emails, or impersonation attempts.
Related Reading: Protect Your Business Data with These 10 Must-Do Strategies
Understanding the Psychology Behind Social Engineering
The success of social engineering hinges on our natural instincts, especially our tendency to trust familiar-looking communications or act quickly when something feels urgent or important.
Attackers design messages to bypass rational thinking and trigger emotional responses. The speed at which this happens is one of the most alarming aspects of social engineering.
- The median time for a user to fall for a phishing email is under 60 seconds
- Once an email is opened, the median time to click a malicious link is just 21 seconds
- It then takes only another 28 seconds for victims to enter sensitive information
In under a minute, a single lapse in judgment can lead to account compromise or data loss.
Attackers typically rely on one or more of the following psychological techniques:
Authority
The attacker impersonates someone senior, such as a director, a finance lead or an external partner, and sends a message that feels too important to question. It might say something like:
“Transfer this now and confirm once done.”
“I need you to reset my password urgently. I’m in a meeting.”
Because people are conditioned to respect authority, they are less likely to question these requests.
Urgency
You’re told something needs to happen immediately, and any delay will cause damage or disruption. These messages can look like:
“Your account will be suspended in 10 minutes. Click here to verify.”
“We need this payment completed before close of business today.”
Urgency creates pressure, and when people feel rushed, they are far more likely to make mistakes.
Fear
Fear creates compliance. These messages may reference a data breach, suspicious login attempts or a legal issue to cause panic: “Unusual login activity detected — act now to secure your account.”
Greed or Reward
You’re offered a reward or incentive in exchange for an action:
“Claim your free £50 gift card by clicking this link.”
“You’ve received a bonus document; view it here.”
These approaches are dangerous because they often look like normal business communication, making them hard to spot without training or experience.
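As an added illustration (not part of the original article), the following Python helper tags a message with the four lure types described above and the action it asks the reader to take, so that a message combining a lure with a payment, credential or link request is escalated for review. The cue lists are constructed assumptions for demonstration, not a production phishing detector.

```python
import re
from dataclasses import dataclass, field

# Lure categories from the article. Each regex is a constructed cue
# drawn from the example phrases above, not an exhaustive rule set.
LURE_PATTERNS = {
    "authority": [r"\b(ceo|director|finance lead|my password)\b",
                  r"\bconfirm once done\b", r"\bi(?:'|’)m in a meeting\b"],
    "urgency":   [r"\b(now|immediately|urgent(?:ly)?|today)\b",
                  r"\bin \d+ minutes\b", r"\bbefore close of business\b"],
    "fear":      [r"\b(suspended|unusual login|legal|breach|locked)\b"],
    "reward":    [r"\b(free|gift card|bonus|prize|claim)\b"],
}

# Actions the article says attackers push for. A lure paired with one of
# these is the pattern worth escalating to a verification step.
ACTION_PATTERNS = {
    "payment":     r"\b(transfer|payment|invoice|bank details)\b",
    "credentials": r"\b(password|verify your account|log ?in|credentials)\b",
    "link":        r"\b(click(?:ing)?|link|view it here)\b|https?://",
}


@dataclass
class Triage:
    lures: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    risk: str = "low"


def triage_message(text: str) -> Triage:
    """Classify one message body by lure type, requested action and risk tier."""
    low = text.lower()
    lures = [name for name, pats in LURE_PATTERNS.items()
             if any(re.search(p, low) for p in pats)]
    actions = [name for name, pat in ACTION_PATTERNS.items()
               if re.search(pat, low)]
    # Lure + action together is the social engineering shape; either alone
    # is common in normal business mail and only merits a closer look.
    if lures and actions:
        risk = "high"
    elif lures or actions:
        risk = "medium"
    else:
        risk = "low"
    return Triage(lures, actions, risk)


if __name__ == "__main__":
    # Constructed sample messages, including the article's own example wording.
    for msg in ["Transfer this now and confirm once done.",
                "Your account will be suspended in 10 minutes. Click here to verify.",
                "Attaching the agenda for Thursday's meeting, see you there."]:
        print(triage_message(msg))
```

A "high" result is a prompt to verify through a known channel before acting, not proof that the message is malicious.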
Common Types of Social Engineering Attacks
1. Phishing Emails
Phishing remains the most common form of social engineering. These emails are designed to look legitimate and often imitate:
- Banks or service providers
- Internal IT teams
- Senior leadership
- Trusted third parties.
Their goal is typically to:
- Steal login credentials
- Deliver malware
- Trick users into transferring money.
The Anti-Phishing Working Group (APWG) recorded:
- 1,003,924 phishing attacks in Q1 2025
- 1,130,393 phishing attacks in Q2 2025, a 13% quarter-on-quarter increase
An average of 2.9% of employees click on phishing emails, which may sound small until you multiply it across an entire organisation.
2. Brand Impersonation Attacks
Nearly 49% of all socially engineered threats involve brand impersonation, where attackers pose as trusted services or well-known companies.
Commonly impersonated brands include:
- Microsoft
- Amazon
- DocuSign
- Dropbox
- PayPal
- Adobe
- DHL
- OneDrive
- Microsoft 365.
Because users already trust these brands, they are far more likely to engage without hesitation.
3. Business Email Compromise (BEC)
BEC attacks are highly targeted and often financially motivated. According to Verizon, BEC accounts for roughly 24-25% of financially driven cyber attacks.
An attacker may:
- Compromise a real email account
- Monitor communication patterns
- Send realistic payment or data requests.
Because the emails come from genuine accounts, these attacks can be extremely convincing.
4. Smishing and Vishing
Social engineering isn’t limited to email.
- Smishing uses SMS or messaging apps
- Vishing uses phone calls.
These attacks often bypass email security controls entirely and rely on direct interaction.
5. Pretexting
In pretexting attacks, attackers create detailed backstories to gain trust. Pretexting accounts for roughly 27% of social-engineering breaches.
They may pretend to be:
- A new supplier
- An auditor
- IT support
- A contractor
The more convincing the story, the more likely the target is to comply.
Why Mid-Sized Companies Are Frequent Targets
Mid-sized businesses are particularly vulnerable to social engineering attacks. In fact, SMBs are targeted nearly four times more often than large enterprises.
They often:
- Handle valuable financial or personal data
- Have less formalised processes than large enterprises
- Lack dedicated security teams
- Rely heavily on trust-based workflows
Attackers know that smaller teams often move quickly, rely on informal communication, and may lack strict verification procedures.
Related Reading: The Case for Companies to Embrace Managed Cyber Security
How to Defend Against Social Engineering Attacks
You don’t need to invest in complex tech to lower your risk. Some of the best defences are simple processes that involve your people, not just your software.
Raise Awareness
Make sure your team understands the signs of social engineering. Train them to recognise suspicious language, unexpected requests, and emotional triggers like panic or urgency.
Promote a ‘Think Before You Click’ Culture
Encourage your staff to pause and review before responding to any unexpected message, especially those involving money, login details or sensitive information.
Verify, Always
If something seems off, verify it through a trusted channel, such as a quick call to a number you already know or a direct Teams message to the supposed sender, rather than replying to the message itself.
Enable Multi-Factor Authentication (MFA)
MFA is one of the easiest ways to reduce risk. Even if a password is compromised, MFA can block unauthorised access.
It is one of the most effective controls against phishing-related account compromise.
Encourage Reporting
Create a culture where it’s safe and encouraged to flag anything suspicious. Early reporting often prevents wider impact.
Related Reading: Top 10 Cyber Security Training Tips to Protect Your Business from Attacks
Social Engineering Is a Business Risk, Not Just an IT Issue
Phishing and pretexting via email now account for 73% of all breaches, and 86% of social-engineering incidents cause business disruption, not just technical inconvenience.
This makes social engineering a financial, operational, and reputational risk, not just an IT concern.
Finance, leadership, HR, and operations all play a role in prevention.
Related Reading: The Reality of Ransomware: Lessons from the Frontlines
Need Help Protecting Your Team?
Nexus works with organisations across England and Wales to implement simple, effective cyber security solutions that protect people and data, without slowing your business down.
Areas where we can help:
- Awareness training
- Phishing simulations
- Multi-factor authentication (MFA)
- Email security
- Ongoing user support.
Get in touch with our team today to book a free, no-obligation consultation. Let’s make sure your business is protected, not just technically, but humanly too.