When it comes to cybersecurity, we’re often told that “you are as secure as the weakest link”. In this case, the tech is usually strong, but the people are the weakest link. Most cyber attacks targeted towards individuals don’t start with some genius hackers breaking through networks, but start with someone being tricked into handing over information. This is called social engineering.
What is social engineering?
Social engineering is when criminals use psychological tricks such as urgency, fear, or trust to manipulate people into giving up sensitive information. Instead of forcefully breaking into your account, they simply indirectly persuade you to let them in. Even the most cyber-savvy can get tricked by social engineering because, as people, we trust messages that look official, act quickly when we feel pressured or panicked, and want to be helpful, which is something scammers love to exploit.
Who are the common targets?
Everyone can be a target, but young people are especially at risk because of high social media use and the pressure to stay connected. Students, job seekers, and small business owners are also often targeted because scammers know they may not have strong security systems in place.
What does a phishing attempt look like?
Phishing is the most common type of social engineering scam. It usually comes as an email, text, or direct message that looks like it’s from a trusted company, asking you to click a link or share personal info.
In 2023, thousands of students across the UK received emails claiming to be from Student Finance. The emails said their account would be suspended unless they clicked a link to “verify details”. The link led to a fake website that stole login credentials and bank information. Many victims only realised after money had already been taken.
Red flags to look for:
- Messages that create panic, such as statements like “Your account will be closed today if you don’t act within the next couple of hours.”
- Suspicious links embedded in the email. You can hover over them to see the real web address to determine if they are truly fake.
- Poor grammar, spelling mistakes, or weird email addresses.
Beyond email: new forms of phishing
Cyber criminals are always inventing new tricks. Here are some you should know:
- Quishing: Scammers use QR codes that lead to fake websites designed to steal your info. They’re often printed on posters, flyers, or sent in emails. If you come across a QR code, don’t be quick to scan it!
- Vishing: A form of phishing over voice, where scammers call you pretending to be your bank, your phone provider, or someone from a reputable company. They will pressure you to confirm details or make urgent payments.
- Smishing: Phishing by SMS, which is usually seen in the form of fake delivery texts saying “your parcel is waiting, click on this link for tracking information”. You can protect yourself against these by enabling SMS filtering on your phone to filter and flag such suspicious texts.
- Angler phishing: Fraudsters create fake customer support profiles on platforms like Facebook, Instagram, and X. These accounts closely mimic real company pages and reply to frustrated customers asking for help. They’ll then send a link to resolve the issue, which is designed to steal your login credentials or infect your device with malware.
How to stay one step ahead
- Slow down – don’t let urgency trick you into acting without thinking.
- Double-check – contact the company directly through official websites or numbers.
- Protect your accounts with strong passwords and MFA – so even if details leak, attackers can’t get in.
- Share what you know – help friends and family spot these scams too.
Cybersecurity isn’t just about software; it’s about people. By learning to spot social engineering tricks, you’re making yourself the hardest target.
