What is social engineering? Understand how attackers manipulate people, explore common techniques, and learn how to stay safe online.
When we used to think about cyberattacks, we imagined hackers breaking into systems through the back end. However, nowadays, many attacks start with something much simpler such as a conversation, an email, or a message that feels completely normal.
This is called social engineering, and it’s one of the most common ways attackers get into your systems.
What is Social Engineering in Cyber Security?
Social engineering is when someone tricks you into sharing information or taking an action that benefits them. So, instead of hackers breaking into systems, they rely on people slipping up. They normally do this by manipulating things like trust, curiosity, or urgency.
It might look like:
- An email asking you to reset your password
- A phone call from your ‘IT support’
- A message saying you’ve got a delivery waiting
On the surface, these seem harmless. But they’re very carefully designed to catch employees out. A prime example of these types of attacks is the M&S, Harrods and Co-op attacks that happened in 2025, where an attacker group posed as employees and tricked help desk staff into resetting passwords or disabling MFA. You will remember how much disruption this caused across the entirety of the UK.
Why people fall for it
Social engineering works because it doesn’t feel like a cyber attack. Attackers are very good at creating situations where you act quickly without thinking, trust the source without questioning it, feel worried or pressured to respond, or are simply trying to be helpful.
In busy, everyday situations, like work emails or personal messages, it’s easy to miss the warning signs, especially when they are so subtle.
Common types of social engineering attacks
You will have most definitely heard or even come across most of these:
Phishing emails: Messages that look like they’re from legitimate companies, asking you to click a link or log in.
Text message scams: Short, urgent messages about deliveries, payments, or prizes.
Phone scams: Calls where someone pretends to be from a trusted organisation and asks for information.
Impersonation: Someone posing as your boss, a colleague, or a supplier, often asking for urgent help or payment.
Baiting: Offering something tempting (like free downloads or rewards) in exchange for your details.
Why it matters for businesses
For organisations, social engineering is more than spammy emails or an inconvenience; it can lead to serious risks. One small action, like clicking a link or sharing login details, can lead to a serious cyberattack.
And because these attacks target people rather than systems, even the best tech can’t stop them completely.
What should your business do?
Not everyone can be a cyber security expert, but a few simple habits can make a big difference.
Take a moment: If something feels urgent, slow down. This pressure is often intentional from the attackers.
Check before you trust: Look closely at who’s contacting you. An extra letter in someone’s email address, or added punctuation such as a ‘.’, can make a huge difference. If unsure, use official channels to confirm.
Keep your details private: Passwords and sensitive information should never be shared casually, even over email.
Be careful with links: If you didn’t expect a link, don’t click it.
Train your team: One of the most effective ways to reduce risk is through regular cybersecurity awareness training. At Mother, we offer training powered by KnowBe4 that helps staff recognise real-world scams, spot red flags, and respond confidently.
It’s practical, easy to follow, and designed for everyday people, not just IT teams. Having employees complete this training regularly raises their awareness of these scams and can make a big difference to your organisation.
For more information on our cybersecurity awareness training: https://www.mothertech.co.uk/security-awareness-training/
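The ‘check before you trust’ habit above can also be automated at the mail gateway or in a ticketing system. The script below is an added example, not code from this post or from Mother or KnowBe4: it compares the sender’s domain against a constructed list of trusted domains and flags addresses that differ by a single extra or changed letter or by added punctuation (the trusted-domain list and the sample addresses are assumptions made for the example).

```python
import re

# Constructed list of domains this organisation treats as trusted (assumption).
TRUSTED_DOMAINS = {"mothertech.co.uk", "knowbe4.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character inserts, deletes or swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # swap ca for cb
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain from 'Name <user@domain>' or 'user@domain'."""
    match = re.search(r"<([^>]+)>", address)
    addr = match.group(1) if match else address
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    'lookalike' means the domain is within one character of a trusted domain
    (an extra letter, e.g. mothertechh.co.uk) or collapses to the same
    skeleton once dots and hyphens are removed (e.g. mother.tech.co.uk).
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    skeleton = re.sub(r"[.\-]", "", domain)
    for good in trusted:
        if skeleton == re.sub(r"[.\-]", "", good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in a help desk ticket.
    for sample in ["IT Support <helpdesk@mothertech.co.uk>",
                   "helpdesk@mothertechh.co.uk",
                   "helpdesk@mother.tech.co.uk",
                   "someone@example.org"]:
        print(f"{sample:45} -> {classify_sender(sample)}")
```

A ‘lookalike’ verdict is a prompt to confirm through an official channel before acting, not proof of an attack; legitimate partners do sometimes mail from unfamiliar domains.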