Cyber Security Training & Software for Companies | MetaCompliance

Social Engineering: Hacking the Human


Social engineering is nothing new. Way before computers entered our lives, human beings were being scammed using psychological tricks. Back in 1947, a book entitled “Illustrated Circular of Confidence Tricksters and Expert Criminals” was published. This book was a “Who’s who of international swindlers”. Fast forward to 2021, and international crime gangs take a more digital approach to swindling folks out of money, data, and corporate login credentials. Although there may be decades, even centuries, between fraudster scam campaigns, they all have one thing in common: fraudsters of old and new use social engineering to get what they want.

Social Engineering: Tricks of the Phishing Trade

It only takes a single click to potentially end up with an infected device. This infection can spread like wildfire across the corporate network and any connected devices. The infection could end up costing a company vast sums of money in downtime, lost data, and damaged reputation.

The single click experience is what both marketers and cybercriminals aspire to. By creating a situation where people don’t need to think too much before acting, you can more successfully capture an audience.

Marketers want to elicit an emotional response to a marketing campaign, engaging the individual with a product to the point where they click for more information or, even better, click to buy.

Cybercriminals, too, want to get that ‘knee-jerk response’, so they use similar tactics to get the human to click.

Digital criminals have advantages over their non-digital scammer equivalents. The reach, for example, is wider, with a ‘spray and pay’ approach by cybercriminals who use mass phishing campaigns to reach millions of targets. Or fraudsters can get personal and use targeted spear-phishing that focuses on an individual.

Phishing attacks are built around human behaviour – what makes us tick, makes us click. Much of this comes down to the silent training we have all had in using the internet. Web and app designers are focused on creating the ‘seamless UX’, i.e., an easy user experience that is based on a seamless technology-human interaction. The result is that we are all used to following certain patterns of behaviour in the digital realm. It is these patterns that cybercriminals use to trick us into the click action.

Spotting the Signs of Social Engineering

The techniques used by cybercriminals to trick the human brain into acting on a trigger are typical of how we normally develop human relationships:

Trust: Using a well-known brand as the basis for a phishing email allows the scammer to use trust to hack a human. Popular brands for mass target phishing campaigns include Office 365, Facebook, Google, and eBay. However, more targeted campaigns may pick a brand more closely aligned to a company, for example, a specific web app or vendor portal. These campaigns can make phishing emails even more difficult to detect and add an extra element of trust into the attack if the spoofed brand is closely connected and highly recognisable to the target. Even security vendors can be the victim of brand spoofing in phishing campaigns: Check Point Software, a trusted security vendor, had their brand used on a phishing website.

Curiosity and urgency: These are typical elements of a phishing campaign. Fraudsters trick users into doing their bidding by making them feel they are dealing with a trusted entity and the task is urgent. An example of this is an Office 365 phishing campaign from 2020. Researchers identified a campaign that began with an employee receiving an email showing a “missed voice message”. Users were prompted to click on a button to go to their Office 365 account to access the missed message. The message also showed a “Message from Trusted server” notification at the top of the email, to build on the ‘trust’ element. If the user clicked the button and entered credentials into the spoof Office 365 site, those credentials would be stolen.

The persuasive voice: Persuasion plays a major part in phishing success. According to research into marketing by Cialdini, there are six basic principles used to influence customer behaviour. These principles, alongside similar research into persuasion and influence, were used by a research team looking at how social engineering works in phishing. The researchers came up with five key elements of highly persuasive, and therefore successful, phishing campaigns:

  1. Authority: Use of an authoritative name, e.g., a company CEO
  2. Social proof: Build a campaign that uses peer pressure to encourage behaviour
  3. Liking, similarity, deception: Successful persuasion works when people or subject matters are familiar
  4. Commitment, Reciprocation & Consistency: People like to be consistent and like to believe what others say and do: repaying a favour, for example
  5. Distraction: By creating a sense of urgency, e.g., an item will be more expensive if you don’t act now, a scammer can distract a person from the signs of a scam.
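
The signs described in this section (a borrowed brand, urgency or curiosity wording, and a self-asserted trust banner like the one in the Office 365 voicemail campaign) can be turned into simple mail-triage signals. The following Python is an added example, not part of the original article; the brand-to-domain map, the regular expressions and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed brand -> legitimate sender domains (illustrative, not exhaustive).
BRAND_DOMAINS = {
    "office 365": {"microsoft.com", "office.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
    "google": {"google.com"}, "ebay": {"ebay.com"},
}
URGENCY = re.compile(r"\b(missed|urgent|immediately|act now|expires?)\b", re.I)
TRUST_BANNER = re.compile(r"trusted (server|sender)", re.I)
HREF = re.compile(r'href="https?://([^/"\s:]+)', re.I)

# Constructed samples; all addresses and hosts are made up.
PHISH = """\
From: "Office 365 Voicemail" <noreply@voicemail-portal.example>
Subject: You have a missed voice message

<p>Message from Trusted server</p>
<a href="https://login.voicemail-portal.example/o365">Listen</a>
"""
BENIGN = ('From: "Facilities" <facilities@corp.example>\n'
          "Subject: Car park closed Tuesday\n\nThe north car park is closed.\n")

def registrable(host):
    # Naive last-two-labels reduction; real tooling would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    """Return a list of social-engineering signals found in one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    body = msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in text:
            continue
        # Brand named in the message but sender or links belong to someone else.
        if sender not in domains:
            findings.append(f"trust: claims {brand}, sent from {sender}")
        findings += [f"trust: {brand} link points to {h}"
                     for h in HREF.findall(body) if registrable(h) not in domains]
    if URGENCY.search(text):
        findings.append("urgency: time-pressure or curiosity wording")
    if TRUST_BANNER.search(body):
        findings.append("trust: self-asserted 'trusted' banner in body")
    return findings
```

Urgency wording also appears in legitimate mail, so these findings are inputs for review or user warnings rather than a verdict on their own.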

The Emotions of Social Engineering

Emotional responses are those that are deeply ingrained in us all. The use of persuasion and emotional manipulation in phishing campaigns was explored in a 2018 study published by the American Psychological Society. The researchers looked at “emotional arousal as a fraud tactic”. The study found that people of all ages responded to both positive and negative persuasion messages and made poor decisions when responding. The study states that “emotional arousal can influence susceptibility to misleading information and that this effect occurs in both older and younger adults.” This behaviour plays neatly into the fraudster’s hands, and phishing messages often contain a component that elicits an emotional response, as seen in the examples above.

How to Stay Safe from Social Engineering

Social engineering is dangerous because it uses our natural behaviour to get us to click a malicious link or download an infected attachment. But phishing fraudsters also adjust techniques and tools to ensure continued success. The shifting patterns of phishing, coupled with a sophisticated manipulation of targets, make this insidious cybercrime type one of the most difficult to deal with. No single solution exists to prevent phishing success. Instead, a mix of Security Awareness Training and technical solutions is needed to detect and prevent a phishing attempt.
