Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

Security Awareness Automation

Easily Automate Security Awareness Training, Phishing And Policies In Minutes

Leadership

Meet the MetaCompliance Leadership Team

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

5 Examples Of Social Engineering Attacks: Learn How Social Engineers Trick Their Way In

5 Examples Of Social Engineering Attacks

about the author

Share this post

Explore in the article five famous examples of social engineering attacks and discover how these tactics deceive individuals. Humans are inherently social beings, enjoying mingling, communication, work, and shared activities. This sociability, rooted in trust, facilitates cooperation and coexistence within human groups.

However, these very social traits are also exploited by cybercriminals aiming to cause harm. Social engineering attacks capitalize on these vulnerabilities, employing deception and impersonation to manipulate individuals into actions that serve the scammer’s agenda.

This is borne out by the 2023 Verizon Data Breach Investigations Report (DBIR), which found that 82% of breaches involve a human element.

Here is a look at how social engineering attacks happen and what you can do to prevent your staff from being socially engineered.

How Do Social Engineering Attacks Happen?

According to a recent report, the average organisation experiences 700 social engineering attacks per year. Social engineering attacks come in many forms and evolve into new ones to evade detection.

The remit of a social engineering attack is to get someone to do something that benefits a cybercriminal. For example, trick a person into revealing financial details that are then used to carry out fraud.

Social engineering is not just carried out using digital methods. Social engineers will turn to any tactic to build the structures needed to trick people. This can include using the telephone or walking into an office and chatting with the staff.

Current favourite social engineering tricks include:

Pretexting and tailgating: attackers will pretend to be a co-worker or person in authority, e.g., a police officer. They will use this guise to establish trust with a target via a digital method, phone, or in person. Once trust is established, the scammer will attempt to extract information, such as personal data or financial details.

In addition, tailgators often carry out physical attacks on companies, finding ways to enter a building, slipping in unnoticed or even invited. Once inside a building, they can use readily available tools, such as RubberDucky USB used by legitimate penetration testers, to steal data, including login credentials.

Phishing: phishing comes in various flavours, including email, phone calls, social media posts, and text messages. Phishing attack messages encapsulate social engineering tactics, using pretense, trust, and the urge to click to encourage recipients to divulge personal information, such as passwords and credit card details.

A UK Gov study into cyber security found that the vast majority (83%) of businesses who identified a cyber attack said that phishing was the primary vector of the attack.

Spearphishing is the targeted form of phishing that takes social engineering to the greatest heights of success. Spearphishing emails are hard to differentiate from legitimate emails because scammers go to great lengths to make them look realistic, often forming trusted relationships with their target. Spearphishing is behind 93% of cyber attacks, according to the 2018 DBIR.

Baiting: this social engineering attack uses enticement or fear of missing out (FOMO) to encourage certain behaviours. For example, an employee may be offered free gifts if they provide personal or company information or passwords.

Why Are Social Engineering Attacks Effective?

Human beings have evolved to act and behave in certain ways to establish strong and cohesive social structures. Elements such as trust are vital components of coherent societies. Without trust, relationships fail.

Scammers understand human behaviour and the need to build trusted relationships. They also understand how to manipulate people by pretending to be a trusted person or building trust.

Other human behaviours such as the urge to do a good job, not get into trouble, or not miss out on a good thing are also abused by cybercriminals. All these natural actions we carry out daily in our home and work lives are open to exploitation by cybercriminals intent on stealing data and accessing networks to carry out malicious acts.

5 Examples of Social Engineering Attacks

Examples of social engineering are regularly in the press, but here are five to give you a flavour of how social engineering works:

Marriott Hotel: a hacking group used social engineering tactics to steal 20 GB of personal and financial data from a Marriott Hotel. The hackers tricked a Marriott Hotel associate into giving the hacking gang access to the associate’s computer.

US Department of Labor (DoL): this involved a socially engineered attack stealing Office 365 login credentials. The attack used sophisticated phishing based on cleverly spoofed domains that looked just like the legitimate DoL domain. The emails seemed to be from a senior DoL employee inviting them to submit a bid for a government project. Clicking the bid button took the employee to a phishing site used to steal credentials.

Zoom users: a phishing campaign targeting employees affected at least 50,000 users. The social engineers used fear of redundancy to encourage employees to click a link to meet with HR over Zoom. Clicking on the link took the employee to a fake Zoom login site designed to steal passwords.

FACC (Austrian aircraft manufacturer): FACC lost around 42 million euros when the company became a victim of a sophisticated Business Email Compromise (BEC) scam. The CEO of the company had his email account spoofed and then used to send an ‘urgent’ email request for a funds transfer. This email tricked an account payable employee who accommodated the request, paying the money into the scammer’s account.

Crowdstrike callback: even security vendors are feeling the force of social engineering. Crowdstrike has become an unwitting pawn in the social engineer’s game. Scammers are using the trusted brand of Crowdstrike and other security vendors to send phishing emails to employees. The email contains details of a possible malware infection and a phone number to call to remove the installed malware. If the employee reaches the number, they are tricked into giving the attacker access to their computer.

How to protect against social engineering attacks

Social engineering is successful because the technique manipulates our everyday actions. This makes it difficult for employees to spot that they are part of a social engineering attack.

Social engineering needs to be part of the conversation around security awareness, and security policies should reflect this. However, there are practical ways to ensure that employees are up to speed with the tricks that social engineering scammers play:

Make social engineering part of your security culture:

  1. Engage staff in regular updates on social engineering and how it works.
  2. Make sure that social engineering is part of your regular Security Awareness Training.
  3. Include social engineering in security awareness month posters and send newsletters to staff about the issues caused by social engineering.

Deploy phishing simulations: use an advanced simulated phishing platform to train staff on what phishing emails look like and to test their response to a phishing email. Tailor these emails to different roles in your organisation and base the simulations on known tactics used by scammers.

Penetration test your company and staff: set up various test scenarios to see how well staff respond to potential social engineering attempts. This can include tests to see how easy (or hard) it is to gain entry to the building.

Also, test out staff and their response to unknown individuals. For example, pose testers as cleaners or contractors and see how far they can get in extracting information about your company or asking for access to a computer.

5 Examples Of Social Engineering Attacks: Learn How Social Engineers Trick Their Way In
phishing French img

FAQ on Cyber Security Awareness Training Against Social Engineering

What is the importance of security awareness training in defending against social engineering?

The importance of security awareness training in defending against social engineering lies in its ability to equip employees with the knowledge and skills necessary to recognise and respond to such threats. This training helps reduce the risk of security incidents by teaching staff about the latest social engineering tactics and how to avoid falling victim to them. By fostering a culture of vigilance and informed behaviour, organisations can prevent costly breaches and ensure the safety of their digital assets. Security awareness training is a proactive measure to build a resilient defence against ever-evolving social engineering threats.

How can I improve cyber security awareness in my organisation?

Improving cyber security awareness involves implementing a comprehensive security awareness training programme. Start by selecting a robust security awareness training platform that offers engaging and relevant content. Ensure that the training covers various aspects of cyber security, such as recognising phishing attempts, secure password practices, and safe internet usage. Regularly update the training materials to address emerging threats and conduct periodic assessments to measure employees' knowledge. Additionally, encourage a culture of open communication about cyber security and provide ongoing education to keep employees informed about the latest threats and best practices.

Other Articles on Cyber Security Awareness Training You Might Find Interesting