Cyber Security Training & Software for Companies | MetaCompliance
How to Spot the Signs of a Social Engineering Attack

Knowing how to spot the signs of a social engineering attack can help prevent these types of attacks from being successful and protect your organisation’s sensitive data and systems.

Why go through the hassle of smashing down a door when you can ask someone to hand over the key? This scenario is the analogy that describes why social engineering has become the most used cyber attack technique.

The 2021 Verizon Data Breach Investigations Report noted an upward trend in the use of social engineering since 2017. Another report identified a 270% increase in social engineering-based cyber attacks in 2021.

The signs of social engineering are so difficult to spot because the technique manipulates the ordinary behaviours of everyday life. So how can an employee know whether they are the target of a social engineering scam?

What Is Social Engineering?

Understanding the various elements used during social engineering helps people to spot the signs of a social engineering attack.

Cybercriminals are always looking for ways to access sensitive information or to manipulate a business process in order to cause harm. The resulting harms vary, and include Business Email Compromise (BEC) scams and malware infection.

Both of these types of cyber attack are on the increase: BEC scams cost global businesses more than $43 billion in the five years to 2021, with a 65% increase in losses between July 2019 and December 2021; research found that 71% of companies were victims of a malware attack in 2021. Sophisticated and complex social engineering scams are behind these increases.

Social engineering exploits human behaviour so that individuals carry out actions that benefit the fraudster. In other words, fraudsters get individuals to unwittingly do their dirty work for them. The tactics used by scammers during a social engineering attack are based on manipulating behaviour, deception, and psychological tricks. This manipulation is helped by a lack of knowledge on the part of the individual target.

Social engineering is a subtle, intelligence-led attack method. Researchers Abid et al. have identified the typical lifecycle stages of a social engineering attack:

  1. Information gathering: reconnaissance to identify patterns of behaviour, apps used, and business processes that can be exploited. This gives the attacker the intelligence needed to establish a level of trust with the target and, later, to exploit that trust.
  2. Developing a relationship: this trust is used to build a relationship with the target in preparation for the next stage.
  3. Exploitation: the malicious task is carried out, for example clicking on a link in a phishing email or authorising a bank transfer.
  4. Execution: the final stage, in which the attacker receives money or gains access to login credentials that are used to install ransomware or access sensitive information.

With the stages of a social engineering attack in mind, how can you spot a social engineering attack before it’s too late?

Five Signs You Are Being Socially Engineered

Some of the most obvious signs are also the most difficult to spot, because they masquerade as routine events. However, the habit of noticing the unexpected, or sensing that something is just ‘not right’, is something that regular Security Awareness Training helps to establish.

Here are five typical signs of social engineering:

An Unexpected Attachment or Link

Phishing emails and smishing (SMS phishing) messages often contain either an attachment or a link to a malicious website. The message itself will use typical behavioural motivators, such as urgency, emotional pressure, curiosity, fear and threats, or other alarming statements such as a claimed security threat. Using these emotional pressures, the attack encourages the recipient to open the attachment or click on the link.

Think before you click a link or open an attachment. Does the message look legitimate? Check for signs of phishing: does the sender’s email address match the expected domain name? Is the language and grammar of the email a little off?

Check out the MetaCompliance Ultimate Guide to Phishing for more phishing email tell-tale signals.

An Unusual Request

Fraudsters may give themselves away by asking for something a little unexpected. This is especially noticeable if the fraudster is impersonating another person in the business, perhaps a CFO or CEO.

BEC scams, for example, may involve employees in the accounts department being sent a spear phishing email that appears to come from a C-level executive, asking them to make an immediate and urgent money transfer. Other phishing emails may ask the recipient to open a ‘voice recording’ attachment, and so on.

If a request seems out of the ordinary, stop and think: could this be a scam? Then perform a simple check – call the person who supposedly sent the request and ask whether it is legitimate.

An Urgent Request or Demand

Urgency is a prime example of a tactic used to manipulate human emotions. If an urgent request also looks like it has come from upper management or the C-level, then take a moment to check the request’s legitimacy.

Business Email Compromise (BEC) often involves the emotional manipulation of employees who work in the finance department. For example, a BEC fraudster will attempt to pressure an employee into wiring money by threatening a loss of business if they don’t act quickly.

Double-check the request by calling the person who supposedly made it.
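The checks from this section and the earlier ‘Unexpected Attachment or Link’ section can be applied mechanically to a message before anyone has to decide whether to act on it. The following Python is an added example, not MetaCompliance’s code: it parses one raw email and reports the signs the article describes (sender address outside the expected domain, a Reply-To pointing elsewhere, attachments or links, and urgency wording). The company domain example-corp.com, the lookalike examp1e-corp.com and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Urgency and threat words of the kind the article describes (illustrative list).
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|final notice|suspended)\b", re.I)

def spot_signs(raw_email: str, expected_domain: str) -> list[str]:
    """Return the social-engineering signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    signs = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    # Sign: sender domain differs from the expected one (catches lookalikes even
    # when the display name claims to be the CFO).
    if from_domain != expected_domain.lower():
        signs.append(f"sender domain mismatch: {from_domain or '<none>'}")
    # A Reply-To on another domain diverts the conversation away from the sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        signs.append("reply-to domain differs from sender")
    # Sign: unexpected attachment or link.
    body = ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            signs.append(f"attachment: {part.get_filename()}")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if re.search(r"https?://", body):
        signs.append("link in body")
    # Sign: urgent request or demand, in the subject or the body.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        signs.append("urgency language")
    return signs

# Constructed sample messages (not real traffic). The company domain is assumed to
# be example-corp.com; the fraudster writes from the lookalike examp1e-corp.com.
BEC_SAMPLE = """\
From: "Jane Doe, CFO" <jane.doe@examp1e-corp.com>
To: accounts@example-corp.com
Subject: URGENT - wire transfer before close of business

Please pay this supplier immediately, details at https://invoices.example.net/123
"""
BENIGN_SAMPLE = """\
From: Alice <alice@example-corp.com>
To: bob@example-corp.com
Subject: Lunch on Friday?

Shall we try the new place by the station?
"""
```

Running `spot_signs(BEC_SAMPLE, "example-corp.com")` reports the domain mismatch, the link and the urgency wording, while the benign message reports nothing; the domain check is the one a display name alone cannot defeat.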

An Offer Too Good to Be True

Cybercriminals sometimes use blackmail or coercion to extract information, especially during the information gathering stage of a social engineering attack.

Think twice if you receive an offer of money or a prize in return for sharing company or personal information, as it could be an attempt to compromise your account.

A Request on Social Media From Someone You Don’t Recognise

In the six months to June 2021, LinkedIn removed over 66 million spam and scam accounts from the platform, 232,000 of them after a user complained. Hackers create fake social media accounts and then reach out to make connections. Fraudsters use social media to collect information and to build relationships with targets and with the targets’ contacts.

If you receive a connection request on a social media platform, check the requester’s profile and look for signs that it may be fake. For example, do they have a complete profile and work history, and do they have legitimate recommendations?

Social engineering works and will continue to do so until we learn to spot the signs. Security Awareness Training that incorporates education in social engineering tactics empowers employees with the knowledge to stop scammers from exploiting their behaviour.
