Social Engineering in Cyber Security: The Human Weakness


Whilst technical measures and understanding play a vital part in the arsenal of cyber security defences, they will never be enough without social engineering awareness. Technology can only protect an organisation to a certain extent; ultimately, people are both the first line of defence and the easiest target for attackers. So, what do we mean by social engineering? Social engineering exploits human psychology rather than system weaknesses: cyber criminals use manipulation and deception to gain unauthorised access to information or systems.

Common examples include phishing emails that mimic trusted brands to harvest login credentials, pretexting calls where attackers impersonate IT staff to extract sensitive data, or tailgating incidents in which an unauthorised person gains physical access to secure areas by following an employee through a door. Each of these relies on human trust, curiosity, or haste—traits that cannot be patched with software.

Humans are a high risk factor in cybersecurity

The BBC has numerous case examples of cyber breaches on its webpages. Many people think that they are too clever to be caught out by email and telephone scams, but in fact, fraud is becoming more sophisticated. Chris Hadnagy, a renowned security expert, explains that there is a psychology behind social engineering which involves the parent-child relationship. Children are the little people who get us to do things we never thought we'd do, and scammers apply the same principles. They build a rapport, creating trust, and often inject a sense of urgency into the scenario. This releases certain chemicals in the brain that allow victims to take an action they perhaps shouldn't take.

Impersonation fraud

Social engineering fraud has been identified by the international police agency, Interpol, as one of the world's emerging fraud trends. The last two years have shown an increase in this type of fraud, with reported losses in 2015 doubling to nearly £675 million. The growth of the internet has helped this trend because cyber criminals have access to more information online about their targets. Hackers can buy hacked company data and research their victims' profiles.

Emma Watson, a British businesswoman who was setting up a children's nursery, received a phone call from her bank's fraud team. They told her that they had stopped an unusual transaction on her account and, because she had been compromised, she had to transfer her money into some other accounts they had set up in her name. She said that they were completely professional, it was a clear line, and they knew her name. They were also reassuring; in fact, as it turned out, the bank wasn't calling at all. Emma transferred £100,000 into the fraudsters' accounts online. This is one such example and, unfortunately, one of many. More information can be found in the BBC News article "Vishing and smishing: The rise of social engineering fraud".

"We need organisations to take steps to secure their systems, to secure their businesses," says Richard Horne, CEO of the National Cyber Security Centre (NCSC).

To address this challenge, a specially designed Cyber Security Escape Room has been developed and can provide an engaging and highly effective form of experiential learning. By immersing participants in realistic, scenario-based challenges, employees are encouraged to apply critical thinking, collaboration, and situational awareness to solve problems under pressure.

The Escape Room - Cyber Security Training Virtual Experience

The hands-on nature of the Escape Room experience allows participants to see first-hand how social engineering tactics operate in practice, reinforcing key security behaviours in a memorable way. This interactive approach not only strengthens knowledge retention but also helps to embed a proactive, security-conscious mindset across the organisation, turning awareness into genuine behavioural change.


Author: Beverley Lewis, Cyber Security Co-ordinator, The Surrey Cyber Security Cluster
