Social engineering is a term used by the National Cyber Security Centre (NCSC) to describe how cybercriminals manipulate people into revealing sensitive information or taking actions that help attackers gain access to systems and data.
For example, criminals might trick someone into opening a malicious email attachment, sharing confidential details, or installing harmful software. According to the NCSC and Action Fraud, many cybercrime cases involve individuals unknowingly, or sometimes even knowingly, allowing access to emails, networks, and other critical systems.
A common mistake many small business owners make is underestimating the risk. You might think, “We’re too small for cybercriminals to target” or, “We don’t have anything worth stealing,” or even, “Cyber security is too expensive.” But that is exactly what attackers want you to believe. Social engineering works by exploiting trust, fear, or a lack of awareness, making everyone a potential target.
Here at Wentworth Alexander Insurance Brokers, we are proud experts in Cyber Insurance. Read on below as we discuss the impact of social engineering attacks and how they could affect a business.
What Are Common Misconceptions Of Social Engineering?
“We’re Too Small For Cybercriminals To Target”
That couldn’t be further from the truth. Cybercriminals don’t just target large corporations; they’ll go after any opportunity to steal data, financial details, or anything else they can use for profit. Small businesses are often seen as easy targets because they typically have fewer protections in place.
Hackers often focus on the path of least resistance, targeting businesses or individuals with limited awareness of cyber threats. Instead of launching a single, high-risk attack to steal a large sum of money, they may carry out widespread, untargeted attacks that yield many smaller gains. These attacks won’t make headlines, but are just as dangerous, especially when they go unnoticed for weeks or months.
What Can Small Business Owners Do?
- Educate your team on the risks of phishing emails, suspicious links and requests for sensitive information.
- Use strong passwords, multi-factor authentication and antivirus software to create a barrier against attackers.
- Ensure regular backups are taken of your data so that you can recover quickly in the event of a data breach or ransomware attack.
- Flag any unexpected emails, login attempts or payment requests immediately so they can be dealt with appropriately.
Taking a proactive approach and being aware of the risks is the best way to avoid becoming an easy target.
“We Don’t Have Anything Worth Stealing”
This is a common misconception, but the truth is that every individual and business has data that cybercriminals can exploit for financial gain. They don’t just look for the obvious targets such as credit card numbers or bank account details; they are after anything they can use. Household bills, passport details, photos, social media accounts, online purchase history, family information, and even login credentials are all valuable to hackers.
For small businesses, the risk is equally as significant. Even if your business seems ‘too small’ to be targeted, it likely holds sensitive information, such as employee personal details, salary records, and connections to suppliers or customers. These links can be leveraged to access larger targets or infiltrate other systems.
What Does This Mean For Your Business?
Cybercriminals are opportunists. Even the smallest vulnerability can become an entry point. Therefore, protecting your data, no matter how insignificant it may seem, is critical.
Simple steps such as regularly updating passwords, using secure connections, and training employees to recognise phishing attempts can make a big difference.
Remember, any data has a value, so don’t make it easy for hackers to take it.
“Cyber Security Is Too Expensive”
While some cybersecurity measures may come with a price tag, addressing social engineering (the human side of cybercrime) can often be done at little to no cost. Focusing on awareness and good habits can significantly reduce your vulnerability.
Start with employee awareness and teach your team how to recognise and respond to common social engineering tactics, like phishing emails or suspicious requests for information. Simple initiatives like training sessions, phishing simulations, or regular reminders about best practices can go a long way in creating a security-first mindset within your business.
Try encouraging the use of strong, unique passwords, adding an extra layer of security with multi-factor authentication, and making it a priority for employees to install updates promptly.
Simple yet robust protocols for handling sensitive data, verifying unusual requests and managing access can reduce risks. For example, always confirm financial requests via a secondary method such as a phone call.
Cybercrime isn’t always the work of a sophisticated hacker group. Many attackers will exploit basic errors and oversights which are preventable with proper awareness and processes. Cybersecurity doesn’t have to break the bank; small, smart actions can make a big difference in protecting your business.
Types of Social Engineering Attacks
Cybercriminals use social engineering to manipulate individuals into revealing sensitive information or granting access to systems. These attacks often exploit trust, curiosity, or urgency. Below are some of the most common types:
Phishing
Phishing is a widespread, untargeted attack where criminals attempt to steal valuable information through emails or text messages. These messages often contain links to fake websites or attachments that install malware on a device.
More advanced variations include:
- Spear Phishing – A highly targeted attack focused on a specific individual, often using personal details to make the message seem legitimate.
- Whaling – A phishing attack targeting high-profile individuals like CEOs or executives, aiming for greater financial or data-related gain.
Baiting
Baiting lures victims with the promise of a reward for taking an action that benefits the attacker. This can be digital or physical:
- Clicking on a “Claim your £25 discount” link, which then installs malware.
- Finding a USB stick labelled “CONFIDENTIAL” and plugging it into a computer, unknowingly infecting the system.
- Entering personal details on a fake competition page for a “holiday of a lifetime.”
Pretexting
Pretexting involves criminals crafting a believable scenario to gain trust before requesting sensitive information.
A scammer may pose as a solicitor, claiming the victim is the beneficiary of a will. They then request personal details to “verify identity,” leading to identity theft or financial fraud.
Vishing (Voice Phishing)
This is phishing over the phone, where criminals create a sense of urgency to trick victims into sharing information.
For example, a voicemail claims you must “call back immediately to avoid a £80 parking fine.” The victim, fearing financial loss, complies, handing over bank details.
Quid Pro Quo
This scam offers an exchange, making it appear beneficial to the victim.
For example, a fake IT support call requests login credentials in exchange for “fixing” a non-existent issue.
Tailgating
Tailgating is a simple yet effective physical security breach, where an unauthorised person follows an employee into a restricted area by taking advantage of politeness or weak security measures.
Contact Spamming
Attackers hack an email or social media account and send messages to the victim’s contacts, often containing malware-infected links. Recipients are more likely to engage because the messages come from a trusted source.
Watering Hole Attacks
Cybercriminals compromise a legitimate website commonly visited by a target group. When users access the site, they unknowingly download malware, which can then spread across networks.
The Human Element
These attacks succeed because they exploit human behaviour: trust, urgency, curiosity, or fear. Scammers often use familiar branding, such as GOV.UK, well-known retailers, or banks, to appear credible.
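As an added example (not from the original article), the Python script below applies the warning signs described above to an incoming email: familiar branding on a sender domain that does not belong to that brand, urgency wording, and links that lead somewhere other than the sender’s domain. The brand table, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keyword -> domain it legitimately sends from. gov.uk is real; the
# bank entry is a constructed placeholder for this example.
BRANDS = {"gov.uk": "gov.uk", "examplebank": "examplebank.co.uk"}
# Phrases that create pressure to act without thinking (from the article's examples).
URGENCY = ("immediately", "within 24 hours", "account suspended", "claim your", "parking fine")

def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def score_message(raw):
    """Return (score, reasons) for a raw email; a higher score means review it before acting."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{display}\n{msg.get('Subject', '')}\n{body}".lower()
    reasons = []
    for brand, legit in BRANDS.items():          # brand mentioned, but not sent by that brand
        if brand in text and not same_org(domain, legit):
            reasons.append(f"mentions {brand} but sender domain is {domain}")
    hits = [p for p in URGENCY if p in text]
    if hits:
        reasons.append("urgency wording: " + ", ".join(hits))
    for url in re.findall(r"https?://[^\s<>\"']+", body):   # link host vs sender domain
        host = (urlparse(url).hostname or "").lower()
        if not same_org(host, domain):
            reasons.append(f"link to {host} does not match sender domain")
    return len(reasons), reasons

# Constructed sample messages: a parking-fine lure and an ordinary internal email.
PHISH = """From: GOV.UK Penalty Notices <notices@gov-uk-penalties.example>
Subject: Unpaid parking fine - act immediately

You must pay your £80 parking fine within 24 hours to avoid further charges.
Pay now: https://pay-penalty.example/pay
"""
LEGIT = """From: Dana Smith <dana@smallfirm.example>
Subject: Q3 invoice attached

Hi, the September invoice is attached. Let me know if anything looks off.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, score_message(raw))
```

The script only flags messages for a human to verify through a known-good channel; it is a prompt for the out-of-band check the article recommends, not a replacement for it.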
How To Minimise The Risk of Social Engineering Attacks On Your Business
The best defence against social engineering is awareness, both at a business level and as individuals. Cybercriminals rely on deception, urgency, and human error to gain access to sensitive data, making education and vigilance essential.
A single mistake, whether accidental, careless, or intentional, can have severe consequences, from financial loss to full system lockdowns due to ransomware. Here’s how you can protect yourself and your business:
Employee Training & Awareness
- Educate your employees on what social engineering looks like, including phishing, pretexting, and baiting.
- Conduct regular refresher training and phishing simulations to reinforce awareness.
- Encourage a “zero-trust” mindset: question unexpected requests for information, even if they appear to come from trusted sources.
Implement Strong Security Measures
- Use multi-factor authentication in case a password is compromised. MFA adds an extra layer of security before access is granted.
- Restrict USB port access on company devices to reduce the risk of malware from infected drives.
- Use unique, complex passwords and encourage password managers to reduce the risk of credential theft.
Be Skeptical of Unsolicited Messages
- If it sounds too good to be true, it probably is. Did you enter a competition for a free holiday or a sports car? If not, don’t click the link.
- Government agencies and banks won’t text or email you unexpectedly. If you receive an urgent message requesting personal details, always verify it directly through official channels.
- Cybercriminals often create a sense of panic to rush people into acting without thinking. Always confirm financial transactions through a second method, such as a phone call.
Secure Business Processes
- Restrict employee access to sensitive data based on role requirements.
- Establish clear protocols for verifying identity before sharing information.
- Regularly back up data and test recovery plans to minimise damage from potential breaches.
- Install antivirus software to protect your systems from most forms of attack.
Final Thoughts
Cybercriminals exploit trust, fear, and curiosity. Staying informed and implementing basic security measures can significantly reduce your risk. The more you and your employees understand social engineering tactics, the harder it becomes for criminals to succeed.
In 2025, the business landscape is dynamic and threats are ever-changing. Cyber insurance provides an extra layer of protection, helping businesses recover from the financial and operational damage caused by cyber-attacks. While strong security measures reduce the risk, no system is completely foolproof. A cyber insurance policy can cover costs associated with data breaches, ransomware attacks, and fraud, including legal fees, forensic investigations, business downtime, and customer notifications.
Cyber insurance ensures that if an attack does occur, your business has the support needed to recover quickly and minimise disruption.