Phishing 101

Don't get caught out by a 'simple' email

What is phishing?

Phishing is a form of social engineering. It involves sending messages that appear legitimate but are designed to manipulate people into taking an action; that might be clicking a link, opening an attachment, sharing information, or making a payment.

Phishing targets people, not systems.

What does phishing usually look like?

Phishing messages are designed to blend into normal work and daily life. Things to look out for include:

  • Something that sounds too good to be true (free chocolate for a year? unexpected pay rise?)
  • A sense of urgency ('action required', 'account suspended', 'payment overdue')
  • Requests that break routine (new bank details, unusual login prompts)
  • Messages that appear to come from trusted sources (colleagues, suppliers, senior leaders, known brands)
  • Slight inconsistencies (unexpected tone, unusual sender address, small spelling or formatting errors). However, AI is making it even easier for criminals, so you can't rely on spelling and formatting alone.
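
The indicators above can be checked mechanically as a first-pass triage aid. The following is an added example written for this page, not code from the original article or its authors: it scores a raw email against three of the signs listed (urgency wording, a display name that claims a brand while the address comes from an unrelated domain, and a link whose visible text names one host while it actually points at another). The keyword list, the brand-to-domain table and both sample messages are constructed assumptions for the example, not real data.

```python
"""Heuristic phishing triage over raw email text (added example, not from the page)."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Urgency wording taken from the indicators listed above (assumed, extend as needed).
URGENCY_PHRASES = ("action required", "account suspended", "payment overdue",
                   "within 24 hours", "immediately")

# Display-name fragments a reader expects only from these domains (constructed table).
TRUSTED_DOMAINS = {"examplebank": "examplebank.com", "acme payroll": "acme.example"}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_domain(from_header):
    """Return the lowercase domain of the address in a From header, or ''."""
    _, addr = parseaddr(from_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_mismatch(from_header):
    """True when the display name names a known brand but the address domain is not that brand's."""
    name, _ = parseaddr(from_header or "")
    domain = sender_domain(from_header)
    for brand, expected in TRUSTED_DOMAINS.items():
        if brand in name.lower() and not (domain == expected or domain.endswith("." + expected)):
            return True
    return False


def mismatched_links(html):
    """Return (visible_text, target_host) pairs where the link text shows a different host than the href."""
    out = []
    for href, text in LINK_RE.findall(html or ""):
        target = urlparse(href).hostname or ""
        visible = re.sub(r"<[^>]+>", "", text).strip()
        visible_host = urlparse(visible if "://" in visible else "http://" + visible).hostname or ""
        if visible_host and target and visible_host.lower() != target.lower():
            out.append((visible, target))
    return out


def triage(raw_message):
    """Return the list of indicator names found in a raw RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []
    subject = str(msg["subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = subject + " " + re.sub(r"<[^>]+>", " ", body).lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        findings.append("urgency")
    if display_name_mismatch(str(msg["from"] or "")):
        findings.append("display-name/domain mismatch")
    if mismatched_links(body):
        findings.append("link text/target mismatch")
    return findings


# Constructed sample messages; the domains and addresses are invented for this example.
SUSPICIOUS = """From: ExampleBank Security <alerts@examplebank-verify.example>
To: staff@company.example
Subject: Action required: account suspended
Content-Type: text/html

<p>Your account has been suspended. Confirm within 24 hours:</p>
<a href="http://login.examplebank-verify.example/">https://www.examplebank.com/login</a>
"""

BENIGN = """From: Sam Colleague <sam@company.example>
To: staff@company.example
Subject: Lunch on Friday
Content-Type: text/plain

Shall we book the usual place? Let me know by Thursday.
"""

if __name__ == "__main__":
    print("suspicious:", triage(SUSPICIOUS))
    print("benign:", triage(BENIGN))
```

A hit from this kind of scoring is a prompt to pause and verify through a second channel, not a verdict; as the article notes, well-written phishing may trip none of these checks, and a legitimate message may trip one.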

Don't think it's just your inbox that's under fire: phishing attempts can arrive via email, text messages (smishing), phone calls or voicemails (vishing), collaboration tools like Teams, or social media.

Why phishing works

Phishing continues to work so well because it exploits normal human behaviour:

  • Most people want to be helpful and efficient
  • We all try to respond quickly to urgent requests
  • Familiar names and brands make us feel comfortable
  • It's 2026: we have a lot going on, so we're busy and distracted

Strong technical controls can reduce risk, but they can't remove it entirely.

85% of businesses and 86% of charities experienced a breach or attack in the last 12 months.[1]

Phishing is one of the most common starting points for data breaches, ransomware incidents, fraud and financial loss, and account compromise. Many serious cyber incidents begin with a single message that looks routine.

How to avoid being fooled

Good phishing awareness focuses on pause and verification, not blame.

Here's what you should do:

  • Take a moment before clicking links or opening attachments in emails or text messages
  • Verify unexpected requests through a second channel (e.g., search for the company online and call the number on their website)
  • Report suspicious messages rather than ignoring them (your IT team will find the report useful for building up a pattern)
  • Treat unusual urgency as a warning sign (being given 24 hours to make an expensive decision is a red flag)

Cyber criminals take the path of least resistance, and manipulating human behaviour is often the easiest route in. Everyone is responsible for not falling victim to social engineering.
