9 social engineering tactics businesses need to watch out for


Topics: IT Managed Services IT Security

By Calligo on 19 December 2019

Organizations routinely deploy a wide variety of IT security technologies, including of course anti-virus, anti-malware, anti-ransomware and anti-spam tools, but also increasingly sophisticated solutions such as behaviour analytics and intelligent threat detection. Despite these, even when coupled with the most robust processes and controls, their networks and data still remain vulnerable. This is because no software or policy can mitigate the most prevalent and notorious network weakness: their employees.

Cybercriminals prey on human naivety and curiosity, coupled with employees’ typical lack of cyber awareness, using a technique called “social engineering”.


Social engineering, in the context of cybercrime, is the use of psychological manipulation to convince users to provide confidential and/or personal information, or to click on a link that would either infect their network with malware or take them to a malicious site.


Types of Social Engineering:


Phishing:

Probably the most well-known type of social engineering attack. Over the years, cybercriminals have started creating increasingly convincing communications, whether appearing to come from someone in the company, a supplier, or even a bank. These communications will often require you to make a payment, click a link to an infected page, open a malicious attachment, or even visit a dummy page impersonating a known brand that asks you to “log in”.


Whaling:

A whaling attack is a subset of phishing that specifically targets high-profile individuals or company executives, because of their ability to authorise more impactful actions, their access to high-value networks and their access to finance systems. This is also referred to as CEO fraud.


Spear phishing:

Spear phishing is when cybercriminals single out a specific organization or individual to gain access to sensitive data.


SMiShing:

Similar to phishing emails, SMiShing uses SMS or popular messaging apps such as WhatsApp to trick people into giving away personal information or infecting their mobile phone. These messages often spoof financial institutions, government bodies, payment apps such as PayPal, popular online shopping companies and utility companies.


Baiting:

This social engineering attempt can be either online or offline. Online, baiting often takes the form of “clickbait”, purporting to offer something appealing such as free music or movie downloads, event tickets, corporate discounts etc., but where the links are actually dangerous. It is similar offline, where the malware may be delivered by infected USB sticks or other hardware that the cybercriminal convinces you to install, often remotely.


Vishing:

Vishing is voice-based phishing. Often someone poses as a manager or executive of the company, calling in anger or panic and creating urgency, which puts the user into a stressful situation. In August 2019, it was reported that a fraudster used AI to impersonate an executive’s voice and convince an employee to make a series of payments.


Tailgating:

Tailgating is an offline social engineering tactic, also known as piggybacking. A common tailgating attack is when a person impersonates a delivery driver or engineer, enters the building and gains access to restricted areas of the business. From our experience, it is more prevalent than many believe, especially in shared office spaces.


Social Media:

With the increasing tendency for people to document their personal lives across social media platforms such as Twitter, Facebook and Instagram, hackers now have access to a wealth of personal information. Answers to security questions are often personal, such as relatives, schools and maiden names, which are frequently found on social media profiles. Similarly, the more easily guessed passwords are based on personal information. Other attacks have included targeted scams, such as impersonating a lost or injured relative over social media and requesting financial help.


Typosquatting:

A cybercriminal will purchase domains with URLs very similar to those of popular and well-known brands, relying on users making typos when entering a URL. Unfortunately, these fake sites can deliver malware onto a device as soon as the user lands on them, or look so authentic that users hand over login and payment details.
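The look-alike domain tactic above, as an added example that is not from the Calligo post: a small Python detector that compares hostnames from constructed proxy log lines against an assumed list of trusted brand domains, flagging one-keystroke typos, digit-for-letter substitutions, swapped TLDs and brand names buried in the subdomain of an unrelated domain.

```python
from urllib.parse import urlsplit
# Assumed trusted list; a real deployment would use the organisation's own brands and suppliers.
TRUSTED = ["paypal.com", "microsoft.com", "calligo.io"]
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s"})  # digit-for-letter swaps

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance between two strings."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # adjacent-letter transposition
            cur.append(cost)
        prev2, prev1 = prev1, cur
    return prev1[-1]

def classify(host: str):
    """Return (verdict, trusted_domain). Assumes single-label public suffixes (.com, not .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    registrable, sld = ".".join(labels[-2:]), labels[-2] if len(labels) > 1 else labels[0]
    if registrable in TRUSTED:
        return "trusted", registrable
    folded = sld.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for brand in TRUSTED:
        name = brand.split(".")[0]
        if (folded == name                        # homoglyph or swapped TLD (paypa1.com, paypal.co)
                or edit_distance(sld, name) == 1  # one-keystroke typo (microsfot.com)
                or name in labels[:-2]):          # brand used as a subdomain of another domain
            return "lookalike", brand
    return "unknown", None

def scan(log_lines):
    """Flag look-alike hosts in proxy log lines of the form '<ts> <user> <method> <url>'."""
    hits = []
    for line in log_lines:
        host = urlsplit(line.split()[-1]).hostname or ""
        verdict, brand = classify(host)
        if verdict == "lookalike":
            hits.append((host, brand))
    return hits

LOG = [  # constructed sample lines, not real traffic
    "2019-12-19T09:00:01Z alice GET https://www.paypal.com/signin",
    "2019-12-19T09:02:14Z bob GET https://paypa1.com/login",
    "2019-12-19T09:05:30Z carol GET https://microsfot.com/office",
    "2019-12-19T09:07:45Z dave GET https://paypal.com.account-check.example/verify",
]
```

Hosts that are merely unknown are not flagged; tune TRUSTED and the distance threshold to the organisation's own traffic before alerting on every hit.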
