Social engineering remains the most pervasive form of cyberattack for one reason – humans are easier to hack into than most machines. Exploiting our psychological, personality or behavioural weaknesses, cybercriminals can dupe us to get unauthorised access to systems or gain financial rewards by deceiving their victims. Social-engineering attacks can be carried out through various channels, including emails (phishing), phone calls, SMSs, social media, chat apps, gaming platforms, and video conferencing.
The main reason social engineering is so effective is that it keeps evolving. There isn’t a clear or consistent pattern, meaning that, like the attacks themselves, we need to keep adapting in our response to them. We can’t rely on technology alone to help us because of the human element involved in social engineering. Moreover, the rapid advance of artificial intelligence has significantly altered the digital landscape. The rise of deepfakes, convincingly real images and videos artificially generated, has further exacerbated the potential for misinformation and manipulation.
Tools of the trade
Scammers excel at exploiting human emotions and cognitive biases to achieve their goals. They often use impersonation, where they gain your trust by pretending to be someone familiar or instilling fear, prompting you to act impulsively. This tactic is particularly effective, as it can lead you to make quick decisions, like clicking on a link or sharing sensitive information. Another common strategy is creating a sense of urgency or using the principle of scarcity to pressure you into taking immediate action. Finally, they may also leverage the concept of authority, posing as a figure of authority to manipulate you into compliance.
If you analyse the data, certain personality types and demographics are more prone to social-engineering threats than others. For instance, those who are easily distracted and impulsive may be easier to fool than others. Those who are sleep-deprived, stressed, and constantly multitasking may also fall prey to scams quicker than those who are calmer, attentive, and attuned to their own inner state.
These tactics have huge implications for businesses. The most obvious consequence of social engineering attacks is financial loss to your organisation, data breaches in which sensitive information is stolen, privacy violations, and potential business disruptions. The effect of a major security breach can be devastating to a company’s reputation, eroding customer trust and possibly leading to legal liabilities.
Defending your organisation
Given that the stakes are so high, what can organisations do to protect themselves from social engineering attacks?
Firstly, there are technological solutions to consider, such as email filters, which can detect and block phishing attempts before they reach employees. Phishing-resistant Multi-Factor Authentication is also a good idea as it adds a layer of security, making it harder for attackers to gain unauthorised access. Companies can also implement user-behaviour analytics to monitor and analyse employees’ activities to detect anomalies that could indicate a compromised account.
But technology alone is not enough. Companies need to invest in the right cybersecurity training, cultivating a human-centric security culture and mindful security practices.
In my research, I’ve demonstrated that the validated benefits of mindfulness can positively impact 23 out of 33 identified factors that make humans vulnerable to social engineering, including cognitive, psychological, behavioural, and situational factors. A mindful approach promotes a deeper level of awareness, encouraging employees to avoid multi-tasking and pause to notice their internal and external environment before reacting. It also develops key mental attributes, such as concentration, resilience, self-regulation and clarity.
For this to happen, a transformative shift in organisational culture is needed, fostering intentional slowing down, with executive support promoting employee wellbeing over immediacy. Integrating mindfulness concepts into training programmes, such as emotional phishing awareness training for frequent clickers and advocating a zero-trust mindset, can help enhance cybersecurity campaigns and awareness efforts.