Don't fall for the hook: how social engineering threatens YOUR data
- Privacy Protect Group Ltd.
- May 1
- 4 min read
Updated: Jul 23
In today’s digital world, data is one of our most valuable assets (1). From names and addresses to passwords, financial details and confidential business data, we trust organisations to keep our information safe. But there’s a growing threat that doesn’t rely on breaking through digital defences by hacking or coding at all; it relies on human interaction and the exploitation of human weaknesses. It’s called social engineering, and it’s one of the easiest ways for cybercriminals to get hold of sensitive data.

What is social engineering?
Social engineering is a type of cyber-attack that relies on tricking people into giving away confidential information (2). Instead of trying to break through firewalls or crack passwords, attackers simply ask, and often they get what they want. They deceive individuals into sharing confidential information by manipulating basic human trust and curiosity. Examples include:
- Phishing emails: messages that appear to come from trusted sources, such as your bank or a familiar service, asking you to verify or update your details.
- Fraudulent phone calls: impersonators posing as IT support who claim they need your login information to fix a problem (similar to what happened in the recent M&S cyber-attack).
- Suspicious text messages that prompt you to click links leading to fake websites designed to capture your data.
- In-person impersonation: someone pretending to be a contractor, service provider or delivery person to gain unauthorised access to premises and the information they contain.
It’s not about sophisticated coding or technical hacks; it’s about taking advantage of our natural willingness to help, or a moment of distraction. Social engineering manipulates people, not systems, and because we’re human (naturally helpful, trusting, or just distracted) it often works.
Why it matters
The main reason social engineering is so dangerous is that it bypasses many of the technical protections organisations put in place. You can have strong passwords, firewalls and encryption, but if someone voluntarily hands a password to an attacker, all of those protections can be rendered useless: a single moment of misplaced trust can open the door to significant data exposure.
When that leads to a data breach, meaning personal or sensitive data is lost, accessed or shared without permission, including being leaked or misused in any way, the consequences can be far-reaching. This threat affects organisations of all sizes, from multinational corporations to local businesses, schools, emergency services and local authorities. Data breaches resulting from such tactics can lead to financial losses, reputational damage and a loss of customer trust.
So if an organisation relies on personal data to any extent, it is at risk. And if you’ve trusted that organisation with your information, your data could be compromised.
What does UK law say?
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA18), organisations have a legal duty to:
- Keep personal data secure
- Prevent unauthorised access
- Ensure staff are trained in data protection
If social engineering leads to a breach, the organisation may have failed its legal duty. The Information Commissioner’s Office (ICO) can investigate and issue fines, and the affected individuals may have the right to compensation.
According to Article 32 of the UK GDPR and Section 40 of the DPA18, organisations must implement appropriate technical and organisational measures to ensure data security. That includes staff awareness training, incident response plans and access controls, all of which help reduce the risk of falling for social engineering attacks.
How to stay protected
Staying protected involves adopting a few key practices:
- Be cautious of unexpected requests. Whether they arrive by email, phone or in person, if something feels off, it probably is.
- Verify identities. Don’t share sensitive information without confirming the identity of the person asking.
- Look for red flags. Poor spelling, unusual requests, pressure to act quickly, or generic greetings (e.g. “Dear Customer”) can all be signs of an attempted social engineering attack.
- Verify links and attachments before clicking. Hover over a link to see the destination URL before you follow it. Be cautious with unexpected attachments: make sure you have up-to-date anti-virus software that scans attachments, and if in doubt, query it further. If the correspondence appears to come from a particular organisation, call them using contact details you already hold (not the ones in the message) and check that it really is from them.
- Report suspicious activity. If you notice anything out of the ordinary, alert your data protection officer, IT team or manager immediately. If you suspect your data has been compromised, contact the company you believe has been breached and ask them for assurances.
- Regularly train staff to spot and respond to social engineering attempts. Stay up to date with the latest social engineering techniques and take part in awareness programmes to keep your team informed.
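As an added example (not code from the original post or from Privacy Protect Group), the Python script below turns the red-flag checks in the list above into a small heuristic scorer: generic greetings, urgency language, look-alike sender domains, and the "hover over the link" check (visible link text naming one host while the actual href points to another). The phrase lists, the confusable-character pairs, the fictional example-bank.com domain and both sample messages are constructed for the illustration, and registrable_domain uses a last-two-labels approximation rather than a real public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Word lists and confusable pairs are constructed for this example; tune them to your own mail.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued customer")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent",
                   "account will be suspended", "act now", "verify your account")
CONFUSABLES = (("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w"))


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.example.com'; None if there is none."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate  # so urlparse treats bare hosts and full URLs alike
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host if host and "." in host else None


def registrable_domain(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host, trusted_domains):
    """Return the trusted domain that `host` imitates through confusable characters, or None."""
    domain = registrable_domain(host)
    if domain in trusted_domains:
        return None

    def fold(d):  # collapse each confusable pair onto the character it imitates
        for a, b in CONFUSABLES:
            d = d.replace(a, b)
        return d
    return next((t for t in trusted_domains if fold(domain) == fold(t)), None)


def assess_message(sender, body_html, trusted_domains=()):
    """Return the red flags raised by the heuristics; an empty list means none fired."""
    flags = []
    text = re.sub(r"<[^>]+>", " ", body_html).lower()

    # Red flag 1: a generic greeting instead of your name.
    greeting = next((g for g in GENERIC_GREETINGS if g in text), None)
    if greeting:
        flags.append(f"generic greeting: '{greeting}'")

    # Red flag 2: pressure to act quickly.
    flags += [f"pressure to act quickly: '{p}'" for p in URGENCY_PHRASES if p in text]

    # Red flag 3: the sender's address domain imitates an organisation you trust.
    sender_host = sender.rsplit("@", 1)[-1]
    if (imitated := lookalike_of(sender_host, trusted_domains)):
        flags.append(f"sender domain {registrable_domain(sender_host)} imitates {imitated}")

    # Red flag 4: the 'hover over the link' check done mechanically: the visible text names
    # one host while the real href leads to another, or the href host is itself a look-alike.
    parser = _LinkExtractor()
    parser.feed(body_html)
    for visible, href in parser.links:
        href_host, shown_host = host_of(href), host_of(visible)
        if href_host and shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            flags.append(f"link text shows {shown_host} but points to {href_host}")
        if href_host and (imitated := lookalike_of(href_host, trusted_domains)):
            flags.append(f"link host {href_host} imitates {imitated}")
    return flags


# Two constructed messages: a lure and a genuine notice from the same fictional bank.
TRUSTED = ("example-bank.com",)
PHISH = ("security@examp1e-bank.com",
         '<p>Dear Customer,</p><p>Your account will be suspended within 24 hours unless you '
         'verify your account now: <a href="http://login.examp1e-bank.com/verify">'
         'https://www.example-bank.com/secure</a></p>')
LEGIT = ("alerts@example-bank.com",
         '<p>Hello Sam,</p><p>Your March statement is ready. Sign in at '
         '<a href="https://www.example-bank.com/statements">www.example-bank.com</a>.</p>')

if __name__ == "__main__":
    for label, (sender, body) in (("lure", PHISH), ("genuine", LEGIT)):
        print(label, assess_message(sender, body, TRUSTED) or ["no red flags"])
```

Heuristics like these complement training rather than replace it: they surface the same cues the list asks people to notice, so a mail gateway or a "report phishing" workflow can show the reason next to a quarantined message. Each match is a hint, not a verdict; genuine mail sometimes uses urgent wording, and the two-label domain approximation will misjudge hosts under suffixes such as co.uk, which is why a real deployment should swap in a public-suffix list.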

Final thoughts
Social engineering is one of the most common causes of data breaches in the UK, and it’s also one of the most preventable (3).
Social engineering exploits our human nature through subtle manipulation tactics that bypass digital defences. By staying informed and exercising caution every time you interact with online or offline communications, you can significantly reduce the risk of falling victim to these attacks.
Protecting data isn’t just about technology, it’s about people and a culture of constant vigilance. Everyone has a role to play.
So, think before you click, pause before you share, and always verify unexpected requests.
There’s always more to learn about creating an environment where security is everyone’s responsibility. If you're interested in exploring further how interactive training sessions or even periodic simulated social engineering exercises could help reinforce these best practices, reach out to us and see how we can help!
References
(1) Redman, T.C. (2008). Data Driven: Profiting from Your Most Important Business Asset. Harvard Business Press.
(2) National Protective Security Authority (2023). Social Engineering. Available at: https://www.npsa.gov.uk/security-campaigns/social-engineering-0 (Accessed: 12 June 2025).
(3) Department for Science, Innovation & Technology (2025). Cyber security breaches survey 2025. Available at: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025 (Accessed: 12 June 2025).