Cyber Security July 16, 2026 4 MIN READ

Social engineering: the cyber-attack that targets people, not technology

Social engineering attacks are increasing. Discover how cybercriminals exploit trust, AI and human behaviour, and how your business can stay protected.

Social engineering: the cyber-attack that targets people, not technology

What would you do if your Managing Director called you and urgently asked you to approve a payment before the end of the day? The voice sounds familiar. They mention a real client, refer to a recent meeting and explain why it can’t wait. Everything feels genuine. Except it isn’t.

Cybercriminals don’t always try to break into systems by exploiting technical weaknesses. Increasingly, they’re exploiting something much easier: people.

Known as social engineering, these attacks rely on manipulating trust, curiosity, urgency and emotion to persuade someone to reveal sensitive information, transfer money or provide access to systems. As businesses strengthen their technical defences, people have become one of the most valuable targets.

Why are people the real target

“Social engineering is the human side of cyber-attacks,” explains David Dewey, Director at Ask4Support. “A threat actor is looking to exploit a person rather than a piece of technology.”

The starting point for many attacks is open-source intelligence (OSINT). Every employee leaves a digital footprint through LinkedIn profiles, company websites, social media accounts, online forums and publicly available records.

A LinkedIn profile may reveal someone’s role, responsibilities and colleagues. Social media posts can disclose hobbies, travel plans, locations or attendance at industry events. Individually, these details seem harmless, but together they allow cybercriminals to build a surprisingly accurate picture of their target.

Armed with this information, attackers can create highly convincing identities and believable scenarios. They may pose as suppliers, customers, recruiters, charity representatives, IT support or even trusted colleagues, all to make the interaction feel authentic enough that the target doesn’t question it.

Why AI is making attacks more convincing

Social engineering isn’t limited to phishing emails. Attacks now take place over the phone, through messaging platforms, video calls and even face-to-face. Artificial intelligence has accelerated this trend dramatically. Voice cloning technology is now inexpensive and widely accessible. Criminals can replicate someone’s voice using short recordings found online, making fraudulent calls far more convincing than ever before.

“We’re now at a point where somebody can record a voice, use AI to replicate it, and generate entirely new conversations that sound authentic,” says David Dewey. “That’s changing the landscape of social engineering significantly.”

Businesses are also seeing attacks through collaboration tools such as Microsoft Teams and messaging platforms including WhatsApp.

For example, an employee might receive a Teams message that appears to come from the IT department asking them to re-authenticate their Microsoft 365 account following a security update. The branding looks correct, the language is professional, and the request seems routine. However, the login page is fake, and the employee has unknowingly handed over their credentials to cybercriminals.

The consequences can be significant. A single successful social engineering attack can lead to financial loss, data breaches, ransomware incidents, business disruption and lasting reputational damage.

Building your human firewall

Technology remains an essential part of any cybersecurity strategy, but it cannot prevent every attack. Firewalls, antivirus software and email filtering are important, yet they cannot stop someone from being persuaded to trust the wrong person. That’s why businesses need to build human resilience alongside technical security.

Regular security awareness training helps staff members recognise common tactics and feel confident challenging unexpected requests. Staff should be encouraged to verify communications independently, particularly when money, sensitive information or system access is involved.

Simple warning signs can include unexpected urgency, requests to bypass normal procedures, slight variations in email addresses or messages that ask someone to act without following established approval processes.

Creating a culture where people feel comfortable questioning unusual requests is one of the most effective ways to reduce risk.

As David Dewey explains, “You should never trust anyone automatically. You should always verify. That’s one of the most effective ways to reduce the risk of social engineering.”

Reducing your risk of social engineering

At Ask4Support, defending against social engineering is part of a wider cybersecurity strategy that combines technology, processes and people. From security awareness training and multi-factor authentication to identity verification procedures and Zero Trust security principles, businesses can significantly reduce their exposure by building both technical and human defences. Get in touch with a member of the team to find out more

Talk to us

Got a question about anything in this article?

Send us a message and one of the team will come back to you, usually within the hour during business hours.

Your details are safe with us. See our privacy policy.

Get in touch today

Got an IT challenge
to talk through?

Our team is always happy to help: no pressure, no jargon, just honest advice. Call us on +44 1491 712 344 or email [email protected].