Social Engineering: Why You Might Not Know Your Colleagues as Well as You Think

Nov 9, 2022

Let’s cast our minds back to 9-5 office working days, water cooler debates, and quick chats in the break room. We worked side-by-side with colleagues, usually seeing the same faces multiple times a week. With set routines and clear safety policies and procedures in place, it was hard to miss anything untoward happening.

Not anymore. While traditional offices were never Fort Knox, they were places with fixed, clearly defined security perimeters. Now, as more and more organisations move to a distributed workforce, colleagues that may have once regularly rubbed shoulders are working hundreds or even thousands of miles apart. The traditional perimeters of protection are dissolving.

The Unexpected Email

Remote and flexible working is bringing great benefits and new opportunities for people worldwide. But new ways of working have also been a boon to many cybercriminals. As the workforce becomes more physically dispersed, the number of face-to-face interactions between employees has significantly reduced. This distance gives criminals new opportunities to socially engineer employees.

For example, an employee might receive an email from a colleague making an unusual request. The email address is correct, but the tone is slightly out of character. In the past, the employee would simply walk to their colleague’s desk or office and ask if everything was OK. But as almost all interaction now happens online, uncertainty and the benefit of the doubt could lead to the employee handing over sensitive data that falls into the hands of a phishing attacker.

The Art of Phishing

Phishing is no longer just an email security problem. It’s an increasingly sophisticated, targeted, and ruthless method of attack, targeting an ever-widening range of communication and productivity applications and services. For example, popular cloud-based collaboration and file-sharing services such as Microsoft Teams, Slack, and Google Docs are now being used by criminals as an initial point of penetration into a business. This attack vector relies on implied trust: victims are familiar with the platform and access it daily, so they are more likely to go through the motions and keep their defences down.

Social engineering attacks in workplaces are also becoming more human-centric. This is evident by the rise in highly effective spear phishing campaigns – attacks that are targeted at a specific person or organisation rather than a wider audience of potential victims. Spear phishing uses advanced social engineering techniques to craft an effective campaign based on gathered intelligence about a target, usually to steal login credentials. Once in, the attacker can access a treasure trove of sensitive data, moving undetected and undeterred until they have accomplished their objective.

Even in hybrid workplaces – where employees divide their time between the office and home – there are many potential weak points for criminals to probe. Particularly in larger businesses, it’s easy to assume that someone ‘new’ is who they say they are if you haven’t met face to face. It has also become much harder to verify a person’s identity by sight alone. Even a moving image on a video call doesn’t give the complete picture. Bad actors can – and will – play on these gaps and uncertainties.

Continuous Education

The security risks of remote working are clear, but the answer isn’t to turn back the clock or build bigger walls. Instead, organisations can safely leverage the benefits of flexible working models by partnering with a trusted IT solutions and services provider to meet their unique security needs.

With the right support, organisations can put in place a zero-trust security framework that is not reliant on perimeter security, instead requiring each user, application, and device to individually pass an authentication test each time they access network resources. This enables a dispersed workforce to work and collaborate just as efficiently but with the peace of mind of knowing that the person they’re engaging with is who they say they are.

Cybersecurity awareness is also key to overcoming the risks of remote working. Continuous education builds employees’ knowledge and understanding of evolving security threats and essential cyber hygiene practices. Ideally, employees should be trained on cybersecurity once a quarter or more, with intermittent ‘live fire’ training exercises and regular reminders to stay diligent.

An organisation’s cybersecurity is only as strong as its weakest employee. This is why every single member of staff, regardless of role, needs to understand the potential impact a social engineering attack will have on the business, and take the necessary steps to reduce risk and remain vigilant. And while each employee must shoulder their share of responsibility, building this culture of security should be something that is driven from the top.

With these proactive and protective measures in place, businesses can continue to reap the benefits of remote and flexible working whilst keeping the social engineers at bay.
