Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Leadership Team

Meet the MetaCompliance Leadership Team

Careers

Join Us and Make Cybersecurity Personal

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

Educating Employees About Social Engineering

Social Engineering | Top 5 tips to Beat the Hackers

about the author

Share this post

Cybercriminals have increasingly applied the ‘human factor’, aka social engineering, to great effect when carrying out a cyber attack. Several pieces of research show that this is not just hearsay and that social engineering is a successful cyber attack technique: data from PurpleSec’s security research, for example, found that 98% of cyber attacks are based on social engineering.

Cybercriminals have made our employees the front line of cyber attacks: targeting them using malicious emails; tricking them with spoof phone calls, and generally manipulating behaviour.

By educating our employees about social engineering tactics and techniques, a business empowers them to fight back against fraudsters. But certain best practices must be followed to ensure a successful program of social engineering education.

Here is the MetaCompliance guide to educating employees about social engineering:

What is Social Engineering?

Social engineering, in the context of cyber security, is a technique or series of techniques, used to manipulate a human being into doing something beneficial for a cybercriminal.

There are many tricks to the social engineer’s trade, and these can change over time as cybercriminals optimise their tactics. The result of social engineering is to trick employees (or the public) into handing over sensitive data, such as login credentials, or wire money to a fraudster, or make a mistake such as clicking a phishing link.

Social engineering is typically a stepwise technique, that involves:

  • Surveillance: Information gathering is a key component of a socially engineered cyber attack. Personal and business information on target employees is collected, targets are typically those working in areas such as accounts payable or IT administration.
  • Grooming the target: The information gathered during surveillance is used to build relationships with the target employee. Some fraudsters will even call the employee to create a friendly link with them, grooming them for exploitation.
  • Exploiting the mark: This is a key part of the socially engineered cyber attack, building upon the relationship developed using the gathered information. This relationship is exploited to execute the attack, for example, receiving a username and password over the phone or opening an infected email attachment.
  • Taking the hack to completion: The exploitation stage lays the ground to carry out the core part of the cyber attack. An experienced social engineer will be able to walk away from the cyber attack knowing that it will take some time for the employee or company to realise they have been exploited.

Examples of Social Engineering

Social engineering comes in many forms that include both low-tech, high-tech and often, hybrids of both. Some examples show the types of ways that our employees are socially engineered:

Massive Social Engineering Attack Against Google and Facebook

Business Email Compromise (BEC) is a scam that uses social engineering to trick an employee into sending a company payment to the fraudster, often involving large sums of money.

In 2019, a massive BEC scam stole around about $100 million from companies, including Google and Facebook. The scammers created a fake company with a similar name to a legitimate company that the target companies dealt with. From there they sent out spear-phishing emails to specific employees and agents of the victim companies.

To gain knowledge on which employees to target, fraudsters typically use surveillance techniques to understand how to best manipulate the behaviour of the target employee.

Microsoft 365 Scam

Brands such as Microsoft 365 are often used to socially engineer and trick employees.

A recent attack involving Microsoft 365, was created to steal employee login credentials. In this cyber attack, the fraudsters used techniques to evade email gateways, so the phishing emails were able to end up in a target employee’s inbox, looking like a seemingly legitimate Microsoft 365 email. The phishing email used a subject line about a “price revision.” and contained an Excel spreadsheet file as an attachment. The trick was that the “spreadsheet” was, in fact, a disguised .html file. The file redirected anyone opening it to a website that then requested they enter their Microsoft 365 login credentials.

5 Best Practices in Teaching Employees About Social Engineering

Once you are ready to educate your employees about social engineering it is worthwhile using these five best practices:

Best Practise One: Understand the Complex Web of Social Engineering

Build a knowledge base of social engineering tactics and techniques. This will form the basis for your education package. Social engineering is based on human psychology so understanding how fraudsters manipulate human behaviour is fundamental to preventing a successful cyber attack based on this method.

Therefore, training employees to recognise a social engineering attempt is more complex than education around phishing; however, phishing simulations should be part of a wider social engineering training program.

A comprehensive program of social engineering education should also include how these scams work and the types of behaviour or situations they manipulate, for example, trust, urgency, relationships, etc.

Best Practise Two: Security Awareness Training +SEE

General Security Awareness Training packages should always include education on social engineering. Security hygiene and general phishing awareness are all part of mitigating a successful social engineering attempt. Add social engineering education (SEE) to your wider Security Awareness Training programme to make social engineering tricks visible to all.

Best Practise Three: Smart Learning

Humans all tend to learn best when they are taught using interactive techniques. Research has identified certain criteria for effective learning:

  1. Make the lessons brief but informative:Build upon these and repeat them regularly for optimal learning.
  2. Interleaving or switching between ideas as you learn, creates natural breaks between sessions, helping to reinforce ideas. Make sure you also point out connections between different areas of cyber security and social engineering tactics to help employees understand the complexity of these types of attacks.
  3. Use ‘concrete examples’ to make the learning stick in the employee’s mind.

Best Practise Four: Rinse and Repeat

Social engineering, like other cyber security attack methods, is being continuously optimised by cybercriminals. Make sure that you carry out regular training sessions on social engineering as part of your wider Security Awareness Training program. Automate your security awareness campaign to improve and optimise training.

Best Practise Five: Make your Workplace a Social Engineering Zero-Tolerance Zone

By building the confidence of your workforce in detecting and preventing a socially engineered cyber attack your organisation will build a culture of security awareness.

This culture will cement your workforce against cyber attacks, even if the social engineering is complex and plays upon employee fears, behaviour, urgency, and relationships. This culture will extend to their home life too, making their general security better and helping to de-risk home working environments too.

In cyber attacks that use social engineering techniques, the human being is the security vulnerability. By empowering your workforce with the knowledge to detect social engineering attempts you empower your business and your employees.

Risk of ransomware

Other Articles on Cyber Security Awareness Training You Might Find Interesting