Social Engineering | What do we do when a scam is convincing?

We all encounter a scam at some point during our personal and professional lives. The question is, what do we do when the scam is so convincing that we accidentally fall victim?

It can happen to even the most security-conscious of us. If we do become a victim, we might feel embarrassed about not being able to spot it. However, simply clicking on a link is no cause for panic. It may be that the link simply leads to a page requesting login details and would not cause any damage to your device or system unless you interact with the landing page. Nevertheless, as a business, it is still necessary to carry out precautionary checks to be sure nothing malicious has been installed. In order to do this successfully, it is essential that you foster a culture where staff are encouraged to report anything suspicious, including where they may have accidentally clicked on a link.

At work, many people might feel reluctant to report things because they are worried about the consequences. Besides, if nothing happens when a suspicious link is clicked, then no harm done, right? But the harm is not always noticeable at that moment in time. Increasingly sophisticated attackers may not activate malware for days or even years. If unchecked, a cyber criminal can lurk on the device for as long as they need to, gathering information, user habits and general business routine. They may then use this information to facilitate a much larger attack, timing it to have the biggest impact on the business.

With that in mind, it is clear why all Social Engineering attempts should be reported. Even if no action was taken, sharing knowledge and raising awareness will prevent others from falling victim to the same scam. It is said that a business that adopts a positive culture towards reporting cyber crime is much stronger in its overall security. By gathering immediate reports, you can be proactive in protecting your business from further threat, as opposed to letting malware fester until it is too late. The success rate of a cyber criminal would be greatly reduced, and your business would be secure once more. Thus, there is no downside to encouraging staff to report accidental clicks; we are all human at the end of the day.

Naturally, it is preferable that incidents do not happen at all, which is why regular training is imperative to ensure that the majority of reports you receive are of attempts rather than successful actions. There are plenty of training tools online and companies who run simulations, so your staff can make mistakes in a safe environment and learn from them.

Create procedures for staff to follow so they know exactly who to report to, how to deal with the fraudulent content and any immediate actions that should be taken should they accidentally interact with the scam, such as running an antivirus scan. These procedures should not just cover cyber-related incidents but physical scenarios as well. Tailgating is one method used to gain access to the premises, allowing theft of equipment and data. For a glossary of Social Engineering techniques, click here. Once any attempt at fraud has been verified internally, it is important to report it to Action Fraud for further investigation. You should also forward the suspicious email to NCSC's Suspicious Email Reporting Service, who will take measures to protect many more people and businesses.

Social Engineering is an incredibly effective approach used by cyber criminals, but it is exceptionally easy to prevent if everyone works together: communicate your incident response procedures, encourage reporting and above all train your staff!