Emma Woods

Why Your Employees Are Falling For Social Engineering Attacks

From phoney emails with harmful links to fake calls asking for sensitive information, social engineering attacks are increasingly targeting your employees. But why are they so successful?
Social engineering is nothing new. For as long as people have walked the face of the Earth, con men have crafted new ways of attack through sophisticated social hacking. But there’s one minor difference in how these attacks are delivered in the modern day, and it all comes down to the surge of online communications.

Attackers have a breadth of new ways of exploiting human flaws through technology, and modern-day employees are feeling the brunt of it. But why do social engineering attacks work so well? And why are employees so easily persuaded into parting ways with highly sensitive data?

Well, it all comes down to a combination of human nature and social norms - and there are five psychological factors in particular that make employees easy pickings…



  1. Curiosity
  2. Naivety
  3. Reciprocity/Social Obligations
  4. Overconfidence
  5. Narcissism



#1 Curiosity

Our curiosity is targeted every single day. Our email inbox is laden with click-baity subject lines, and so too are the articles and social posts we try hard to scroll past. Social engineering relies on this - and attackers know we’re suckers who can’t resist the bait.

Even though employees are becoming increasingly aware of fake websites and harmful downloads waiting on the other side of these links, natural curiosity proves a strong force. After all, if we don’t click the link, how do we really know what the cast of “Saved By The Bell” are up to these days?




#2 Naivety

Regardless of what you might think after a Monday morning commute, people generally tend to be good and trustworthy in everyday life. This gives businesses a problem.

Most employees don’t come into contact with malicious actors very often, which makes it hard to imagine that the link they’ve received or the request they’ve been sent is of a sinister nature.





“Did you know...? Cyber criminals are more likely to use social engineering, rather than hacking into your network.”




#3 Reciprocity/Social Obligations

Online attackers know that a favour can go a long way, as most of us feel indebted to return the gesture - but that isn’t always a good thing.

As a good example, a study from just a couple of years back showed that nearly half of people would give up their password when handed a chocolate just before being asked for it. While this same technique is used all the time in social engineering, it’s unlikely you’ll be getting any chocolates in exchange...





#4 Overconfidence

Overconfidence is another human trait that social hackers take advantage of all the time, and C-level employees are known to be favourite targets for this type of attack.

Spear phishing, whaling and business email compromise (BEC) attacks are becoming more common, with the experience that execs gather over the years often adding to the false sense of confidence when replying to legitimate-looking requests. Below is a perfect example of a whaling email an employee received:


[Screenshot: example of a whaling email received by an employee]



#5 Narcissism

Parallel to the growing use of social media is the growing trait of narcissism. Millennials, especially, are now accustomed to a desire for more friends and a desire to know (and to have known) where everyone is and what they’re doing at any given time.

This kind of information is gold for a social engineering attack, with the narcissistic nature of social media often being used as a go-to resource for scoping a target.




How do you combat employee social engineering?


There’s no denying the difficulty in changing employee behaviour. How do you get your employees to even care about the threat of social engineering, let alone learn the risks and then retain and use that information?

Building a strong cyber security culture might sound like an impossible task, but there are ways to make the job much less daunting. Automated security awareness training is an increasingly popular approach that enables businesses not only to educate employees and protect the business, but to do so without draining their time and money.


Social engineering is just one of the key threats that awareness programmes can cover in depth, and learner progress is often tracked to ensure that this information isn’t just going in one ear and out the other. To get a better idea of how these programmes work, get instant free access to the usecure security awareness training platform and try it out (no card details needed).

