I frequently share insights on the significance of Cyber Awareness Training and its critical role in helping organisations defend against cybercrime. Cyber awareness training is a vital aspect of contemporary security strategies for everyone. It provides employees with the essential knowledge and skills needed to identify, respond to, and reduce cyber threats. This training is particularly effective in combating social engineering. It is arguably the quickest and cheapest measure an SME can implement to shore up its defences.

While many people are now familiar with the term social engineering, they may not fully understand its meaning. In the context of cybersecurity, social engineering involves manipulating, influencing, or deceiving individuals to gain unauthorised access to IT systems or to steal personal and financial information. It employs psychological tricks to lead users into making security errors or divulging sensitive data. The most prevalent form of social engineering is phishing.

Social engineering heavily relies on the six Principles of Influence identified by Robert Cialdini, a behavioural psychologist and author of “Influence: The Psychology of Persuasion.” These six principles are: Reciprocity, Commitment and Consistency, Social Proof, Authority, Liking, and Scarcity. Simply put, what these criminals seek is information, login credentials, passwords, names, phone numbers, and more. They are profiling your organisation to identify vulnerabilities, such as who manages accounts payable or whether you have an IT support company under contract that they could impersonate. In addition to phishing, they utilise various forms including vishing (voice phishing), smishing (SMS phishing), and simply calling to ask questions.

A rising threat that criminals are increasingly adopting is help desk social engineering tactics. In these schemes, attackers call an organisation’s IT help desk while posing as a legitimate employee, trying to convince the help desk agent to reset passwords or multi-factor authentication (MFA) for a specific account.

In recent years, these techniques have been used to access single sign-on (SSO) accounts and cloud-based application suites. Multiple criminal groups adopted this approach in 2024, targeting academic and healthcare institutions; in these cases, attackers used the compromised identities to extract data from cloud-based software as a service (SaaS) applications or to alter employee payroll information.

It is important to keep in mind that profiling isn’t about technology. An attacker uses social engineering techniques to profile your organisation before they ever start scanning your network for vulnerabilities.

Let’s now look at a scenario which we have entitled “The Helpful IT Contractor”.

Reconnaissance (Profiling the Target)

An attacker spends time gathering information about a mid-sized company:

  • Reviews employee profiles on LinkedIn
  • Identifies the IT helpdesk structure
  • Finds names of recent hires and projects
  • Notes that the company recently adopted a new cloud platform

The attacker now knows enough to sound convincing.

Initial Contact (Pretexting)

The attacker calls the finance department pretending to be from IT support:

“Hi, this is Alex from IT support. We’re fixing an issue with the new system rollout.”

They:

  • Use real employee names to build trust
  • Mention the actual cloud migration project
  • Create urgency: “We need to resolve this before payroll processing today”

Exploitation Attempt

The attacker asks the employee to:

  • Confirm their login details “for verification”
  • Install a “security patch” (malware)
  • Or approve a multi-factor authentication (MFA) request

If successful, the attacker gains:

  • System access
  • Credentials for lateral movement
  • Potential access to financial systems

How This Can Be Detected

Red Flags

  • Unexpected calls asking for credentials
  • Urgency or pressure (“must be done now”)
  • Requests that bypass normal IT procedures
  • Slight inconsistencies (email domain, phone number, tone)

Technical Indicators

  • Unusual login attempts (time/location anomalies)
  • Multiple MFA push requests
  • New software installation outside standard processes
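The two indicators above that live in identity-provider logs, repeated MFA push requests and logins at odd times or from odd places, can be checked automatically. The following is an added example (not code from the original post): a small Python detector run over constructed log lines; the log format, field names, thresholds, business hours and home country are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not real logs).
# Field names and the key=value layout are assumptions for this example.
SAMPLE_EVENTS = [
    "2024-05-14T02:03:10Z user=j.smith event=mfa_push country=GB",
    "2024-05-14T02:03:40Z user=j.smith event=mfa_push country=GB",
    "2024-05-14T02:04:05Z user=j.smith event=mfa_push country=GB",
    "2024-05-14T02:04:50Z user=j.smith event=mfa_push country=GB",
    "2024-05-14T02:05:20Z user=j.smith event=login_success country=RO",
    "2024-05-14T09:15:00Z user=a.jones event=mfa_push country=GB",
    "2024-05-14T09:15:30Z user=a.jones event=login_success country=GB",
]


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_anomalies(lines, push_threshold=3, window=timedelta(minutes=5),
                     home_country="GB", work_hours=(7, 19)):
    """Return (user, alert) tuples for MFA push fatigue and odd logins.

    push_threshold pushes inside the sliding window raise one fatigue alert;
    a successful login outside home_country or outside work_hours raises
    a location or time alert. All thresholds are assumed values.
    """
    alerts = []
    pushes = defaultdict(list)  # user -> timestamps of recent MFA pushes
    for rec in map(parse_event, lines):
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "mfa_push":
            pushes[user].append(ts)
            # Keep only pushes that fall inside the sliding window.
            pushes[user] = [t for t in pushes[user] if ts - t <= window]
            if len(pushes[user]) == push_threshold:
                alerts.append((user, "mfa_push_fatigue"))
        elif rec["event"] == "login_success":
            if rec["country"] != home_country:
                alerts.append((user, "login_from_unexpected_country"))
            if not work_hours[0] <= ts.hour < work_hours[1]:
                alerts.append((user, "login_outside_work_hours"))
    return alerts
```

On the sample data only j.smith trips the rules: three pushes within two minutes, followed by a 02:05 login from a country other than the assumed home country.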

How to Stop the Attack

People Controls

  • Train staff to:
    • Never share passwords or MFA codes
    • Verify identity via official channels
    • Challenge unusual requests—even from “IT”
  • Encourage a “pause and verify” culture

Process Controls

  • Enforce strict IT support procedures:
    • No credential requests via phone/email
    • All changes logged through a ticketing system
    • Require call-back verification using known numbers
  • Implement approval workflows for sensitive actions

Technology Controls

  • Multi-factor authentication (with number matching, not just push)
  • Endpoint protection to block unauthorized installs
  • Email and call filtering systems
  • Identity monitoring (detect unusual behaviour patterns)

Example of a Successful Defence

An employee receives the call but:

  • Refuses to share credentials
  • Reports the incident to IT/security/line manager
  • IT confirms no such request exists
  • Security team blocks the attacker’s number and flags related activity

Attack stopped before any damage.

Key Takeaway

Social engineering works by exploiting trust, urgency, and human behaviour—not technical vulnerabilities.  The strongest defence is a combination of:

  • Aware people
  • Clear processes
  • Enforced technology controls

Cyber Awareness training isn’t a nice-to-have, it’s essential. Your staff can be a very effective first line of defence, or they can be your biggest weakness. Such training is an iterative process; it should be done on induction and then at regular intervals through the year. It is not a fire-and-forget process.

This training doesn’t need to be costly; it can be delivered face-to-face, online, or through automated means. At H2, we offer all these options! Regardless of your choice, please consider this training an essential component of your strategy.

If you’d like more information on this topic, let’s chat!
