
Social engineering: What it is and how to avoid being a cybercrime victim

When we talk about cyber resilience, it’s not just IT systems that are vulnerable to criminal exploitation. Individuals are capable of being ‘hacked’ too, and it is often our personal information which allows these attacks to be so successful. Offenders are becoming ever more adept in targeting people’s confidential information, gleaning such data as passwords and bank details through very straightforward methods.


Who is following you on social media?

A good social engineer may take weeks or months getting to know a company in a variety of ways. Scouring the major social media sites and business websites for bits of personal information about you is an easy win. Unsecured, public profiles are the most useful, but even if you keep your privacy settings on high, there’s no guarantee that a family member or close acquaintance has not shared information about you on their profiles.


And there are other sources of information: hackers will use public electoral roll records available on people-finding websites, as well as records held by Companies House. These may help identify where subjects have lived or currently live. There is also an organisation’s own website, which may provide information on roles, contact details, logos and partners.

Other information may be collected by researching organisations you’re affiliated with, for example local charities or a local board you sit on. Personal details send strong signals about your interests and the types of appeals that might be most effective on you.

Cybercriminals will use the information they have been able to gather through social engineering to contact individuals by email, telephone, text or social media message. They will pose as a legitimate organisation to lure their targets into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. Once they have these, they can steal data, compromise accounts, commit fraud or even sell the data on to other criminals.

Having a digital presence comes with risks

One of our member businesses contacted us to discuss options for additional preventative measures it could take due to the expansion of its digital footprint. The company has great awareness that cyber threats are increasing, and hackers are looking to find the weakest link to gain knowledge and information on corporate individuals to impersonate them.

The company also made the extremely crucial point that it was important to make its employees aware of their individual digital footprint, meaning the information about them that is publicly available. The WCRC’s Corporate Discovery service provided our member with a detailed report on all senior managers and board members, outlining their digital footprint. Identifying the weaknesses allowed the company to remediate any high-risk information sharing, and the report provided guidance and feedback for its employees to help them stay secure.


According to the Cyber Security Breaches Survey 2024, phishing accounted for 84% of the reported cyber-attacks by small businesses and for 83% of charities in the last 12 months. We’ve explored some of the methods that cybercriminals can employ, and there are recommended measures from the National Cyber Security Centre (NCSC), which you can apply to improve your business’s resilience against this form of attack:


  1. Adjust your privacy settings on social media. Encourage connections and family members to do the same. This will reduce the surface of publicly available information that may be investigated by people with malicious intent.

  2. Ask yourself: Do I really need to post this? Then ask yourself: What information am I giving out? Evaluate the information you are sharing and how it could be used by a cybercriminal.

  3. Check and crop pictures – these can often reveal information you hadn’t meant to share publicly.

  4. Set up multi-factor authentication (MFA) and ensure you have a strong and unique password.

  5. Be wary of cold calls – one method we have seen recently is the criminal posing as being from an IT provider.

  6. Opt out of people-search sites.

  7. Finally, be aware of your digital footprint. Remember, you can use the Malwarebytes Digital Footprint Portal to check your digital footprint and Have I Been Pwned to see if you have been subject to any data breaches that may have revealed passwords and other details.


If the WCRC’s Corporate Discovery service sounds of interest, please contact us to organise a chat about how it could further strengthen your business security. Alternatively, sign up to be a core member today and have immediate access to resources and tools that walk you through some really practical cyber security basics.





The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for Wales is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for Wales provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for Wales does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for Wales is not responsible for the content of external internet sites that link to this site or which are linked from it.
