Introduction
A lot of cyber attacks don’t start the way people expect them to. We often imagine a dramatic ransomware attack or a moment where suddenly everything stops working. That often isn’t the case, and if it is, the attack most likely started a while before.
Most attacks start with something small: an email, a phone call, or a request that looks like part of someone’s usual day-to-day role. And that’s why they’re so difficult to spot.
The short answer is
Most cyber attacks don’t start with a technical vulnerability. They start with a person being asked to do something that feels routine. Social engineering works because it takes advantage of how people naturally work, communicate, and make decisions under pressure, which is why awareness, processes, and culture play such an important role in cyber security.
Why SMEs are targeted
We speak with many organisations who still believe they won’t be the victim of a cyber attack because they’re a small business. It makes more sense for cyber criminals to attack big businesses and make more money, right? In reality, SMEs are often much easier to get into – and thinking you won’t be targeted is one of the reasons why. The main reason though, is simply the way SMEs operate. People are busy, decisions are made quickly, and there’s lots of trust between teams and even clients. Those distinctly SME traits are the same things make it easier for somebody to come in and ask for something that sounds reasonable.
What is Social Engineering?
The attacks mentioned above all fall under ‘social engineering’. This is where cyber attackers, instead of hacking into your business themselves, manipulate you or your staff to do it for them, often by doing a regular task that you’d usually do. Examples of social engineering are:
- Making an ordinary request feel urgent
- Pretending to be a colleague or a client (especially one with seniority)
- Speaking in a way that makes them feel familiar
- Creating enough pressure that it’s easier to act than stop and check
None of these techniques are complex; they’re just reliant on you doing your job like you always do.
Why it’s tricky to spot
The reason they’re difficult to spot, is the same reason they’re effective; they’re seemingly quite ordinary tasks. A password reset request, a client needing information quickly, a supplier needing information about an order. They’re all normal situations that don’t ring alarm bells. The regularity of these situations is what makes these attacks so difficult to spot in the early stages.
Additionally, once access is gained, usually nothing obvious happens. There are often no signs that anything is wrong or the business has been breached, but behind the scenes the hacker maybe be looking at how everything fits together: getting an understanding of your systems, access and processes, and where their attack will have the biggest impact.
So, to reiterate the earlier point, by the time there’s drama, the attack is well underway.
The Marks & Spencer Attack
The 2025 Marks & Spencer attack is a textbook example of the above. The breach began in February 2025 with an attacker impersonating an employee and contacting a third-party helpdesk. Using information that was publicly available, they were able to pass a verification check and request a password reset. At this point, nothing seemed out of the ordinary.
After gaining access, the attackers reportedly spent around two months inside their systems harvesting credentials, mapping systems and learning where an attack would have the greatest impact.
In mid-April customers nationwide began experiencing glitches including being unable to pay for items. By April 25th all online shopping had been suspended, and the catastrophic scale of the attack became clear: customers’ personal data had been stolen, and the impact on the company’s operations meant it was without stock for several weeks. The financial impact is estimated at ~£300 million in losses and a market value drop of over £1billion.
As we can see, this is a hugely impactful attack that stemmed entirely from successful social engineering.
What this means for your business
Social engineering changes the way businesses need to think about cyber risk because it’s not enough to stop something at the perimeter.
Unfortunately, there isn’t a tool that can solve this: the solution is understanding how people work and make decisions and building your approach around that. This means:
- Helping your people recognise when something isn’t quite right
- Having processes that hold up under pressure
- Ensuring your people have the confidence and space to challenge what might be a legitimate request
- Ensuring that taking short cuts and breaking process isn’t the norm
- Ensuring that cyber security training meets people where they are
- Having visibility of how your employees actually work
Of course, cybersecurity tools still matter and play a role in preventing cyber attacks, but social engineering highlights that protecting your business is about much more than implementing tools.
Conclusion
The biggest takeaway here is that cyber attacks don’t always look like cyber attacks. Social engineering doesn’t rely on breaking systems, it just relies on your team doing their normal jobs. For SMEs, this highlights an important shift in thinking. Cyber security isn’t just about technology; it’s also about behaviours, processes and creating a culture where your people feel comfortable pausing, checking and challenging requests. Because, unfortunately, with social engineering, the difference between a normal day and a major incident can just be a single conversation.
Want to keep in the loop?
Sign up for our Newsletter and get helpful articles like this one delivered straight to your inbox.
FAQs
What is social engineering in cyber security?
Social engineering is a technique where attackers manipulate people into taking actions that help them gain access to systems, data, or accounts. Rather than targeting technology directly, they target human behaviour.
Why are SMEs targeted by cyber criminals?
SMEs are often targeted because they tend to operate quickly, rely heavily on trust between teams, and have fewer resources dedicated to cyber security than larger organisations.
What are common examples of social engineering?
Common examples include phishing emails, password reset requests, impersonating colleagues or suppliers, and phone calls designed to create urgency or pressure.
Why is social engineering so effective?
Social engineering works because the requests often appear completely normal. Attackers take advantage of routine business processes and situations that people encounter every day.
What can businesses do to reduce social engineering risks?
Businesses should combine cyber security training, clear processes, verification procedures, and appropriate security tools. Just as importantly, employees need the confidence to pause, question unusual requests, and challenge anything that doesn’t feel right.
Can cyber security tools stop social engineering attacks completely?
No. Security tools are important, but social engineering attacks specifically target people. Reducing risk requires a combination of technology, training, processes, and awareness.