Spot the Scam: Recognising Phishing and Social Engineering Tactics

In an increasingly interconnected world, the reliance on digital communication has grown,
and with it, the threat posed by cybercriminals. Phishing and social engineering have emerged as two of the most effective tactics used to exploit both individuals and businesses. These scams come in various forms, from the well-known phishing emails to more sophisticated attacks such as vishing and quishing.

The prevalence of these scams can be attributed to their ability to prey on human psychology, manipulating emotions like fear, urgency, and trust. By recognising these tactics and understanding how they operate, you can better protect yourself and your business from falling victim to their traps. In this article, we will explore the most common phishing and social engineering methods, explain how they work, and offer practical steps to stay safe.

What is Phishing?

Phishing is a type of cyberattack that relies on deceptive emails, messages, or websites to steal sensitive information such as passwords, financial details, or even personal identity information. Despite years of warnings, phishing remains highly effective because scammers are constantly improving their techniques to make their communications look legitimate.

The fundamental goal of phishing is to trick the recipient into believing the communication is from a trusted source. These attacks can be highly convincing, often imitating well-known brands, financial institutions, or even government agencies. Below are some of the most common types of phishing attacks.

Types of Phishing

Email Phishing
One of the most widespread forms of phishing, email phishing involves sending fraudulent emails to a large number of people, hoping that at least a few will take the bait. These emails typically impersonate trusted organisations like banks or online services and contain messages designed to prompt action.

Example: You receive an email claiming that your Amazon account has been suspended due to suspicious activity. The email provides a link where you can “verify your account.” The link takes you to a fraudulent website that looks exactly like Amazon’s login page. If you enter your credentials, they are immediately stolen.

Signs of Email Phishing:

Generic greetings like “Dear Customer” instead of addressing you by name.
Urgent language pressuring you to act quickly (e.g. “Your account will be suspended unless you respond immediately”).
Suspicious attachments or links.

Spear Phishing
Spear phishing is a more targeted form of phishing, where the attacker personalises the email to a specific individual or organisation. These emails are usually crafted with great attention to detail, often including the target’s name, position, or other personal information, making them much harder to detect.

Example: A senior accountant at a company receives an email that appears to be from their CFO, asking for an urgent wire transfer. The email uses familiar language and refers to an ongoing project to make the request seem authentic.

How to Spot Spear Phishing:

Double-check the sender’s email address. Fraudulent emails often use a slight variation of a legitimate address.
Look for requests that seem unusual or out of character, even if they appear to come from someone you know.
If you’re unsure, always verify the request by contacting the person directly via phone or in person.

Clone Phishing
In this variation, the attacker creates an almost identical copy of a legitimate email that you have previously received. The attacker clones the original message but replaces the attachments or links with malicious ones.

Example: You received a legitimate email last week with an invoice from a supplier. Today, you get what seems like the same email, but the attachment has been replaced with malware. Because the email looks identical to the previous one, you may be tempted to open it without thinking twice.

How to Recognise Clone Phishing:

Look for small differences in the email’s language or layout, as attackers often miss minor details when cloning.
Always be cautious with attachments and links, especially if you weren’t expecting them.
Use a trusted antivirus program that scans attachments before you open them.

Whaling
Whaling is a highly targeted form of spear phishing, typically aimed at high-profile individuals within an organisation, such as CEOs or CFOs. These attacks are designed to steal sensitive corporate information or authorise fraudulent financial transactions.

Example: A CEO receives an email that appears to be from the company’s legal department, requesting confidential financial details in relation to a lawsuit. The email is crafted to be convincing, using legal jargon and mimicking the company’s internal communication style.

Defending Against Whaling:

Implement multi-factor authentication (MFA) to add an extra layer of security for high-level executives.
Train senior staff to recognise phishing tactics and encourage them to question unexpected requests for sensitive information.
Ensure that high-value financial transactions require multiple levels of approval.

What is Social Engineering?

While phishing often relies on digital communication, social engineering encompasses a broader range of tactics, many of which involve direct interaction with the target. The aim of social engineering is to manipulate individuals into revealing confidential information or performing actions that compromise their security. The success of social engineering lies in exploiting human emotions, such as trust, fear, and curiosity.

Common Social Engineering Techniques

Pretexting
Pretexting is a form of social engineering where the attacker fabricates a scenario to obtain sensitive information from the target. The scammer will often impersonate someone the victim knows or trusts, such as a co-worker, IT support, or a government official.

Example: An attacker calls an employee, pretending to be from the company’s HR department, and asks for personal details to “verify” their records. The employee, trusting the authority of HR, complies, unaware that they’re speaking to a scammer.

How to Spot Pretexting:

Be cautious when someone asks for personal or sensitive information over the phone or via email, even if they claim to be from a trusted source.
Verify the person’s identity by contacting them through official channels, such as a company phone directory.

Baiting
Baiting is a technique where the attacker offers something enticing to lure the victim into compromising their security. This can come in the form of free downloads, media files, or even physical devices left in public places.

Example: A USB drive labelled “Confidential: Company Financials” is left on a table in your office lobby. Out of curiosity, an employee plugs it into their computer to see what’s inside, unknowingly introducing malware into the company’s network.

Preventing Baiting Attacks:

Educate employees about the dangers of using unknown USB drives or downloading unsolicited files.
Install security software that can detect and block malware from external
devices.

Quishing (QR Code Phishing)
Quishing is a newer form of phishing that involves the use of malicious QR codes. Scammers may distribute these QR codes via emails, posters, or other forms of media, encouraging victims to scan them with their phones. Once scanned, the victim is taken to a fraudulent website designed to steal personal information or install malware.

Example: You receive a flyer advertising a “free meal” at a popular restaurant if you scan the QR code to download the voucher. When you scan it, you are taken to a fake website that asks for your credit card information to claim the offer.

How to Defend Against Quishing:

Be cautious when scanning QR codes from unknown sources or unsolicited messages.
Use a mobile security app that can scan and verify QR code links before you visit them.

Vishing (Voice Phishing)
Vishing, or voice phishing, involves attackers making phone calls to their victims, posing as legitimate institutions like banks, government agencies, or tech support. They typically use scare tactics to convince the victim to share sensitive information over the phone.

Example: A scammer calls, claiming to be from your bank’s fraud department. They inform you of “suspicious activity” on your account and request that you confirm your account details and security PIN. In reality, they are gathering the information to steal your identity.

Signs of a Vishing Attack:

Callers pressuring you for immediate action or using scare tactics.
Requests for sensitive information like passwords, account numbers, or PINs.
Caller ID spoofing to make it appear as though the call is coming from a
legitimate organisation.

Smishing (SMS Phishing)
Smishing uses text messages as a vector to deliver phishing attacks. These messages often claim to be from trusted sources like banks, government bodies, or delivery services, urging the recipient to click on a link or provide information.

Example: You receive a text message stating that a parcel could not be delivered and that you need to click a link to reschedule the delivery. The link takes you to a fake website designed to steal your personal and financial information.

How to Avoid Smishing:

Be wary of unsolicited text messages, especially those containing links or requests for sensitive information.
Always navigate to official websites by typing the address into your browser, rather than clicking on links in text messages.

How to Recognise a Scam: Key Red Flags

Phishing and social engineering attacks are increasingly sophisticated, but there are still
some common signs that can help you spot them:

Unfamiliar Senders: If you receive an email, text message, or phone call from someone you don’t recognise, especially if they are asking for sensitive information, take a step back and evaluate the situation. Scammers often impersonate people you trust, so verify their identity before acting.
Suspicious Links: Hover over links in emails or messages before clicking them. This will reveal the actual URL you’re being directed to, which may be different from the displayed link. If the URL looks suspicious, don’t click it.
Spelling and Grammar Mistakes: Many phishing emails and messages are poorly written, with noticeable spelling and grammar errors. While some attackers have improved their writing skills, it’s still common to spot these mistakes as a sign of a scam.
Unusual Requests: Be cautious of emails, messages, or phone calls requesting urgent action, especially if they ask for personal or financial information. Always verify the request with the supposed sender through official channels.

Protecting Yourself and Your Business

While phishing and social engineering attacks continue to evolve, there are several proactive
steps you can take to protect yourself and your organisation:

Employee Training: Regularly train your employees on the latest phishing and social engineering tactics. Ensure they understand the importance of vigilance and encourage them to report suspicious activity.
Use Multi-Factor Authentication (MFA): MFA adds an extra layer of security, requiring users to provide two or more forms of authentication to access sensitive accounts. This can help prevent attackers from accessing accounts, even if they’ve stolen a password.
Regular Software Updates: Ensure that all systems and software are up to date with the latest security patches. Many phishing attacks exploit vulnerabilities in outdated software.
Incident Response Plan: Develop a robust incident response plan that outlines the steps to take if a phishing or social engineering attack occurs. This will help minimise damage and recover quickly from any breaches.
Email Filtering and Firewalls: Use advanced email filtering tools to block phishing emails before they reach your inbox.

Conclusion

Phishing and social engineering attacks continue to be among the most effective cybercriminal tactics because they exploit the most vulnerable part of any security system—human psychology. By recognising the signs of these scams and implementing proactive security measures, you can significantly reduce the risk of falling victim to these attacks.

As cyber threats continue to evolve, awareness and education are critical. The more you know about phishing and social engineering tactics, the better equipped you’ll be to spot the scam before it’s too late. Empower your team, stay vigilant, and take action to protect both your personal and business information from cybercriminals.

Photos by Bernd 📷 Dittrich Zanyar Ibrahim ThisisEngineering Todd Cravens stephen momot on Unsplash

cyber threat intelligence sme cybersecurity SOS Intelligence

Case Study: Real-Life Phishing Incident – What Went Wrong and How to Prevent Similar Attacks

Cyberthreats Infographic – what you need to know

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.