Social Engineering: How Hackers Manipulate People, Not Just Systems

July 18, 2025 | News by Apex Computing

Social engineering is one of the most effective tools in a hacker's playbook - and it doesn't require any technical skill to work. It relies on tricking people. In cyber security terms, social engineering is the act of manipulating individuals into handing over confidential information, clicking malicious links, or granting unauthorised access to systems.

In this blog, we'll break down what social engineering is, why it's a growing threat, and what happens when SMEs don't factor it into their cyber security strategy - using real-life examples.

What is Social Engineering?

Social engineering attacks are based on psychological manipulation - tricking people into doing something they shouldn't, like clicking a dodgy link or giving up a password.

The most common types include:

  • Phishing - Fake emails or messages that appear legitimate (often mimicking a trusted company or colleague)
  • Spear Phishing - A more personalised phishing email, tailored with specific information about your business or staff
  • Vishing and Smishing - Voice (phone) or SMS phishing where fraudsters pretend to be banks or IT support
  • Pretexting - The attacker pretends to be someone with authority to gain trust and information
  • Baiting and Quid Pro Quo - Offering something tempting (like a fake USB drive or free software) in exchange for access
  • Tailgating - A physical breach where someone follows an employee into a secure premises without permission

These attacks work not by cracking systems, but by exploiting human behaviour: trust, urgency, or fear. Even the most cautious employees can fall for a cleverly crafted ruse.

Why Social Engineering Can't Be Ignored

For SMEs - especially in cities like Manchester - social engineering is a serious threat. And it's on the rise.

  • It's the Number 1 entry point: The UK Government reports that 84% of cyber attacks on businesses start with phishing. If you're not training your staff to spot it, you're leaving the front door wide open
  • SMEs are top targets: Hackers often see smaller businesses as easier prey - fewer defences, less staff training, and weaker internal processes. Just because you're not a household name doesn't mean you're safe
  • The costs are huge: A single attack could result in data theft, system lockouts, business disruptions or major financial loss. Worse still, the reputational damage can linger long after the breach
  • It's evolving fast: Criminals are now using AI to write better scam emails, impersonate voices, and create more convincing pretexts. What looked suspicious 5 years ago now looks completely normal

Even if your business has antivirus software and firewalls, none of that will protect you if someone on your team is fooled by a convincing email or phone call.

Real-Life Big Name Scams

Let's look at how these attacks have played out in real scenarios:

CEO Voice Scam - UK Energy Firm

An employee at a UK energy firm received a call from what sounded exactly like their CEO. The voice requested a £200,000 transfer to a supplier. The employee complied, only to later discover the call had been faked using AI voice cloning. The attackers deepfaked the CEO's voice and pulled off a highly convincing fraud.

$100 Million Scam - Google and Facebook

Both tech giants fell for a phishing scam where attackers posed as a real hardware supplier and sent fake invoices. Over $100 million was paid out before the fraud was discovered.

Phished From Within - Twitter

In 2020, hackers used social engineering to gain access to Twitter's (now X) internal tools by pretending to be IT support. Once in, they hijacked high-profile accounts. The breach wasn't caused by a system flaw - it was a manipulated employee.

And it's not just large organisations that have been hit - here are a few examples from companies just like yours, all of which we've dealt with:

North West Construction Company's CEO Impersonated

An accounts clerk at a Manchester-based construction SME (around 50 staff) received an email apparently from the MD requesting urgent payment to a supplier to secure materials. The tone and email signature matched previous emails. They transferred £22,000. It was only when the real MD walked in a few minutes later that they realised something was wrong.

Lesson: There were no internal payment verification procedures. After the incident, they introduced a simple two-step sign-off process for payments, and trained their staff in spotting phishing emails.

Phishing Attack on a Law Firm

A 30-person North West-based law firm received a phishing email that looked like a Microsoft 365 login prompt. One solicitor entered their password, which gave the attackers access to sensitive client files. The criminals then sent fraudulent emails to clients requesting payment to a new bank account.

Cost: Over £75,000 was lost before the fraud was caught. Several clients left, citing loss of trust. The firm took six months to recover.

What Happens if You Don't Address It?

  • Financial Loss: Fake invoice scams, payroll redirection, and fraudulent transfers are common. Many SMEs lose £8,000+ per incident, with little chance of recovering the funds
  • Business Disruption: If a phishing email delivers ransomware, your systems could be locked for days - or longer. No email, no systems, no work
  • Legal and Regulatory Issues: If customer data is exposed, you may need to report it under GDPR - potentially facing investigations or fines
  • Reputational Damage: Customers expect you to protect their data. A breach could severely damage trust

How to Defend Against Social Engineering

At Apex Computing, we believe the best protection is a layered approach: combining employee awareness, smart processes, and strong technology.

Security Awareness Training

Training your team is your first line of defence. We use KnowBe4, a leading platform for interactive security training and phishing simulations. Our clients see real improvement - staff stop clicking suspicious links, and start reporting them instead.

"Criminals are using social engineering to greater effect... education is essential," says our MD, Daniel.

Simulated Phishing Campaigns

We can run fake phishing tests to see who clicks - without risk - and use the data to tailor your team's training. This turns your workforce into a human firewall.

Policies and Verification Checks

We help you put in place clear rules and processes. For example, any email requesting a payment or password reset should trigger a verification step - like a phone call or second sign-off.
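The verification rule above - any payment or password-reset request triggers a check before anyone acts - can be written down as a triage step that a mail gateway or helpdesk script runs on each inbound message, alongside the sender checks that would have caught the MD-impersonation email described earlier (a colleague's name on a lookalike domain). The Python below is an added example written for this post; it is not Apex Computing's or KnowBe4's tooling. The organisation domain, staff directory, supplier list, similarity threshold, keyword lists and all three sample messages are constructed assumptions.

```python
"""Email triage rule: does a message need out-of-band verification before
anyone acts on it?  Added example for illustration; it is not Apex Computing's
tooling, and every domain, name and message below is constructed."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data (assumptions made for this example).
OUR_DOMAIN = "example-construction.co.uk"
DIRECTORY = {"Jane Smith": "jane.smith@example-construction.co.uk"}  # name -> mailbox
KNOWN_SUPPLIER_DOMAINS = {"trusted-supplier.example"}

PAYMENT_RE = re.compile(r"\b(bank details|new account|wire|transfer|invoice|payment)\b", re.I)
CREDENTIAL_RE = re.compile(r"\b(password|verify your account|sign in|log ?in)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|urgently|immediately|asap|today)\b", re.I)


def lookalike_domain(domain, trusted):
    """Return the trusted domain that `domain` closely resembles, or None.
    An exact match is trusted; a near-miss (one swapped letter, an extra
    character) is the trick used in MD-impersonation emails."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if SequenceMatcher(None, domain, t).ratio() >= 0.85:  # threshold is an assumption
            return t
    return None


def triage(raw_email):
    """Return {'action': ..., 'reasons': [...]} for one RFC 5322 message."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"  # plain-text bodies only

    sender_flags = []
    # 1. A colleague's display name on an address that is not their mailbox.
    expected = DIRECTORY.get(display_name)
    if expected and address != expected:
        sender_flags.append(f"display name '{display_name}' used from {address}")
    # 2. Sender domain is a near-miss of our own or a known supplier's.
    target = lookalike_domain(domain, {OUR_DOMAIN} | KNOWN_SUPPLIER_DOMAINS)
    if target:
        sender_flags.append(f"domain '{domain}' resembles '{target}'")
    # 3. Replies would be diverted to a different address.
    if reply_to and reply_to != address:
        sender_flags.append(f"Reply-To '{reply_to}' differs from From")

    request_flags = []
    asks_payment = bool(PAYMENT_RE.search(text))
    asks_credentials = bool(CREDENTIAL_RE.search(text))
    if asks_payment:
        request_flags.append("asks for a payment or bank-detail change")
    if asks_credentials:
        request_flags.append("asks for credentials or a password reset")
    if URGENCY_RE.search(text):
        request_flags.append("pressures the reader with urgency")

    # Policy from the post: any payment or credential request triggers a
    # verification step (phone call on a known number, second sign-off).
    # Sender anomalies on top of such a request mean hold the message.
    if (asks_payment or asks_credentials) and sender_flags:
        action = "hold_and_verify"
    elif asks_payment or asks_credentials:
        action = "verify_before_acting"
    else:
        action = "deliver"
    return {"action": action, "reasons": sender_flags + request_flags}


# Constructed sample messages (not real correspondence).
MD_IMPERSONATION = """From: Jane Smith <jane.smith@example-constructlon.co.uk>
Subject: Urgent supplier payment

Please transfer £22,000 to the supplier today to secure the materials.
New account details below.
"""
GENUINE_INVOICE = """From: Accounts <accounts@trusted-supplier.example>
Subject: Invoice 1042

Please find attached our invoice for payment by the end of the month.
"""
TEAM_LUNCH = """From: Jane Smith <jane.smith@example-construction.co.uk>
Subject: Team lunch

Shall we do Friday?
"""

if __name__ == "__main__":
    for name, sample in [("MD impersonation", MD_IMPERSONATION),
                         ("Genuine invoice", GENUINE_INVOICE),
                         ("Team lunch", TEAM_LUNCH)]:
        result = triage(sample)
        print(f"{name}: {result['action']} - {'; '.join(result['reasons']) or 'no flags'}")
```

Note that the genuine supplier invoice still comes back as "verify_before_acting": that is the point of the policy. A payment request from a real supplier goes through the same two-step sign-off as a fake one, so staff never have to judge authenticity from the email alone. The sender checks only decide whether the message is additionally held before it reaches the accounts inbox.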

Cyber Security Tools

We offer managed endpoint protection, email filtering, and multi-factor authentication. These tools catch suspicious activity before it causes harm.

Cyber Essentials Certification

We can guide your business through the Cyber Essentials (or Plus) certification process - helping you meet government standards and win trust with clients.

Why Apex?

We work with SMEs across Greater Manchester as a support partner that isn't just there to sell software: we become your cyber security partner. Our Apex Cyber Security Sphere bundles together training, monitoring, detection, endpoint protection, and advisory support - all managed by our in-house team.

Whether you're unsure if your team would spot a phishing email or you've already experienced a scare, we'll work with you to tighten your defences without the jargon.

Apex Computing

At Apex Computing Services, we've been growing with our customers since 2003 and now have a team of 20 highly professional and experienced technical engineers covering all aspects of IT Support, Cloud Solutions, IT Infrastructure, Business Continuity, GDPR compliance and Cyber Security.