
Last week, the Cyber and Fraud Centre-Scotland hosted two engaging events exploring social engineering: a Cyber Byte and Cyber Nyte. The sessions brought together expert panellists from around Scotland to unpack the real risks posed by social engineering, and how organisations can defend themselves. This blog highlights a few key takeaways from the sessions.

What is Social Engineering?

Social engineering is the manipulation of people to gain access to systems, data, or money, usually by impersonating someone trustworthy. Rafe Pilling of Secureworks highlighted that it is one of the most effective techniques used by criminals because it targets human instincts rather than software vulnerabilities.

Throughout both sessions, the panellists stressed that anyone can be caught off guard, from an employee rushing to respond to an urgent email, to someone clicking a link from a “colleague” that turns out to be a scammer.

How to spot it

Common red flags include:

  • Messages with urgent demands (“Please pay this invoice immediately”)
  • Unexpected file attachments or links
  • Requests that bypass usual checks and processes

Luiz Simpson of Bridewell highlighted that attackers often research their targets beforehand, using LinkedIn, other social media, or company websites to craft convincing messages. These scams are becoming increasingly believable because the messaging is tailored to the recipient and the spelling and grammar errors that used to give them away are gone.

The impact of AI

One of the key themes of both sessions was AI. Jai Aenugu of Tech Force noted that cyber criminals are using AI and deepfake tools to make scams even more convincing.

  • Flawless phishing emails: Panellists mentioned AI-generated emails are now written with natural language and correct branding, making them nearly indistinguishable from genuine messages.
  • Voice cloning: Criminals are using AI to clone voices and impersonate senior leaders or suppliers over the phone. Speakers gave examples where staff received phone calls from what sounded like a trusted executive, only to discover it was a scam.
  • Fake chatbots: Panellists explained how attackers are creating spoofed versions of live chat support, tricking users into giving away credentials or payment information.

From the regulator

In our Cyber Nyte session, Rebecca Roberts of Burness Paull, recently returned from a secondment with the ICO, discussed the regulatory expectations around social engineering. The Information Commissioner's Office (ICO) expects organisations to take reasonable and proactive steps to protect data, especially when the root cause of a breach is phishing or manipulation.

All panellists also mentioned that relying solely on software is not enough. If a breach occurs, the ICO will look at staff training records, response protocols and overall risk management.

Third party risks

A growing concern is social engineering attacks through supply chain or third-party providers.

Cieran Smith of Kubenet discussed how criminals exploit the trust between organisations, spoofing supplier emails or inserting themselves into existing financial conversations (for example, a thread about an invoice) to redirect payments. Panellists further advised reviewing supplier contracts and ensuring third parties are included in cyber risk assessments.

Final thoughts: Shaping a culture

The biggest takeaway from these sessions was the importance of a no-blame policy. All panellists agreed that creating a healthy culture around reporting is key to mitigating potential risk: staff who fear punishment delay reporting, and delay is what turns a clicked link into a breach. By encouraging awareness, investing in a strong culture and adapting to new threats, we can all minimise social engineering threats.