
Last week, the Cyber and Fraud Centre-Scotland hosted two engaging events exploring social engineering: a Cyber Byte and Cyber Nyte. The sessions brought together expert panellists from around Scotland to unpack the real risks posed by social engineering, and how organisations can defend themselves. This blog highlights a few key takeaways from the sessions.
Social engineering is the manipulation of people to gain access to systems, data, or money, usually by impersonating someone trustworthy. Rafe Pilling of Secureworks highlighted that it is one of the most effective techniques used by criminals because it targets human instincts, not just software vulnerabilities.
Throughout both sessions, the panellists stressed that anyone can be caught off guard, from an employee rushing to respond to an urgent email, to someone clicking a link from a “colleague” that turns out to be a scammer.
How to spot it
Common red flags include:
Luiz Simpson of Bridewell highlighted that attackers often research their targets beforehand, using LinkedIn, social media, or company websites to craft convincing messages. These scams are becoming increasingly believable due to tailored messaging and a lack of errors.
One of the key themes of both sessions was AI. Jai Aenugu of Tech Force noted that cyber criminals are using AI and deepfake tools to make scams even more convincing.
In our Cyber Nyte session, Rebecca Roberts of Burness Paull discussed the regulatory expectations around social engineering, after returning from a secondment working with the ICO. The Information Commissioner’s Office (ICO) expects organisations to take reasonable and proactive steps to protect data, especially when the root of a breach is phishing or manipulation.
All panellists also mentioned that relying solely on software is not enough. If a breach occurs, the ICO will look at staff training records, response protocols and overall risk management.
A growing concern is social engineering attacks through supply chain or third-party providers.
Cieran Smith of Kubenet discussed how criminals exploit trust between organisations, spoofing supplier emails or inserting themselves into financial conversations. Panellists further advised reviewing contracts or ensuring third parties are included in cyber risk assessments.
The biggest takeaway from these sessions was the importance of a no-blame policy. All panellists agreed that creating a healthy culture around reporting is key to mitigating potential risk. By encouraging awareness, investing in a strong culture and adapting to new threats, we can all minimise social engineering threats.