
Phishing and social engineering: why it works

Phishing doesn't target your systems, but your people. Here's how to make your team resilient.


An attacker rarely needs to crack your systems these days. It’s far easier to mislead your people. That’s what social engineering is about: exploiting not the technology, but the person. Phishing is its best-known form: a message that looks just real enough to get someone to do something they shouldn’t have.

The good news: you don’t have to be afraid of this. You just have to help your people recognise it. And that’s very doable.

Why it works

Social engineering works because it plays on how people are wired. We’re inclined to trust as long as nothing’s clearly suspicious. Attackers know that, and use a few simple levers:

  • Authority. The message looks like it’s from your boss or the finance team, with a request that brooks no argument. “Transfer this before noon.”
  • Urgency. Something has to happen now, or things go wrong. “Your account will be blocked in 15 minutes.”
  • Fear. A threat is put in front of you. “Your account has been breached, click here to prevent worse.”
  • Temptation. Something nice beckons. “Click here to claim your credit.”

The clever part is that these messages look like perfectly ordinary work communication. That’s what makes them hard to spot, unless you know what to look for.

The tricks you’ll see now

Gone are the days when bad spelling warned you. With the help of AI, the tricks have become a lot slicker:

  • Fake websites. A page with the same logo, the same colours and almost the same link as the real one, built to coax out your login details.
  • Misleading links. A link that looks trustworthy but sends you somewhere else. One click can be enough.
  • Shortened links. Handy in daily use, but you can’t see where they lead. Better to preview a link before you click.
  • Cloned voices. With AI, someone’s voice can be imitated. A “colleague” or “family member” calling with an urgent request for money or a password sounds real, and that’s exactly what makes it dangerous.
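The link tricks in the list above (a display text that points one way while the link goes another, a lookalike domain, a shortener that hides the destination) can be caught mechanically before anyone clicks. The following is an added example, not code from the original article or the company behind it. It assumes a small, illustrative list of shortener domains and confusable characters, and approximates the "registrable domain" as the last two labels of the host rather than consulting a public-suffix list, so it runs offline.

```python
import re
from urllib.parse import urlparse

# Assumption: a short illustrative list of public link shorteners, not exhaustive.
SHORTENER_DOMAINS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

# Assumption: character swaps commonly used to build lookalike domains (illustrative).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.

    Assumption: no public-suffix list is available offline, so 'co.uk'-style
    suffixes are not handled; good enough to illustrate the checks.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise_confusables(domain: str) -> str:
    """Map lookalike characters back to the letters they imitate."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def analyse_link(display_text: str, href: str, trusted_domains: list) -> list:
    """Return a list of human-readable findings for one link in a message.

    display_text: the text the reader sees (anchor text or a pasted URL).
    href: where the link really goes.
    trusted_domains: registrable domains the organisation actually uses.
    """
    findings = []
    host = urlparse(href).hostname or ""
    actual = registrable_domain(host)

    # 1. Shortened link: the destination is hidden from the reader.
    if actual in SHORTENER_DOMAINS:
        findings.append("shortened link: destination hidden")

    # 2. Display text shows a domain that differs from the real destination.
    shown_match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    if shown_match:
        shown = registrable_domain(shown_match.group(1))
        if shown != actual:
            findings.append(f"display text points to {shown} but link goes to {actual}")

    # 3. Lookalike of a trusted domain, or a trusted name buried in an unrelated domain.
    for trusted in trusted_domains:
        if actual == trusted:
            continue
        if normalise_confusables(actual) == normalise_confusables(trusted):
            findings.append(f"{actual} looks like trusted domain {trusted}")
        if trusted in host and host != trusted and not host.endswith("." + trusted):
            findings.append(f"trusted name {trusted} embedded in unrelated domain {actual}")

    return findings


if __name__ == "__main__":
    # Constructed sample links; example.com stands in for the organisation's own domain.
    samples = [
        ("https://www.example.com/login", "https://www.example.com/login"),
        ("https://www.example.com/reset", "https://examp1e.com/reset"),
        ("Click here", "https://bit.ly/3xyz"),
        ("example.com", "https://example.com.account-verify.net/x"),
    ]
    for text, url in samples:
        result = analyse_link(text, url, ["example.com"])
        print(f"{text!r} -> {url}: {result or 'no findings'}")
```

The mismatch check (point 2) is the one that matters most in practice: mail clients and chat tools show the display text, and the real `href` only appears on hover or in the message source. Run the same routine over every link in a message and the genuine-looking ones with a hidden destination stand out immediately.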

At a wholesaler or a finance department, you often see this as invoice fraud or a fake request “on behalf of the director” to make a quick payment. Not because your people are foolish, but because it looks genuine.

How to make your people resilient

You don’t defend against this with one button, but with clarity and a few habits everyone understands and keeps up:

  • Make it discussable. Show how these tricks work. People who recognise them fall for them less.
  • Verify when in doubt. If it’s about money, data or login details, check the request through a different, trusted channel, for example by calling the number you already know.
  • Allow yourself to slow down. A message that claims urgency can wait a moment. A short pause prevents a hasty slip.
  • Turn on multi-factor authentication (MFA). Even if a password is stolen, that extra step keeps the door shut.
  • Make reporting easy. The sooner something odd is reported, the faster you can stop it.

Each takes little effort, and together they make a big difference. With us this is a standard part of the managed IT service: we keep the technology sharp and help your people become more resilient, because they’re your most important defence.

A few questions we often get

What’s the difference between phishing and social engineering?

Social engineering is the umbrella approach: manipulating people instead of systems. Phishing is its best-known form, usually by email. Other forms run via phone, text or even a cloned voice.

How do I recognise a phishing message?

Watch for unexpected urgency, an unusual request (especially around money or login details), and senders or links that aren’t quite right. When in doubt: don’t click, verify through a channel you trust.

Can you arrange this for our people?

Yes. We can make awareness part of the managed IT service, tailored to your business: not a one-off mandatory session, but something that sticks.

Want to know how resilient your organisation is? The free security scan also touches the “people and awareness” part. Or book an intro call, and we’ll look together.

Questions about your own IT?

Take the free scan and see how your own IT is doing, instead of leaving it at general knowledge. Want to talk it through? A no-strings intro call is always an option.

Free and no-strings, no sales pitch.