Back 
According to Netskope’s recent “Year in Review” Cloud and Threat Report, the most common way cyber attackers gained access to organisations in 2023 was through social engineering.
While a favourite tactic of cyber criminals, at its heart, social engineering isn’t about someone breaking code while hunched over a glowing keyboard. It relies on individual human vulnerability, tricking people into opening the door for the attacker to walk through.
Identifying soft spots
While most people may believe they would never fall for such attacks, the truth is, we can all become more prone than others at different times. Anyone experiencing heightened emotions can easily be tricked into making security mistakes, providing unauthorised access to sensitive information, or even giving away sensitive information themselves.
Take Valentine’s Day for example. Romance scams are a serious business, with reported victim losses hitting a staggering $1.3 billion in 2022 in the US, and £92.8m in the UK in 2023. Like romance itself, these scams are not limited to February 14th—but that’s when victims can be most vulnerable.
Someone looking for love could be savvy enough to ignore unsolicited messages from a fake dating profile 364 days of the year but, if the Valentine’s hype has made them feel particularly lonely, perhaps they are more likely to respond. Even those with a special someone can experience heightened emotions around Valentine’s Day. If you’re excited about celebrating a milestone in your relationship, or you’re expecting to receive a surprise, you may be more likely to click on that $100 gift card offer without first checking that it’s from a legitimate source.
While love, loneliness, and excitement are easily recognisable emotions to take advantage of, anything affecting someone’s emotional life can make them vulnerable. Recently, with businesses across the technology sector continuing to announce mass layoffs, employees of tech businesses may feel uncertain about job security. This makes tech workers more susceptible to HR or job offer-related phishing links.
Controlling the risk
Organisations can defend against these attacks in a number of ways. The risk inevitably increases with the use of non-business apps on corporate devices, so some may choose policies that completely block access to personal apps—such as dating apps – on business devices. The recent rise in AI, for example, has seen many enterprises contemplate blocking ChatGPT and generative AI tools on their systems. However, outright blocking all non-business apps can create a stifling culture, limit innovation, and portray a lack of trust in the workforce.
Enterprises can instead implement a light touch method that relies on intelligent tools, along with security teams routinely scanning HTTP/HTTPS traffic, with a more agile approach that moves to the cloud, in a single-pass architecture. Multiple security controls can be used, such as cloud access security broker (CASB), secure web gateway (SWG), threat and data loss prevention (DLP).
They should also focus on education and raising awareness, coaching users to be alert in the moments before they click a link or access an unauthorised application. To help people understand their personal vulnerability, it’s important for personal risks to be highlighted, not just the impact on the business. Using examples of how attacks can impact—and stem from—people’s personal lives can help them better understand how they might be targeted.
Encouraging partnership
Whatever an organisation chooses to do, it’s impossible to prevent employees from ever clicking a nefarious link, and the biggest risk is often when users hide cyber incidents, especially those resulting from social engineering attacks where they might feel personally responsible.
If you’re compromised, reducing the time taken to mitigate the attack is crucial, so blaming victims of attacks is the wrong way to go. The key is to foster a culture of collaboration where the workforce is part of the process, rather than instilling a culture of fear. Educating employees in a climate of partnership can go a long way to reduce the risk of cyber criminals taking advantage of human vulnerability, helping to avoid heartbreak this Valentine’s Day and beyond.
To find out more about Netskope Threat Labs research into cloud threats like social engineering read our latest Cloud and Threat Report “2023 Year in Review.”
Read the blog