Cyber Explained

Robert Shone 4 min read
The real weapon behind most cyber attacks isn't code. It's conversation.

Someone calls your IT helpdesk. They sound calm, professional, and helpful. They know the name of an employee. They say there's been a problem with a login and they need a password reset. The helpdesk agent — trained to be helpful, under pressure, dealing with dozens of requests a day — resets the password. The caller hangs up. They now hold a valid employee login: a foothold inside the network, from which everything else can be reached.

No hacking tool. No technical exploit. Just a phone call.

This week we covered a cyber attack on a medical equipment supplier that rippled into NHS hospitals. And last Friday we talked about one-time passcodes and why no legitimate company will ever call and ask you to read one out. Both stories share a root. That root is social engineering — and it's the most important concept in cybersecurity that most people have never heard of.


So what actually is social engineering?

Social engineering is the art of manipulating people rather than machines. Instead of looking for a flaw in software or breaking through a firewall, an attacker finds a flaw in human behaviour and exploits that instead.

It works because humans are wired to be helpful, to trust authority, to respond to urgency, and to avoid conflict. These are not weaknesses — they are the qualities that make us good colleagues, good neighbours, and good people. But they can be turned against us by someone who knows how to use them.

The core tactics appear in many forms. A caller pretends to be from your bank and creates enough urgency that you share information you normally wouldn't. An email appears to be from your boss, asking you to transfer money or click a link — immediately, before end of day. A text says your parcel couldn't be delivered and asks for a small fee to rearrange it. A pop-up on your screen warns that your computer is infected and urges you to call a number. In every case, the attacker isn't picking a lock. They're convincing someone to open the door.


A real example: the phone call that cost hundreds of millions

In April 2025, someone called the IT helpdesk of one of the UK's most recognisable retailers. They claimed to be an employee. They answered enough security questions to sound convincing. They asked for a password reset. The helpdesk granted it.

That single phone call was the beginning of one of the most disruptive cyber attacks ever to hit a major UK business. Attackers used the access gained through that conversation to move through the company's systems over several weeks, eventually deploying ransomware that shut down online shopping entirely for more than six weeks. The company's chairman later told a Parliamentary committee that the attackers got in through social engineering, which he called, in his words, "a euphemism for impersonation." The financial cost ran to an estimated £300 million in lost profit.

The attackers did not need to break through the company's technical defences to get in. They walked in through the front door because a person — doing their job, trying to be helpful — was deceived by someone who had done their homework. Everything that followed started from one legitimately issued password.


How do you spot it — and protect yourself?

Urgency is the biggest warning sign. Attackers create pressure because pressure short-circuits careful thinking. Any message — by phone, email, or text — that tells you to act now, immediately, before it's too late, deserves a pause rather than a response. Legitimate organisations can wait five minutes while you check.

Verify independently before you act. If someone contacts you claiming to be from your bank, your broadband provider, or even your own IT team, hang up and call back on a number you already have — from their official website or the back of your card. Do not use a number the caller gives you.

Familiarity is not the same as identity. An attacker who knows your name, your account number, or the last four digits of your card is not necessarily who they claim to be. That information is widely available through previous data breaches and social media. Knowing details about you does not make a caller legitimate.

If something feels off, it probably is. Trust that instinct. Ask a colleague. Slow down. No genuine organisation will penalise you for taking a moment to verify a request. Any caller who reacts badly to being questioned is telling you something important about themselves.

For businesses and schools: the most effective protection is making it culturally normal to stop and question unusual requests — even from apparent authority figures. The helpdesk agent who was deceived in the example above was not careless. They were doing their job. The answer is not blame. It is better processes and clear permission to say: "I'd like to verify this before I proceed."
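As an added illustration (this is not from the article, nor the code of any organisation it describes), here is how a helpdesk credential-reset check can encode the rules above as a policy that runs before any password is touched: the caller's familiarity earns nothing, a callback number supplied by the caller is ignored, a claim of urgency adds scrutiny rather than removing it, and only confirmation on a contact the organisation already holds, plus a second approver for privileged accounts, unlocks the reset. The directory, phone numbers, account names and request fields are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed directory standing in for the HR system / identity provider.
# The number on record comes from here, never from the caller.
DIRECTORY: Dict[str, dict] = {
    "a.patel": {"phone_on_record": "+441632960111", "privileged": False},
    "j.lee":   {"phone_on_record": "+441632960222", "privileged": True},
}

# Facts an impostor can plausibly hold from breach dumps, social media or the
# company website. Volunteering them proves nothing about identity.
PUBLICLY_KNOWABLE: Set[str] = {
    "full_name", "employee_id", "manager_name", "department",
    "date_of_birth", "last4_card", "office_location",
}


@dataclass
class ResetRequest:
    username: str
    caller_knows: Set[str] = field(default_factory=set)  # facts the caller volunteered
    callback_number: Optional[str] = None   # number the caller asked the agent to use
    confirmed_on_record: bool = False       # agent rang the number on record and the user confirmed
    approver: Optional[str] = None          # second person who signed off (privileged accounts)
    urgency_claimed: bool = False           # "I'm locked out and the meeting starts in five minutes"


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]


def evaluate(req: ResetRequest) -> Decision:
    """Apply the policy: independent verification, not familiarity, unlocks a reset."""
    reasons: List[str] = []
    record = DIRECTORY.get(req.username)
    if record is None:
        return Decision(False, ["no such account"])

    # Familiarity is not identity: publicly knowable facts earn zero credit.
    if req.caller_knows and req.caller_knows <= PUBLICLY_KNOWABLE:
        reasons.append("caller-supplied details are publicly knowable; not counted as verification")

    # Never call back on a number the caller gives you.
    if req.callback_number and req.callback_number != record["phone_on_record"]:
        reasons.append("caller-supplied callback number differs from number on record; ignored")

    # Urgency slows the process down; it never skips a step.
    if req.urgency_claimed:
        reasons.append("urgency claimed; flagged for review, not expedited")

    # The one thing that does count: confirmation on a channel we already hold.
    if not req.confirmed_on_record:
        reasons.append("no confirmation on the number on record; reset refused")
        return Decision(False, reasons)

    # Privileged accounts need a second, independent approver.
    if record["privileged"] and (req.approver is None or req.approver == req.username):
        reasons.append("privileged account without independent approver; reset refused")
        return Decision(False, reasons)

    reasons.append("identity confirmed out of band; reset permitted")
    return Decision(True, reasons)


def scenarios() -> Dict[str, Decision]:
    """Constructed requests: a call shaped like the one described above, and legitimate ones."""
    return {
        # Knows the name, employee ID and manager, supplies a callback number,
        # pushes urgency, was never confirmed on the number on record.
        "impostor": evaluate(ResetRequest(
            "a.patel", {"full_name", "employee_id", "manager_name"},
            callback_number="+447700900123", urgency_claimed=True)),
        # Genuine user, reached on the number HR already holds.
        "genuine": evaluate(ResetRequest("a.patel", confirmed_on_record=True)),
        # Genuine admin, confirmed, but no second approver yet.
        "admin_no_approver": evaluate(ResetRequest("j.lee", confirmed_on_record=True)),
        "admin_approved": evaluate(ResetRequest("j.lee", confirmed_on_record=True, approver="ciso")),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {'ALLOW' if decision.allowed else 'REFUSE'}")
        for reason in decision.reasons:
            print(f"  - {reason}")
```

The point of writing the policy down as code rather than as a poster on the wall is that the agent no longer has to win an argument with a persuasive caller: the system refuses until the out-of-band step has happened, so "I'd like to verify this before I proceed" is the only path, not an act of courage.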


Should you be worried?

Social engineering is the starting point for a large share of serious cyber attacks. Verizon's 2025 Data Breach Investigations Report found that the human element (which covers social engineering alongside mistakes and misused credentials) was involved in around 60% of breaches. That figure has stayed stubbornly consistent for years.

But worry is not the right response. Awareness is. Once you understand how these tactics work — the urgency, the authority, the familiarity — they become much easier to spot. The attacker's power depends on you not knowing what they are doing. The moment you recognise the pattern, the spell breaks.

The good news is that the same qualities that make us vulnerable — helpfulness, trust, willingness to act — are also what make us effective at defending against these attacks when we are informed. An alert, aware person is genuinely one of the best defences an organisation has.


🧠 The Human Factor

Technology involved: No technical exploit required. Social engineering targets people and processes, not systems.
Root cause: Attackers exploit predictable human behaviours: trust, helpfulness, response to authority, and urgency. The technology is just the prize at the end.
What was at risk: In the real example, access to internal systems, customer data, six weeks of online retail operations, and an estimated £300 million in lost profit.
Prevention: Independent verification before acting on any unsolicited request; a culture where questioning unusual requests is encouraged, not penalised; clear helpdesk processes that require identity verification on a contact already on record before any credential reset.

References and sources

  • M&S chairman oral evidence to the UK Parliament's Business and Trade Sub-Committee on Economic Security, 8 July 2025
  • M&S vs Co-op: How Two 2025 Cyber-Attacks Ended So Differently — MTI (September 2025)
  • Verizon 2025 Data Breach Investigations Report — verizon.com
  • National Cyber Security Centre guidance on social engineering — ncsc.gov.uk
  • Unit 42 Global Incident Response Report: Social Engineering Edition, Palo Alto Networks (2025)

Last updated: 26 March 2026 We update breaking stories as new information becomes available.