Understanding Social Engineering Fraud

Do you know the difference between vishing and phishing? Would your team be able to spot a Social Engineering scam? In the last few months, we have seen several successful cyber attacks on Early Years settings, ranging from nursery owners receiving calls from “HMRC” demanding immediate payment of an overdue debt, to criminals infiltrating email accounts and sending payment requests. All of these crimes come under the umbrella term of Social Engineering Fraud: you unwittingly let the criminals in, and they are then able to defraud you of money.

What is Social Engineering Fraud?

Put simply, Social Engineering is the hacking of people. It is a way of manipulating people into sharing information, or influencing individuals into making a mistake that leaves the business compromised and open to exploitation. It isn’t necessarily complex or sophisticated. Fraudsters use confidence tricks and pressure to encourage individuals to do something they might not ordinarily do.

Understanding the Types of Social Engineering Fraud

There are many different types of Social Engineering activities. Here are some that your staff need to be aware of:

Phishing

This is the most common form of Social Engineering fraud; according to cyber industry research, 81% of businesses have seen an increase in phishing in the last year. Phishing attacks are untargeted and usually sent en masse. They can be text messages or emails, and they usually look as if they come from a reputable company. Their purpose is to entice the recipient to visit a website that introduces malware onto the device. You have most likely received one claiming to be from the Post Office, a delivery company or a bank.

Vishing

This is the voice version of phishing. Victims get an urgent call or voicemail requesting payment of an overdue debt, and some attackers now use AI to make these calls much more believable. You’ve probably had one of the robot-voice calls claiming to be from HMRC.
However, vishing is getting more sophisticated and the voices are more realistic. Criminals can also spoof phone numbers, making it look as though you are receiving a call from someone in your phone book. Add a bit of crackling so it sounds like a bad line, and you might just fall for it. This form of attack is usually targeted at a high-profile person in your organisation.

Fake CEO Fraud

This occurs when fraudsters impersonate a senior executive by gaining access to their emails. Once they are in, the criminals ask a member of the finance team or a relevant manager to make an unusual, urgent and/or highly confidential payment. These attacks often take place when the senior person is out of the office and uncontactable, e.g. on holiday or at an event. This information is often available to the fraudsters on social media.

Mandate Fraud

This is where third-party fraudsters purport to be legitimate suppliers or payment recipients and ask your team to change the supplier’s bank details on your system. Often these requests are made on professional-looking headed paper, complete with logos. Frequently they include the fraudster’s own telephone number on the instruction, so that any call made to query the matter is intercepted. Payments owed to the supplier are then made to the new bank account. Often it is only when the legitimate supplier questions their non-payment that the fraud is discovered.

What’s the cost to a business if they fall victim?

According to research from our insurer, Aviva, for a quarter of all cyber victims the cost was over £10,000. An attack can sometimes cost millions. Even for moderate-sized businesses, claims data shows that 10% of cyber claims in 2023 were valued in excess of £50,000.

It’s not just the financial cost. Almost a third of businesses that experienced a cyber-attack also suffered operational disruption, with one in five hit by a loss of data and being locked out of systems. As you can imagine, these attacks are lucrative business for fraudsters, and because they are relatively simple to set up and replicate they’re being seen in all areas of the economy, in all business types and sizes.

So what can you do to protect your business?

  1. Train your staff to look for fraud. Remind staff to be as vigilant with business data as they are with their own. When looking for phishing attacks, urgent language and spelling and grammar errors are often an easy-to-spot giveaway. There’s lots of training available online; https://ncsc.gov.uk/ is a great place to start.
  2. Make sure you’re using security – Your IT provider will be able to help with cyber-security, but you need to make sure everyone is using it properly. That means ensuring that Multi-factor Authentication is being used on all systems that allow it, and ensuring that all devices have installed the latest updates, as these often contain fixes for gaps that criminals could exploit. Also check you have policies in place to reinforce these behaviours.
  3. Have good habits – Don’t reuse passwords; all passwords should be complex, unique and not easy to guess. Don’t store them on your laptop. If you can’t remember all your passwords, consider a password manager. Check what you’re sharing on social media: does it give criminals information that could be used to manipulate you, e.g. that you’re on holiday with a poor phone signal? Or does it give clues to your password, e.g. your children’s or pets’ names or your wedding anniversary?
  4. Be prepared – Make sure you have a backup of all your data so that, should you lose everything, you won’t have to start from scratch. Back up regularly and securely; again, your IT provider will be able to help with this. Ensure your business continuity plan includes what to do if criminals infiltrate your systems: can you still open if you can’t access your IT? Finally, make sure you have cyber insurance in place. Not only would insurance help your business recover financially after an attack, insurers also have the expertise to help with the investigation. Forensic cyber analysts will examine how entry was gained, search the dark web for any leaked information and help you with reporting what is required to regulators such as The Information Commissioner’s Office, taking the stress off your hands.

Above all, be on guard and trust your instincts. We usually sense when something isn’t right, so encourage staff to act on that instinct. Don’t open documents that you weren’t expecting, and don’t blindly follow instructions on screen or received via email without checking their authenticity. Things might take a bit longer, but as a business owner myself I’d rather my team checked an unusual payment than just paid it because checking is less convenient.

If you want to talk more about the risks that nurseries face, please don’t hesitate to get in touch.