Social Engineering Scams in 2025: How Hackers Are Tricking Employees

The Human Weak Link: Why Cyber Attacks Are Getting Personal

Social engineering scams in 2025 are no longer just about tricking systems — they’re about tricking people. Hackers are now using tactics like phishing, impersonation, and even AI-generated deepfakes to manipulate employees into handing over access, credentials, or sensitive information.


This year alone, several high-profile UK organisations have been caught out by social engineering scams in 2025 - including Marks & Spencer, which is still grappling with the fallout of a major cyber incident. The disruption, now linked to the Scattered Spider hacking group, began in April and is expected to continue into July 2025, with an estimated hit of £300 million to operating profit. Read our full breakdown of the M&S cyber attack here →

But M&S isn’t alone. 2025 has already seen attacks on public services, major supply chains, and government-backed platforms - and in one case last year, a deepfake video call led to a £20 million transfer. These incidents show just how dangerous and advanced social engineering tactics have become, and why your employees need to be your first line of defence.

What Is Social Engineering?

Social engineering is the psychological manipulation of people into performing actions or revealing confidential information, often without them realising it. The attacker's target is not a software flaw but a person's trust, habits and willingness to help.

Common social engineering tactics include:

  • Phishing: Fake emails asking for passwords, payments, or sensitive details
  • Business Email Compromise (BEC): Messages impersonating leadership or suppliers
  • Vishing (voice phishing): Scam phone calls pretending to be internal staff
  • Deepfakes: AI-generated video or audio impersonating real people
  • Smishing: Scam texts appearing to be from banks, couriers, or HMRC

Real Case Studies (UK, 2024–2025)

1. Marks & Spencer – Scattered Spider Attack (April–July 2025)

M&S continues to deal with the fallout of a major cyber attack that forced it to suspend online orders and disrupted its supply chain. The attack has been linked to Scattered Spider, a hacking group known for impersonating staff over the phone and talking IT helpdesks into resetting passwords or multi-factor authentication, which gives the attacker a legitimate login rather than a break-in. The result? Disruption that may cost the retailer around £300 million in operating profit, with online sales in fashion, home and beauty "heavily impacted".

Lesson: Social engineering can target any employee, not just execs - helpdesk staff are a prime target because they hold the keys to account recovery. Identity checks for password and MFA resets need to be as strict as those for payments.

2. Legal Aid Agency – Sensitive Data Breach (April 2025)

The Legal Aid Agency, part of the UK's Ministry of Justice, confirmed a significant breach in April 2025 that exposed data of legal aid applicants dating back to 2010. Compromised information included names, dates of birth, criminal records and financial details. Not all details have been released, but initial investigations suggest social engineering was likely involved, and the agency shut down its online services while a national response was mounted.

These attacks also highlight the importance of aligning your security approach with recognised standards. Explore our cybersecurity compliance services to strengthen your policies and reduce risk exposure.

Lesson: Public bodies are just as vulnerable as private firms — and personal data is a valuable target. Even non-financial organisations must train staff to recognise scams.

3. Arup – Deepfake Video Scam Leads to £20m Loss (Early 2024)

This case study isn't from 2025, but it's crucial to be aware of it. British engineering firm Arup lost £20 million after an employee was tricked into joining a video call populated by deepfake avatars of the company's senior leadership. The scam used AI-generated video and audio to mimic internal executives, and the employee, believing the instructions were genuine, authorised the fund transfer. By the time the deception was uncovered, the funds were unrecoverable.

Lesson: Deepfake technology is now convincing enough that seeing and hearing a colleague on a call is no longer proof of who they are. Businesses need verification steps that happen outside the channel the request arrived on, especially for high-value requests and fund transfers.

How to Defend Against Social Engineering Scams

Technology can help protect you from social engineering scams, but real security starts with your people. Here's how to build cyber-awareness into your workplace:

1. Run Regular Cyber Awareness Training

Train staff to spot suspicious emails, links, calls, and messages. Cover:

  • Red flags like urgency, misspellings, or odd phrasing
  • How to verify unusual requests internally
  • How to report attempted scams quickly and confidently

Tip: Use real case studies like M&S or Arup to make it relevant and memorable - or explore structured cyber awareness training for employees to build long-term resilience.

2. Implement Simple Reporting Channels

Create a clear, no-blame reporting process for staff to flag suspicious activity. It should be easy to use and encouraged regularly.

3. Verify Before Acting on High-Risk Requests

  • Use two-person approvals for payments and for changes to supplier bank details
  • Verify sensitive requests via a known contact method (a number from your directory or a face-to-face check, never by replying to the message or calling a number it supplies)
  • Treat password and MFA resets requested through the helpdesk as high-risk and verify the caller's identity before acting
  • Restrict admin access to those who need it, so a single tricked account cannot do much damage

4. Invest in Email and Threat Protection

Deploy anti-phishing tools that scan for impersonation attempts (an executive's name on an outside address, lookalike domains, a Reply-To that points elsewhere), suspicious attachments and known attack patterns, and make sure SPF, DKIM and DMARC are configured for your own domain so that attackers cannot send mail that appears to come from it.
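To show what those impersonation checks look like in practice, here is an added example (not code from the original article or from UK IT Service) that triages an email for the red flags described in the training section and the paragraph above: an executive's display name on the wrong address, a lookalike sender domain, a mismatched Reply-To, urgency or payment language, and risky attachment types. The organisation domain, executive list and sample messages are all constructed for illustration.

```python
"""Heuristic phishing/BEC triage over constructed sample messages (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Organisation details assumed for this example (constructed, not real).
INTERNAL_DOMAIN = "example.co.uk"
EXECUTIVES = {  # display name -> the only address that name may legitimately use
    "jane doe": "jane.doe@example.co.uk",
    "sam lee": "sam.lee@example.co.uk",
}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|confidential|wire|transfer)\b", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".lnk", ".htm", ".html", ".zip")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(msg: EmailMessage) -> list[str]:
    """Return the red flags found in one parsed message (empty list = nothing found)."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = domain_of(addr)

    # 1. An executive's display name on an address that executive does not use.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")

    # 2. Sender domain is a near miss of our own (examp1e vs example, exarnple vs example).
    if from_domain and from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {from_domain} resembles {INTERNAL_DOMAIN}")

    # 3. Replies silently redirected to a domain other than the visible sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"reply-to mismatch: replies go to {reply_to.lower()}")

    # 4. Urgency / payment language in the subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))

    # 5. Attachment types commonly used to deliver payloads.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            findings.append(f"risky attachment: {fname}")
    return findings


def triage_raw(raw: str) -> list[str]:
    """Parse an RFC 5322 message from text (for example an .eml export) and triage it."""
    return triage(email.message_from_string(raw, policy=policy.default))


# Constructed sample messages for the example (not real mail).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.co.uk>
Reply-To: jane.doe.ceo@webmail-example.net
To: finance@example.co.uk
Subject: Urgent - supplier payment today
Content-Type: text/plain; charset=utf-8

I am in a meeting and cannot talk. Please wire the transfer to the new supplier
account immediately and keep this confidential until I confirm.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.co.uk>
To: finance@example.co.uk
Subject: Board pack for Thursday
Content-Type: text/plain; charset=utf-8

Attached agenda will follow from the PA. Thanks.
"""


def build_attachment_sample() -> EmailMessage:
    """Constructed external message carrying a risky attachment type."""
    m = EmailMessage()
    m["From"] = "Courier Notifications <notify@parcel-tracking-example.net>"
    m["To"] = "reception@example.co.uk"
    m["Subject"] = "Your parcel could not be delivered"
    m.set_content("Open the attached label and reschedule.")
    m.add_attachment(b"fake payload bytes", maintype="application",
                     subtype="octet-stream", filename="Delivery_Label.zip")
    return m


if __name__ == "__main__":
    for label, found in (("BEC", triage_raw(BEC_SAMPLE)), ("legit", triage_raw(LEGIT_SAMPLE)),
                         ("courier", triage(build_attachment_sample()))):
        print(label, found or "no flags")
```

The BEC sample trips four checks at once; the genuine message from the same executive trips none, which is the point of anchoring the check on the exact address rather than the name. Heuristics like these are for triage and user warnings, not for silently dropping mail: a two-character edit-distance threshold will miss domains such as example.com against example.co.uk, and urgency words appear in plenty of honest messages, so the verification steps in the section above remain the real control.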

Don’t Let People Be Your Weakest Link

From M&S and the Legal Aid Agency to Arup’s deepfake disaster, social engineering continues to be one of the most effective ways hackers breach businesses.

The takeaway? Cyber resilience isn’t just about your systems - it’s about your staff. With cyber awareness training and verification processes in place, you can turn your people from your biggest vulnerability into your strongest defence.

Need Help Training Your Team?

At UK IT Service, we help London-based businesses stay ahead of evolving cyber threats - with staff training, phishing simulations, and proactive cybersecurity solutions tailored to your size and sector.

Get in touch today to protect your business, your people, and your profits.


UK IT SERVICE Team

If you are looking for a partner to tackle the IT challenges of today’s world, we will be glad to help you out. Browse www.ukitservice.co.uk or send us a message today with your enquiries.
Contact Us for a Quote


UK IT Service - IT Support London | 7 Stean Street, London, E8 4ED, United Kingdom | 020 3034 1059