Social engineering attacks, also known as ‘human hacking’, are becoming increasingly sophisticated, with cybercriminals finding new in-roads to harvest sensitive data.

Author: Johnty Mongan


Techniques such as phishing and spear phishing are responsible for the majority of social engineering cyber-attacks. They are designed to manipulate employees to share personal data or credentials, which could be used to target an organisation directly. These types of attacks are commonly considered to be the most disruptive types of attacks that organisations face1.

Organisations are responding, but so are cybercriminals

Businesses have begun to strategise against social engineering attacks and systematically prevent the leak of sensitive data or the installation of malicious applications. Controls such as Multi-Factor Authentication (MFA) and Endpoint Detection & Response (EDR) solutions have proven to reduce the risks of a phishing campaign being successful.

However, as organisations become more cyber aware, cybercriminals raise their game. A 2023 report by IBM stated that only one-third of breaches were identified by the organisations’ internal security teams and tools2, while recent surveys completed by the UK government’s National Cyber Security Centre and IT security company, Mimecast, provide further insight to the current threat landscape:

95% of data breaches are thought to be caused by human error3.

75% of companies have experienced an increase in email-based threats4.

32% of UK businesses detected a breach or attack in the preceding 12-month period5.

Types of advanced social engineering attacks

These are the main types of advanced attacks we are seeing as cybercriminals try to stay one step ahead of common security controls.

Pass-the-cookie attacks

In a pass-the-cookie attack, the attacker can access web applications without knowing a user ID or password, and also without the one-time passcode from a Multi-Factor Authentication (MFA) system.

If malware is installed, it will capture when a user is authenticated to a website using their credentials and MFA code, once their session is created in the form of a ‘session cookie’ which stores user settings and authentication information.

The attacker can copy the session cookie and attempt to log in to the website using the active session. As long as the session stays open, it gives the attacker trusted access if they provide the session cookie — negating the need for any user authentication. Essentially, stealing a session cookie is like stealing a master key, allowing the attacker access to sensitive data and the opportunity to plant further malware and exploit vulnerabilities.

SMS forwarding and SIM swapping

SMS forwarding means redirecting text messages from one phone number to another. SIM swapping is replacing a SIM card in a mobile device to gain unauthorised access to the victim’s phone number and associated accounts.

In order for such attacks to be successful, attackers must first gather personal information of a victim to impersonate them. The aim is to fool the mobile provider into swapping the mobile number to a new SIM card. If successful, the attacker will receive all of the victim’s text messages. If they have successfully captured their credentials, the attacker can access the MFA code to authenticate the login.

QR Code Injection (Quishing)

QR code injection is a relatively new social engineering technique whereby malicious actors manipulate QR codes to redirect users to malicious websites or execute unauthorised actions on their devices. If the attack is successful, the victim will attempt to log in to a portal and their credentials will be harvested.

The recent increase in QR code attacks causes concern for security administrators because these attacks typically bypass anti-phishing filters, which primarily detect malicious links or attachments. The simplicity of a QR code in an image format means they can easily go undetected.

How can organisations respond to the threat?

  • Employee training: An organisation’s people have the potential to be its best line of defence or its biggest weakness. If your employees know how to detect the red flags and — just as importantly — how to report their suspicions quickly and easily, the risks posed can be drastically reduced. Simulated drills can test employees’ resilience, honing their real-world defence capabilities.
  • Next-generation anti-phishing solutions: Advanced anti-phishing techniques can be employed, such as Optical Character Recognition (OCR) or image capture technology to scan a QR code within the email and validate the link before the user receives it.
  • Strengthening MFA controls: SMS has been identified as the weakest method of Multi-Factor Authentication. Encouraging users to use an MFA application such as Microsoft Authenticator, Duo or Google, or the use of a hardware token instead of relying on SMS can help provide greater protection.
  • Geolocation and browser fingerprinting controls: These controls can be enabled to protect against stolen cookie sessions. This will ensure only legitimate users from approved locations can log in using the authorised devices.

How Gallagher can help

Raising cyber awareness and vigilance is a low-cost but high-reward solution to social engineering threat vectors. Many organisations benefit from the Secure Humans cybersecurity training webinars hosted by Gallagher’s Cyber Defence Centre. To find out more about these sessions or to speak to us about improving your cybersecurity controls in response to the changing risk landscape, please contact our Cyber Risk Management team.

Author Information


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.