Hiscox Global Insight
Cyber

The return of social engineering

Following last year’s socially engineered cyber attacks against big-name UK retailers, has the cyber threat come full circle? Cyber criminals first used social engineering, exploiting human vulnerabilities to gain access to company systems, before moving in recent years to more technical methods that exploit weaknesses in networks and software. But, as the attacks attributed to the group Scattered Spider show, social engineering has made a comeback. “The cyber story of 2025 told us that as technical cyber controls such as firewalls and anti-malware have improved and system defences strengthened, criminals are turning back to social engineering,” says Tim Andrews, Cyber Line Underwriter at Hiscox. “The good news is that, despite the extent of these social engineering attacks, together with incidents like the October cloud computing outages, which were ultimately limited in their impact, we haven’t yet seen a catastrophic cyber event, but the likelihood of such an occurrence in the next few years should not be discounted.”

Exploiting human vulnerabilities

Social engineering never went away, but as the recent attacks on UK retailers show, it returned to prominence as an attack method in 2025. The UK’s National Cyber Security Centre (NCSC) describes social engineering as the use of “psychological manipulation to trick users into making security mistakes or giving away sensitive information”. In practice that covers phishing, which uses email to trick people into revealing confidential information, and its close relatives smishing (using SMS text messages) and vishing (using voice calls). Other social engineering methods include pretexting, where the attacker builds a false story to gain the target’s trust, and baiting, where the attacker offers a reward or incentive in return for information or for installing malicious software.
In the recent attacks on British businesses, one retailer was compromised when the attackers posed as one of its employees and persuaded a third-party supplier to reset access credentials. The same criminal group is understood to have been behind the attack on a major UK automotive business that halted its operations for over a month. That incident is believed to be the costliest cyber attack on the wider UK economy to date, at close to £2 billion, and the UK government was asked to step in with a financial support package to help secure the company’s supply chain.

Double down on training and security protocols 

Hiscox’s Cyber Readiness Report 2025 found that for more than one in five organisations (22%), employees targeted through social engineering are the most likely point of entry for a breach or ransomware attack. That ongoing threat means businesses and organisations need to double down on the human layer of their cyber security. “Employee training and awareness of these threats is obviously critical, as is a reassessment of security protocols,” says Andrews. “We have talked to many clients recently who have, for example, made significant changes to their help desk processes, meaning that if an employee reports the loss of the multi-factor authentication (MFA) token they use to access the system, they may no longer request a new one without supplying more robust face-to-face identity verification. In addition, help desks will now often seek confirmation from an employee’s manager before issuing a new token or security credentials.”
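The help desk changes Andrews describes can be expressed as an explicit decision rule, which makes it easy to see what a pretexting caller can and cannot get past. The following is an added example written for this page; it is not code from Hiscox, its clients or the article. It contrasts a weak legacy policy (reset on a phone call if the caller answers security questions) with a hardened one that requires face-to-face identity proofing by a help desk agent other than the requester plus a recent approval from the requester’s manager of record. The directory, user names, roles, time limit and request records are constructed for the example.

```python
"""Help desk gate for "I lost my MFA token" requests.

Added example, not Hiscox's or any client's code. The directory, roles,
time limit and request records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed HR directory (assumption): manager of record and roles per user.
DIRECTORY = {
    "alice": {"manager": "carol", "roles": {"finance"}},
    "bob":   {"manager": "carol", "roles": {"helpdesk"}},
    "carol": {"manager": "dave",  "roles": {"finance-lead"}},
    "dave":  {"manager": None,    "roles": {"cfo"}},
}
APPROVAL_MAX_AGE = timedelta(hours=4)  # assumption: a manager approval goes stale after 4 hours


@dataclass
class ResetRequest:
    requester: str
    channel: str                        # "phone", "email" or "in_person"
    security_questions_passed: bool     # legacy check: the caller's answers matched
    verification_method: Optional[str]  # "in_person_photo_id" or None
    verified_by: Optional[str]          # help desk agent who performed the check
    manager_approver: Optional[str]
    manager_approved_at: Optional[datetime]


def legacy_policy(req: ResetRequest) -> tuple[bool, list[str]]:
    """Weak policy: any channel, reset as long as the security questions were answered."""
    if req.security_questions_passed:
        return True, []
    return False, ["security questions failed"]


def hardened_policy(req: ResetRequest, now: Optional[datetime] = None) -> tuple[bool, list[str]]:
    """Issue a new token only when every control the article describes is satisfied."""
    now = now or datetime.now(timezone.utc)
    user = DIRECTORY.get(req.requester)
    if user is None:
        return False, ["requester not in directory"]
    reasons = []
    # 1. Identity must have been checked face to face, not over the phone.
    if req.verification_method != "in_person_photo_id":
        reasons.append("identity not verified face to face")
    # 2. The person attesting to the check must be help desk staff, and not the requester.
    verifier = DIRECTORY.get(req.verified_by or "", {})
    if req.verified_by == req.requester or "helpdesk" not in verifier.get("roles", set()):
        reasons.append("verifier must be help desk staff other than the requester")
    # 3. Approval must come from the manager the directory records, not a name the caller supplies.
    if user["manager"] is None or req.manager_approver != user["manager"]:
        reasons.append("approval must come from the manager of record")
    # 4. The approval must be recent and not post-dated.
    if req.manager_approved_at is None or not (timedelta(0) <= now - req.manager_approved_at <= APPROVAL_MAX_AGE):
        reasons.append("manager approval missing, stale or post-dated")
    return (not reasons), reasons


# Constructed scenario: a caller claiming to be alice answers the security questions
# correctly (answers are often recoverable from social media or an earlier breach).
NOW = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
PRETEXT_CALL = ResetRequest("alice", "phone", True, None, None, None, None)

# The same user, after presenting photo ID at the help desk with a fresh approval from carol.
IN_PERSON = ResetRequest("alice", "in_person", True, "in_person_photo_id", "bob",
                         "carol", NOW - timedelta(minutes=30))

if __name__ == "__main__":
    for label, req in [("pretext call", PRETEXT_CALL), ("in person", IN_PERSON)]:
        print(label, "legacy:", legacy_policy(req)[0], "hardened:", hardened_policy(req, NOW))
```

The point of returning the list of failed controls rather than a bare yes/no is that the help desk record then shows which control stopped a request, which is the evidence an investigation or an insurer's forensic team will want after an attempted reset.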

Minimise the blast radius

Neither should employees be granted unfettered access across an organisation’s computer systems, adds Andrews. “It’s almost impossible to fully secure a system from human fallibility, while there is also the risk of malicious intent from an employee seeking to make financial gain by granting access to hackers. It means that employees should only have access to those systems and data that they need, and their authority levels must also be appropriate for their roles and seniority, so if there is a successful hack, the blast radius can be minimised.”

No cyber cat event… 

Minimising the chance of a successful social engineering attack not only protects the individual company from the consequences of an intrusion but also reduces the risk of a single incident proliferating into a cyber catastrophe event. Recent incidents show, however, that it is not necessarily the actions of a hacker that cause a systemic issue paralysing websites and systems worldwide. A global outage in 2024, for example, was not the result of a malicious attack but of a faulty software update from a cyber security firm, which affected many thousands of its customers and up to 8.5 million devices. In 2025, cloud computing outages disrupted businesses across the UK, bringing down thousands of websites and affecting organisations ranging from social media sites to banks. The causes ranged from faulty automation software to configuration errors.

Events like these suggest that a cyber catastrophe event in the near future remains a real possibility. “We saw some sizable incidents in 2025 but fortunately, systems were up and running relatively quickly to avoid them becoming more systemic problems and triggering a cat event,” says Andrews. “But given the few-to-many concentration of software and data storage suppliers to their customers and their interconnectivity, the likelihood of something either resulting from a cyber attack or a malfunction causing widespread disruption for a longer period of time will be an ongoing threat throughout 2026 and beyond.”

Can the purchase of cyber insurance still be optional?

Despite the return of social engineering and the threat of a cyber catastrophe event, are businesses doing enough to combat the threat? The UK government’s Cyber Security Breaches Survey 2025 found that more than half (55%) of UK businesses are not insured against cyber risks. “It is still surprising that many firms do not buy cyber insurance as part of their cyber risk management approach,” says Andrews. “While larger businesses are more likely to buy cyber cover than smaller organisations, estimates suggest a significant proportion of the FTSE 100 still don’t have cyber insurance. It’s not just the benefit of the financial support that cyber insurance brings but also the ready 24/7 access to the specialist forensic, legal and technical services available that can help minimise the impact and ongoing business interruption of an attack. The ongoing threat of cyber crime to businesses and organisations, likely to grow as the criminal use of AI ramps up, means a review of overall cyber risk management and crisis response approach is critical, with a particular focus on human vulnerabilities, while insurance should also be an important consideration in how it can play a crucial part in those plans.”
