Social engineering risks: Why IT teams are a growing target
- Alternit One

- Jul 29, 2025
- 2 min read
Cybercriminals are evolving and so are their targets. While finance teams and C-suite executives have historically drawn the focus of social engineering campaigns, IT teams are now firmly in the crosshairs.
With privileged access to systems, networks and sensitive data, IT personnel represent a critical vulnerability point. A recent high-profile incident involving Marks & Spencer offers a stark reminder of how these risks are playing out in real time - and what firms must do to respond.
The M&S cyber attack: A case study in manipulated trust
In May 2024, Marks & Spencer was the subject of a sophisticated phishing campaign that leveraged social engineering tactics to infiltrate the company's internal systems. But this was no broad-stroke attack. The perpetrators targeted specific IT service desk employees, impersonating senior internal users and trusted third-party vendors. Using convincing language and spoofed credentials, attackers were able to trick staff into escalating privileges and resetting credentials.
The attack resulted in unauthorised access to internal collaboration tools, email systems and sensitive operational data. While no customer data was exposed, the incident caused significant disruption to internal workflows and eroded trust within the organisation. More importantly, it underlined a growing trend: attackers are no longer just seeking data, they’re exploiting the people who protect it.
Why IT teams are uniquely vulnerable
IT personnel sit at the intersection of access and authority. They frequently respond to high-urgency requests, troubleshoot under pressure, and are often expected to take decisive action without delay. Attackers exploit this dynamic by crafting realistic scenarios, such as a senior exec locked out of an account, or an urgent configuration issue flagged by a vendor.
Add to this the expanding remote support environment, where verification protocols are often relaxed in favour of speed, and the conditions are ripe for manipulation. Sophisticated attackers will scrape LinkedIn, social media and public vendor documentation to build believable backstories that increase the likelihood of success.
Mitigation strategies: Building a human firewall
Technical controls will only go so far if your IT teams aren’t trained to spot manipulation. Defending against social engineering requires a layered approach that addresses both human and system vulnerabilities. This approach should include:
Zero trust verification – Encourage teams to validate identities through independent channels. No password reset or access escalation should be actioned without cross-verification.
Scenario-based training – Generic phishing simulations aren’t enough. Use real-world social engineering scenarios, like those used in the M&S breach, to raise awareness and sharpen instinct.
Role-specific policies – Implement stricter controls for accounts with elevated privileges, including multi-person approval for key actions and just-in-time access provisioning.
Threat intelligence integration – Equip teams with the latest insights into attacker behaviour and emerging impersonation tactics. Prevention starts with awareness.
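One way to turn the verification, multi-person approval and just-in-time rules above into a service-desk decision check, added here as an example that is not part of the original article. The directory entries, callback numbers, approver names and the one-hour grant lifetime are constructed, hypothetical values:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed directory of record (hypothetical data). Contact channels,
# privilege flags and managers come from here, never from what the caller says.
DIRECTORY = {
    "cfo":  {"callback": "+44-20-0000-0001", "privileged": True,  "manager": "ceo"},
    "jdoe": {"callback": "+44-20-0000-0002", "privileged": False, "manager": "itlead"},
}
JIT_TTL = timedelta(hours=1)   # just-in-time grants expire; nothing is permanent


@dataclass
class AccessRequest:
    account: str                          # account the caller wants reset or elevated
    claimed_callback: str                 # number or address the caller *offered*
    verified_via: Optional[str] = None    # channel the agent actually called back on
    approvers: set = field(default_factory=set)   # people who signed off


@dataclass
class Decision:
    approved: bool
    reason: str
    expires_at: Optional[datetime] = None


def decide(req: AccessRequest, now: Optional[datetime] = None) -> Decision:
    now = now or datetime.now(timezone.utc)
    entry = DIRECTORY.get(req.account)
    if entry is None:
        return Decision(False, "unknown account")
    # Cross-verification: the callback must go to the directory-of-record channel.
    # A caller-supplied number is never sufficient, however urgent the story.
    if req.verified_via != entry["callback"]:
        return Decision(False, "not verified on directory-of-record channel")
    # Role-specific policy: elevated accounts need two approvers, one of whom is
    # the manager of record rather than anyone the caller happens to name.
    if entry["privileged"]:
        if len(req.approvers) < 2 or entry["manager"] not in req.approvers:
            return Decision(False, "privileged account needs manager of record plus one")
    elif not req.approvers:
        return Decision(False, "no approver recorded")
    # Just-in-time provisioning: the grant carries an expiry the caller cannot extend.
    return Decision(True, "approved", now + JIT_TTL)
```

The "locked-out executive" scenario from the article fails at the first check because the agent called back on a number the caller supplied, not the one on record.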
The bottom line
Social engineering is no longer just a broad-spectrum threat. It’s being personalised, weaponised and aimed squarely at your most trusted teams. For firms relying on internal IT or outsourced support, vigilance must be cultural, not just procedural.
A1 helps businesses implement people-first cyber resilience strategies tailored to real-world risks. Want to know how to protect your internal teams from social engineering? Get in touch today.