learndirectPathways

Malware, Phishing and Social Engineering Attacks Explained

Podcast episode 13: Malware, Phishing and Social Engineering Attacks Explained. Alex and Sam explore key concepts from the Pearson BTEC Higher Nationals in Digital Technologies. Full transcript included.

Series: HTQ Digital Technologies: The Study Podcast  |  Module: Unit 3: Cyber Security  |  Episode 13 of 80  |  Hosts: Alex with Sam, Digital Technologies Specialist
Key Takeaways
  • Malware is a broad category of malicious software that includes viruses, worms, trojans, ransomware, spyware and adware, each designed to achieve different objectives on a target system.
  • Phishing attacks exploit human psychology rather than technical vulnerabilities, using deceptive emails, messages or websites to trick users into revealing credentials, clicking malicious links or downloading harmful software.
  • Social engineering is the art of manipulating people into taking actions or revealing information they should not, and it represents one of the most persistently effective attack vectors despite being entirely non-technical in nature.
  • Technical defences such as email filtering, endpoint protection and multi-factor authentication significantly reduce the risk from malware and phishing, but they must be combined with user education and security-aware culture to be fully effective.
  • Recognising the tell-tale signs of phishing and social engineering attacks, including urgency, requests for credentials, unexpected attachments and slightly wrong domain names, is a skill that every digital professional should possess.
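The last takeaway lists the signs a reader should learn to spot: urgency, requests for credentials, unexpected attachments and slightly wrong domain names. As an added illustration (not code from the podcast or the course), the script below turns those same four signs into a simple defensive screening heuristic that scores an incoming message, with a look-alike domain check that folds common homoglyph substitutions and measures edit distance against a trusted list. The trusted domains, phrase lists and the two sample messages are constructed for the example and are not real addresses or real mail.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed example values (assumption): domains this organisation treats as
# legitimate senders. A real deployment would load these from configuration.
TRUSTED_DOMAINS = ("examplebank.co.uk", "example.com")

# Phrases commonly used to manufacture urgency or to ask for credentials.
URGENCY_PHRASES = ("act now", "immediately", "within 24 hours",
                   "account suspended", "suspicious activity")
CREDENTIAL_PHRASES = ("password", "login details", "verify your account",
                      "confirm your credentials")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso")

# Character sequences attackers substitute for look-alike letters in domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def sender_domain(sender):
    """Pull the domain out of 'Display Name <user@domain>' or a bare address."""
    match = re.search(r"@([A-Za-z0-9.\-]+)", sender)
    return match.group(1).lower() if match else ""


def normalise_domain(domain):
    """Fold accented/Unicode characters to ASCII and undo common homoglyph tricks."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = folded.encode("ascii", "ignore").decode()
    for glyph, letter in HOMOGLYPHS.items():
        folded = folded.replace(glyph, letter)
    return folded


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits separating a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if not domain:
        return None
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # genuinely the trusted domain or one of its subdomains
    norm = normalise_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if norm == trusted or edit_distance(norm, trusted) <= 2 or brand in norm:
            return trusted
    return None


def assess(email):
    """Score a message against the four tell-tale signs; a higher score is more suspicious."""
    flags = []
    text = (email.subject + " " + email.body).lower()
    domain = sender_domain(email.sender)
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"sender domain {domain!r} resembles trusted domain {imitated!r}")
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("message manufactures urgency")
    if any(p in text for p in CREDENTIAL_PHRASES):
        flags.append("message asks for credentials")
    risky = [a for a in email.attachments if a.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        flags.append("unexpected executable or macro attachment: " + ", ".join(risky))
    return {"score": len(flags), "flags": flags}


# Constructed sample messages for the demonstration (not real mail).
SAMPLE_PHISH = Email(
    sender="ExampleBank Security <alerts@examp1ebank.co.uk>",
    subject="Suspicious activity on your account",
    body="Your account will be suspended. Verify your account immediately via the link below.",
    attachments=["statement.pdf.exe"],
)
SAMPLE_LEGIT = Email(
    sender="Payroll <payroll@hr.example.com>",
    subject="May payslip available",
    body="Your payslip is now available in the self-service portal.",
)

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = assess(sample)
        print(f"{sample.subject!r}: score {result['score']}")
        for flag in result["flags"]:
            print("  -", flag)
```

The score is a teaching aid, not a verdict: a legitimate password-reset email will trip the credential and urgency checks, and an attacker who registers an unrelated domain evades the look-alike test entirely, which is why the takeaways pair pattern recognition with filtering, multi-factor authentication and a reporting culture rather than relying on any single signal.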
Full Transcript

Alex: Welcome back to The Study Podcast. Today we're continuing with Unit 3 on cyber security, and Sam and I are looking at the specific types of cyber threats that organisations and individuals face most commonly. Sam, let's start with malware, because it's probably the term people are most familiar with.

Sam: Malware is an umbrella term for any software that is designed to cause harm to a system, network or user. It covers a very wide range of specific threat types. A virus is malware that attaches itself to legitimate files and spreads when those files are opened or executed. A worm is similar but spreads automatically across networks without needing user interaction. A trojan appears to be something legitimate, like a useful tool or a game, but conceals malicious functionality.

Alex: And ransomware, which has been all over the news.

Sam: Ransomware is particularly destructive. It encrypts the files on an infected system, or sometimes an entire network, and then demands payment in cryptocurrency in exchange for the decryption key. Major ransomware attacks have shut down hospitals, disabled critical government systems and caused billions of pounds in damage. The NHS was significantly affected by the WannaCry attack in 2017, which was a stark illustration of the real-world human consequences of cyber attacks.

Alex: Let's move on to phishing. How does it actually work?

Sam: Phishing exploits human psychology rather than technical vulnerabilities. An attacker sends a message, typically an email but increasingly a text or a social media message, that appears to come from a trusted source. A bank, a government department, a familiar brand. The message typically creates urgency or anxiety, saying your account has been compromised, you owe money, there's been suspicious activity. It then directs you to a fake website that looks identical to the real one, where you enter your credentials and hand them directly to the attacker.

Alex: And spear phishing is a more targeted version of this?

Sam: Yes. Spear phishing is personalised to a specific target, using information gathered from social media, LinkedIn or other public sources to make the message more convincing. An attacker might reference your employer, your colleagues' names, a project you've been working on. This level of personalisation makes spear phishing significantly more effective and more dangerous than generic phishing.

Alex: What about social engineering more broadly? Because I understand that covers a lot more than just phishing.

Sam: Social engineering is the broader category: it's any technique that manipulates people into taking actions or revealing information they shouldn't. Phishing is one form. Pretexting is another, where an attacker creates a fictional scenario to gain trust, perhaps claiming to be an IT support person who needs your password to fix a problem. Vishing is voice phishing carried out over the phone. Tailgating involves physically following someone into a secure area by staying close behind them as they use their access card.

Alex: What are the most effective defences against all of this?

Sam: A layered approach. Technical controls like email filtering, multi-factor authentication and endpoint protection reduce the risk significantly. But because social engineering exploits human behaviour rather than technical vulnerabilities, user education is essential. People need to understand what these attacks look like, what the tell-tale signs are and what to do when something feels wrong. And organisations need to create a culture where people feel comfortable reporting suspicions without fear of being mocked or blamed.

Alex: Critical knowledge for every digital professional. Thanks, Sam. We'll look at information assurance next.