# Defending Your Business Against Social Engineering
Social engineering is manipulation. Instead of attacking your software, attackers target your people. They exploit trust, urgency, fear, and helpfulness to get employees to hand over credentials, transfer money, or grant access they shouldn’t.
A convincing email from a “vendor” with an updated bank account. A phone call from “IT support” needing your password to fix an urgent issue. A text from the “CEO” requesting a wire transfer while they’re “in a meeting.” These attacks work because they target human nature, not technology.
## Common Social Engineering Techniques

- **Phishing** – Fraudulent emails that mimic legitimate senders to steal credentials or deliver malware. Still the most common attack vector.
- **Spear phishing** – Targeted phishing aimed at specific individuals, using personal details gathered from LinkedIn, company websites, or previous breaches.
- **Vishing** – Phone-based social engineering. Callers impersonate banks, tech support, government agencies, or colleagues.
- **Pretexting** – Creating a fabricated scenario to justify a request. “I’m the new IT contractor and I need the admin password to finish the server migration.”
- **Business email compromise (BEC)** – Impersonating executives or business partners to request wire transfers, gift card purchases, or sensitive data.
- **Baiting** – Leaving USB drives loaded with malware in parking lots or common areas, hoping curiosity leads someone to plug them in.
- **Tailgating** – Following an authorized person through a secured door without using their own credentials.
## Why Technical Controls Aren’t Enough
Email filters catch a lot of phishing, but they can’t catch everything. A well-crafted spear phishing email from a compromised legitimate account will bypass most technical defenses. Phone calls bypass email security entirely. In-person social engineering bypasses all digital controls.
Your people are the last line of defense, and they need to be prepared.
## Prevention Strategy

### Employee Training
- [ ] Train all staff on social engineering tactics with real-world examples
- [ ] Run quarterly training sessions, not just annual compliance modules
- [ ] Use interactive exercises and role-playing scenarios
- [ ] Share anonymized examples of attacks your organization has received
- [ ] Foster a culture where questioning unexpected requests is encouraged and expected
### Verification Procedures
- [ ] Require out-of-band verification for financial transactions (call back on a known number, not the one in the email)
- [ ] Establish code words or verification questions for phone-based requests involving sensitive information
- [ ] Never process unusual payment requests (especially changes to banking details) without independent confirmation
- [ ] Create a policy: no sensitive information shared via email or phone without verification
For suspicious emails, employees can forward them to ForwardToSafety.com to verify whether they’re legitimate before responding.
### Technical Layers

- [ ] Enable MFA on all accounts (a stolen password alone is no longer enough to log in)
- [ ] Deploy email authentication (SPF, DKIM, DMARC) to reduce spoofed emails
- [ ] Use a password manager to eliminate password reuse
- [ ] Implement DNS filtering to block known malicious domains
- [ ] Deploy email security software with anti-phishing and impersonation detection
### Physical Security
- [ ] Require badge access for all secured areas
- [ ] Train employees to challenge unrecognized people in restricted areas
- [ ] Implement visitor sign-in and escort policies
- [ ] Prohibit unknown USB devices on company machines
- [ ] Secure sensitive documents in locked storage
### Reporting
- [ ] Create a simple, fast reporting process for suspicious contacts
- [ ] Never penalize employees for reporting (even false alarms)
- [ ] Follow up on every report and share results when appropriate
- [ ] Track and analyze social engineering attempts to identify patterns
## Quick Response Checklist
If you suspect a social engineering attack:
- [ ] Stop – don’t provide any more information or take any further action
- [ ] Record – note what was requested, by whom, and how they contacted you
- [ ] Verify – contact the supposed sender through a separate, trusted channel
- [ ] Report – notify your IT/security team and manager immediately
- [ ] If credentials were compromised – change passwords and check for unauthorized access
- [ ] If money was transferred – contact your bank immediately to attempt a recall
## The Key Principle
When in doubt, verify. A two-minute phone call to confirm a request is real costs nothing. Falling for a social engineering attack can cost everything. Train your team to treat verification as normal business practice, not as an insult to the person making the request.