How to Protect Yourself Against Social Engineering Attacks
With so much business now done online, much, if not most, of the organizational security effort goes into strengthening technical controls. In practice, though, the human element of cybersecurity is often where the most damaging failures occur.
That's why fortifying your people against cyber threats is just as critical, particularly because social engineering attacks keep growing in sophistication. These attacks are often creative, very convincing, and dangerous. As cybersecurity experts who have helped many organizations protect themselves by simulating such attacks to find weaknesses in their policies, procedures, and personnel, we want to offer some basic insight.
In this article, we’ll delve into what social engineering is and the different forms it can take, as well as some strategies that can get you started in protecting your organization so that you can ensure all aspects of your comprehensive cybersecurity are reinforced.
What is Social Engineering?
Social engineering is defined in the dictionary as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes,” but here’s how these kinds of attacks have worked in the past:
First, the attacker will make initial contact with their intended victim in some way, usually posing as a trusted entity or service provider, and usually claiming either that:
- There’s a problem with the target’s account;
- The target has won a (fake) prize or reward; or
- Action from the target is needed to avoid negative consequences.
The attacker will often also use urgency and fear tactics to prompt an immediate response, and the request usually takes one of two forms:
1. Deceptive Links or Phone Numbers: The attacker may then offer a website or phone number for their victim to use, and while they often appear legitimate at first glance, they actually lead to systems controlled by the attacker that are designed to collect sensitive information or infect the target’s device with malware.
2. Request for Information: Depending on their scheme, the attacker may instead just ask for their target’s personal information—things like account credentials, Social Security numbers, or credit card details—and, when the target acquiesces, the attacker harvests that data for fraudulent purposes, such as identity theft or bank transfers.
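As an added illustration (not part of the original article), here is a small Python check for the deceptive links described above. It flags a trusted domain buried inside an attacker-controlled one (example-bank.com.secure-login.net), lookalike spellings (micr0soft.com, rnicrosoft.com), punycode hosts, and anchor text that shows one address while the href goes elsewhere. The allowlist, the confusable map, the thresholds and the sample email are all constructed for this example; the domain-splitting is deliberately naive and a real deployment would use the Public Suffix List.

```python
# Deceptive-link check: lookalike domains, trusted names buried in other domains,
# punycode hosts, and anchor text that shows one address while the href goes elsewhere.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example-bank.com", "microsoft.com"}  # constructed allowlist for the example
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}  # illustrative, not exhaustive
# Anchor text that looks like a URL or bare domain: optional scheme, an alphabetic TLD, optional path.
_URLISH = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:[/?#:]\S*)?$", re.I)

# Constructed sample message in the style of the "problem with your account" lure.
SAMPLE_EMAIL = """
<p>We detected a problem with your account. Please sign in at
<a href="https://example-bank.com.secure-login.net/verify">https://example-bank.com/verify</a>
within 24 hours or it will be locked. Questions? <a href="mailto:support@example-bank.com">Contact
support</a> or read our <a href="https://www.example-bank.com/help">help page</a>.</p>
<p>Sponsored: <a href="https://micr0soft.com/prize">You have won a prize</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (anchor_text, href) pairs from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _normalize(label):
    """Undo common visual substitutions (micr0soft -> microsoft) before comparing."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def _contains_labels(host_labels, needle):
    n = len(needle)
    return any(host_labels[i:i + n] == needle for i in range(len(host_labels) - n + 1))

def host_findings(host, trusted=TRUSTED_DOMAINS):
    """Return the reasons `host` looks deceptive; an empty list means trusted or unremarkable."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in trusted:
        return []
    labels, sld = host.split("."), reg.split(".")[0]
    reasons = []
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label, possible homoglyph domain")
    for t in sorted(trusted):
        brand = t.split(".")[0]
        if _contains_labels(labels, t.split(".")):
            reasons.append(f"trusted domain {t} used as a subdomain of {reg}")
        elif brand in sld:
            reasons.append(f"brand name '{brand}' embedded in untrusted domain {reg}")
        elif edit_distance(_normalize(sld), brand) <= (2 if len(brand) >= 8 else 1):
            reasons.append(f"{reg} resembles trusted domain {t}")
    return reasons

def _host_in_text(text):
    """If the visible anchor text looks like a URL or domain, return the host it displays."""
    token = text.strip()
    if not _URLISH.match(token):
        return None
    return urlsplit(token if "://" in token else "https://" + token).hostname

def analyze_email(html, trusted=TRUSTED_DOMAINS):
    """One finding per suspicious link: href, host and the reasons it was flagged."""
    findings = []
    for text, href in extract_links(html):
        host = urlsplit(href).hostname
        if not host:  # mailto:, tel: and relative links carry no host to judge here
            continue
        reasons = host_findings(host, trusted)
        shown = _host_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"anchor text shows {shown} but the link goes to {host}")
        if reasons:
            findings.append({"href": href, "host": host, "reasons": reasons})
    return findings
```

Running analyze_email(SAMPLE_EMAIL) reports two of the four links: the "verify" link (trusted domain used as a subdomain, plus anchor text pointing somewhere other than the href) and the micr0soft.com prize link; the mailto link and the genuine help page pass. The allowlist has to contain every domain the organization legitimately uses, otherwise legitimate brand-named domains show up as findings, which is acceptable for triage but noisy for automated blocking.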
More recently, these tactics have been turned on organizations as well as individuals: threat actors use them to gain an initial foothold in a corporate network and then either exploit that access themselves or sell it to another group that deploys ransomware.
You may be thinking that you’d never give away information like that—and nor would anyone in your organization—but these attacks are more complicated than you may assume. In fact, performing social engineering is a lot like being a good salesman:
- Just like salesmen qualify a potential target by identifying what they may buy, in social engineering, attackers consider what information they want and what their target is more likely to provide.
- Just like salesmen often need to overcome initial objections that may come from the buyer, so too do malicious social engineers who may face similar pushback—e.g., salesmen may offer a discount if the price is too high, while attackers may express understanding if the target refuses their initial ask before asking for less.
- Just as salesmen empathize with potential buyers to generate trust with them and close the deal, so too do social engineers—and attackers—in order to succeed in getting targets to take action on their behalf.
- Just as salesmen accumulate experience about what works and what doesn't for future pitches, so too do malicious social engineers, gathering data from each attempt to refine their scams.
Different Types of Social Engineering Attacks
Social engineering can take several different forms:
- Phishing: Email. (If these emails are sent to a recipient the attacker has previously researched and targeted for a specific reason, it's called spear phishing. If they're sent to prominent individuals in an organization, such as management and executives, and use carefully crafted business language, it's called whaling.)
- Smishing: Text message. (Smishing is short for "SMS phishing.")
- Vishing: Voice-based phishing, generally in the form of a phone call.
- In-person manipulation: E.g., getting someone to hold a door open, tailgating an employee into a building, or posing as someone else at a security checkpoint.
5 Strategies to Help Protect Your Organization Against Social Engineering Attacks
No matter what form the social engineering attack takes, the threat actor will usually pose as a legitimate entity, like your bank, a government agent, or a service provider. And if they’re attacking your organization, they may pose as an employee, IT personnel, a vendor, or a customer to worm their way in.
While everyone should train themselves to be individually wary, when it comes to protecting your employees from falling victim to these attacks, we can offer five basic strategies to get you started.
1. Conduct Regular Employee Training
First and foremost, you must implement regular training programs to maintain awareness of this threat among employees as well as to educate them about social engineering tactics and how to recognize and respond to them effectively.
These trainings should be just one facet of a “culture of security” you should prioritize within your organization so that, beyond social engineering, your personnel both understand the importance of protecting sensitive information and feel empowered to report security incidents or concerns without fear of retribution.
2. Deploy Technology Solutions
There are a few tools that can specifically help against social engineering attacks:
- Email Filters, Anti-Malware Software, and Intrusion Detection Systems: Filters block or quarantine many lures before they reach an inbox, anti-malware catches payloads delivered through deceptive links or attachments, and intrusion detection flags suspicious activity so that unauthorized access can be spotted and stopped.
- Access Controls: Apply the principle of least privilege, giving employees access only to the information and systems their jobs require, so that if one of them falls victim to a social engineering attack, the attacker inherits a limited set of permissions and the impact is contained.
- Multi-Factor Authentication (MFA): Require a second factor on every login path (VPN, email, cloud consoles, remote access) so that a password captured through social engineering is not enough on its own. Bear in mind that not all factors resist social engineering equally: one-time codes and push approvals can be phished in real time or worn down by repeated prompts, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the genuine site.
- Monitoring Systems: Log authentication and access activity and alert on anomalies that may indicate a social engineering attack in progress, such as a burst of MFA prompts to one user, logins from locations or devices the user has never used, or sensitive data being accessed right after a suspicious email.
- Response Plans: If you haven’t already devised an Incident Response Plan for dealing with cybersecurity issues, do so and make sure to add a procedure to quickly address and mitigate potential social engineering threats.
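To make the monitoring item concrete, here is an added example (not code from the original article or from Schellman) that runs two simple detections over constructed authentication events: a burst of MFA push prompts to one user, and a successful login from a country that user has never logged in from, with the two correlated when they happen back to back. The event format, field names, thresholds and log lines are all assumptions made for the example.

```python
# Toy monitor for two signs of social engineering in progress, run over constructed
# authentication events (JSON lines; field names ts/user/event/ip/country are assumed).
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """
{"ts": "2024-05-01T08:02:11Z", "user": "alice", "event": "login_success", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-05-02T08:05:40Z", "user": "alice", "event": "login_success", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-05-03T08:01:02Z", "user": "bob", "event": "login_success", "ip": "198.51.100.9", "country": "US"}
{"ts": "2024-05-06T03:14:00Z", "user": "alice", "event": "mfa_push_sent", "ip": "192.0.2.77", "country": "NL"}
{"ts": "2024-05-06T03:14:31Z", "user": "alice", "event": "mfa_push_denied", "ip": "192.0.2.77", "country": "NL"}
{"ts": "2024-05-06T03:15:02Z", "user": "alice", "event": "mfa_push_sent", "ip": "192.0.2.77", "country": "NL"}
{"ts": "2024-05-06T03:15:40Z", "user": "alice", "event": "mfa_push_sent", "ip": "192.0.2.77", "country": "NL"}
{"ts": "2024-05-06T03:16:12Z", "user": "alice", "event": "mfa_push_sent", "ip": "192.0.2.77", "country": "NL"}
{"ts": "2024-05-06T03:16:45Z", "user": "alice", "event": "mfa_push_approved", "ip": "192.0.2.77", "country": "NL"}
{"ts": "2024-05-06T03:16:46Z", "user": "alice", "event": "login_success", "ip": "192.0.2.77", "country": "NL"}
{"ts": "2024-05-06T09:00:00Z", "user": "bob", "event": "mfa_push_sent", "ip": "198.51.100.9", "country": "US"}
{"ts": "2024-05-06T09:00:20Z", "user": "bob", "event": "mfa_push_approved", "ip": "198.51.100.9", "country": "US"}
{"ts": "2024-05-06T09:00:21Z", "user": "bob", "event": "login_success", "ip": "198.51.100.9", "country": "US"}
"""
PUSH_BURST_COUNT, PUSH_BURST_WINDOW = 3, timedelta(minutes=5)  # assumed thresholds
CORRELATION_WINDOW = timedelta(minutes=10)

def parse_log(text):
    """Parse JSON lines into dicts with a datetime `ts`, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def detect_push_bursts(events, count=PUSH_BURST_COUNT, window=PUSH_BURST_WINDOW):
    """Alert when a user receives `count` MFA push prompts inside `window`: repeated
    prompting until the user gives in and approves one is a classic pressure tactic."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["event"] != "mfa_push_sent":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop prompts that fell out of the sliding window
            q.pop(0)
        if len(q) == count:  # fire once, when the threshold is first reached
            alerts.append({"type": "mfa_push_burst", "user": e["user"], "ts": e["ts"], "ip": e["ip"]})
    return alerts

def detect_new_countries(events, baseline_until):
    """Learn each user's countries from successful logins before `baseline_until`,
    then alert on the first successful login from a country not in that baseline."""
    seen, alerts = defaultdict(set), []
    for e in events:
        if e["event"] != "login_success":
            continue
        if e["ts"] < baseline_until:
            seen[e["user"]].add(e["country"])
        elif e["country"] not in seen[e["user"]]:
            seen[e["user"]].add(e["country"])  # alert once per new country, not on every login
            alerts.append({"type": "new_country_login", "user": e["user"], "ts": e["ts"],
                           "ip": e["ip"], "country": e["country"]})
    return alerts

def correlate(events, baseline_until, window=CORRELATION_WINDOW):
    """Combine the two signals: a push burst followed within `window` by a login from a
    new country for the same user is the pattern that deserves an immediate response."""
    bursts = detect_push_bursts(events)
    geo = detect_new_countries(events, baseline_until)
    alerts = bursts + geo
    for g in geo:
        if any(b["user"] == g["user"] and timedelta(0) <= g["ts"] - b["ts"] <= window for b in bursts):
            alerts.append({"type": "push_burst_then_new_country_login", "user": g["user"],
                           "ts": g["ts"], "ip": g["ip"]})
    return alerts

def run(text=SAMPLE_LOG, baseline_until=datetime(2024, 5, 5)):
    """Evaluate the sample log with a baseline learned from events before 2024-05-05."""
    return correlate(parse_log(text), baseline_until)

if __name__ == "__main__":
    for a in run():
        print(a["ts"].isoformat(), a["user"], a["type"])
```

On the sample, alice gets three alerts (the prompt burst, the first login from NL, and the correlated high-severity alert), while bob's single prompt and approval from his usual location produce none. The thresholds are the tuning knobs: too low and travelling users drown the queue, too high and a patient attacker who spaces out prompts slips under it, which is why the correlated alert is the one worth paging on.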
3. Implement Strong Verification Policies
It may sound like a given, but you don’t just need technical controls and procedures for handling sensitive information—you also need policies to instruct and guide your employees in interacting with unknown individuals.
Make sure to establish and communicate protocols for verifying identities, sharing information, and reporting suspicious activities, particularly where sensitive information is concerned.
4. Perform Regular Security Audits and Assessments
Adhering to a security standard and having your compliance audited regularly can help identify emerging vulnerabilities and weaknesses in your organization's systems and processes so that you can take preventive measures accordingly.
And while that will also help uncover potential areas that social engineers may exploit, you also have the option to have a specific social engineering campaign performed by an experienced penetration tester that can test how your employees will respond to such a targeted attack.
5. Stay Informed and Updated
New social engineering scenarios emerge all the time, so it’s important to keep abreast of the latest tactics and trends so that you can add them to your security awareness training and regularly update security policies and practices to accommodate evolving threats.
Moving Forward
Though only one of many different types of security threats, social engineering is unique in that it doesn’t attempt to breach your organization through a gap in your technical safeguards—rather, it targets your people, making it incredibly important that you implement specific measures to protect all personnel from these deceptive scams.
Now that you understand a bit more about how these attacks work and where to start with safeguards, you may be interested in having a sanctioned social engineering campaign performed to pinpoint even more clearly where your people need help. To learn more about these exercises, you can contact us, and also check out our content that sheds light on other threats and strategies.
About Dan Groner
Dan is a Senior Penetration Tester at Schellman based in Washington. Prior to joining the firm, Dan held roles as a Core Pen Tester and Security Consultant, where he gained experience in various types of penetration testing, including those necessary for compliance initiatives. Now at Schellman, he remains focused on helping organizations discover vulnerabilities and delivering remediation and quantifiable solutions to ensure positive security refinement for clients.