How Not to Fall Victim to Social Engineering

25 Jan 2021

    Humans are emotional beings, and social engineering is a very effective way to take advantage of that. What’s more, social engineering attacks such as phishing or spreading malicious links don’t usually require highly specific technical skills on the side of the attacker. Forcing thousands of users to give up sensitive information or perform harmful actions has so far proven to be rather easy! Don’t be fooled – even when your business is small, you might still become a target.

    You've likely heard about spam or phishing – two examples of how emotional reactions of users might be misused. Spam is mostly sent in emails, but it can also be delivered via instant messages, voice mail, SMS, and social media. Spam itself is not a method of social engineering in the true sense of the word, but it might include phishing, spear phishing, vishing (which is the phone call version of phishing), smishing (which uses SMS, aka texting) or spreading malicious attachments or links. 


    Why SMBs should care about social engineering


    Phishing is one of the most frequently used forms of social engineering. In this case, the attacker pretends to be a trustworthy entity, requesting sensitive information from the victim. But there is much more to watch out for. The world of social engineering is fairly varied – let’s take a look at other types of attacks.


    Spear phishing

    A targeted form of phishing toward a specific individual, organization, or business. Typical phishing campaigns don't target victims individually – they are sent to hundreds or thousands of recipients.


    Vishing and smishing

    Social engineering techniques similar to phishing but using platforms other than email. In the case of vishing, sensitive information is gained via fraudulent phone calls, whereas smishing uses SMS text messages. This form of social engineering most often attempts to redirect the victim to a website where the data is harvested. The SMS text message itself is not well suited for extensive data collection, but cybercriminals might also ask the victim to send sensitive data in a direct SMS reply.



    Scareware is software that uses various anxiety-inducing techniques to force victims into installing further malicious code on their devices. For example, fake antivirus products trick users into installing specific software to remove the problem. But instead of fixing your system, the software will infect your system or completely destroy it.




    The technique of impersonation is the same as in the physical world. Cybercriminals contact employees, typically posing as the CEO, and try to manipulate the victims into taking action – ordering and approving fraudulent transactions, for example.



    Technical Support Scams

    Tech support scams are fake technical support services offered via phone calls or a web scam. Attackers strive to sell fake services and remove nonexistent problems or install a remote access solution into victims’ devices and gain unauthorized access to their data. This practice has become much more common since the COVID-19 pandemic began and more employees started working from home and using their own computers.⁠




    Sextortion is an email scam scheme that attempts to blackmail victims using baseless claims and accusations. Read more on how it works and how to stay safe.



    (Cyber) Scams

    Cyber scams are combinations of various techniques mentioned above.



    How to protect your business from social engineering

    Now that you know the techniques of social engineering, how can you recognize them? There are a few signals that could help. Does the text contain mistakes, wrong grammar, and a sense of urgency? Is there something odd about the sender's address? Is someone you don’t know asking for your personal information or a password? Do you feel that the message is trying to prompt you into acting unquestioningly? Does the offer in the email sound too good to be true? Because it probably is. Remember, any request for sensitive data is suspicious.


    Anyway, you can do more to protect your business from social engineering. Here are several tips on how to stay one step ahead of attackers.


    1. Train your employees

    Since social engineering techniques rely on the low cybersecurity awareness of their targets, regular cybersecurity trainings are important for the whole company – whether for top management, IT, or other departments. During the training, try to include real-life scenarios. Only then will your employees be able to imagine particular situations and learn from them. Your employees should be aware of an understandable security policy and know what steps to take when they come into contact with social engineering.


    Educate your teams about ybersecurity threats with ESET Cybersecurity Training


    2. Have your passwords under control

    A strong password policy is a must-have. Scan for weak passwords that could potentially be misused by attackers. Also, consider using another layer of security by implementing multifactor authentication.


    3. Use appropriate security solutions 

    Another way to improve your security could be by implementing technical solutions to tackle scam communications. Then spams or phishing messages could be detected, quarantined, neutralized, and deleted. Enhance your protection by using tools that allow IT admins full visibility and the ability to detect and mitigate potential threats in the network.


    Keep in mind that the more you know about cyber risks, the more you are aware of the necessary prevention. Thanks to that, your data will be protected – and so will your business. 

    Read also

    It’s high season for phishing – here’s how to spot fraudulent emails before they cause any harm

    It’s high season for phishing – here’s how to spot fraudulent emails before they cause any harm

    Your employees have probably already received emails that appear to come from a bank or other popular online service, requesting that they “confirm” their account credentials or credit card number.This is a common phishing technique – if they click on the link in the email, they give access to hackers and their malicious intentions. Unfortunately, phishing lures are constantly changing – and they’re sometimes hard to recognize.

    Impersonation: When an Attacker Is Posing as the CEO

    Impersonation: When an Attacker Is Posing as the CEO

    You have probably heard about social engineering – psychologically manipulating people into involuntarily revealing sensitive information. Let's take a look at impersonation, another non-technical attack technique used by cybercriminals to pretend to be trustworthy people while trying to manipulate others (e.g., to order and approve fraudulent transactions). How do you recognize when you are contacted by a cybercriminal instead of your colleague?

    Cyber blackmail and sextortion scams: What employees need to know

    Cyber blackmail and sextortion scams: What employees need to know

    Blackmail is a common practice among cybercriminals. Although most of the threats are usually fake, many employees lack enough knowledge and are easily taken in. Therefore, it’s crucial to constantly raise awareness and talk about online scams – including sextortion.

    Want to Build a Cyber-Aware Culture? Find a Way to Pass on Knowledge Without Scaring Employees

    Want to Build a Cyber-Aware Culture? Find a Way to Pass on Knowledge Without Scaring Employees

    Cybersecurity education could be compared to taking an exam. You learn something to prepare for the test, but if you don't use that knowledge again for a long time, you forget it. This is often the case with cybersecurity training for employees, which takes place once or twice a year. Education should be an ongoing process for best results.