How to Protect Your Business from Social Engineering Attacks

Social engineering is a broad term for techniques to trick someone into doing something they wouldn’t normally do so an attacker can gain information or access computer systems to commit a crime.  

The most common form of social engineering is phishing. Email is the “front door” for most organizations. Attackers know that most people receive so many emails about so many different topics; even the most cyber-aware employees can let their guard slip from time to time.   

How to spot phishing emails

Phishing refers to fraudulent or fake emails designed to trigger an emotional response to impair someone’s decision-making. Under pressure, they are more likely to reveal information such as a password or even be tricked into doing something they wouldn’t normally do. Phishing attacks usually happen via email but can also be through text messages, WhatsApp, or even phone calls.

An attacker using phishing or other social engineering techniques is seeking to make someone feel emotional or under pressure and may claim to be a reputable source. Your employees should always be cautious if there is a sense of urgency or if they are being asked to do something they wouldn’t normally do, such as logging in differently or transferring money.  

Common themes that are used in scams can include: 

• Asking the victim to use their business credentials to log in via a web page to access something, such as a file that has been shared. 
• Asking the victim to download and install an important update, such as a security patch. 
• Collecting a prize or some other unexpected financial gain. 
• Scare tactics such as an overdue invoice and the threat of turning off a service. 
• Requests to donate to a charitable organization, often following a humanitarian crisis such as an earthquake. 
• Email attachments, which can be hiding viruses or malware. 

The best way to protect against phishing is to make sure your employees know to expect it and know where to report it. Remember—there is no such thing as over-reporting! It’s far better to hear about nine false positives but catch the one malicious email.  

If in doubt: 

• Never provide personal information or information about the organization unless you are certain of who you are talking to.  
• Never provide personal information in an email or click on unknown links sent in an email.  
• If you are ever unsure, contact the company directly to verify it. 

What should you do if you or one of your employees has been a victim of a phishing attack? 

If you suspect that you’ve responded to a phishing scam with personal or financial information, take these steps to minimize any damage:  

1. Report it to your IT team and change the information that has been revealed. For example, change any passwords or PINs on the account or service that you think might have been compromised. 
2. If the details are for an external service, contact the relevant service provider directly. 
3. Routinely review your bank and credit card statements for unexplained charges or inquiries that you didn’t initiate. 
4. Contact the authorities. In the U.S., this is the National Cybersecurity Communications and Integration Center (NCCIC).  

As more services move online, it is becoming increasingly important to empower yourself and your employees with cybersecurity knowledge and what you and they can do to protect your business. Investing in resources like Security Awareness Training can empower your employees to be the business’s first line of defense. Learn more about Yeo & Yeo Technology’s Security Awareness Training solutions.