
A 3-part guide to beating social engineering

We could list all the online threats for you, but we’d rather not. That list would go on forever … and then some.

New online threats appear faster than anyone can catalog them, and the only way to truly protect yourself is to understand the risks.

In other words, you need to know what the threats are, and you need to know how to avoid them. Without this knowledge, it’ll only be a matter of time before you become a victim.

But we don’t want that for you … obviously. We want you to steer clear of online threats and keep your digital self protected. So let us give you a few helpful pointers, starting with social engineering.

1. Social engineering loves email

Social engineering is on the rise and takes many forms, the most common being malicious email (phishing). A single phishing message can hand an attacker control of your computer or your online accounts, so it’s important to know how to spot one.

First, scrutinize any email that asks you to do something, especially one you weren’t expecting. You might receive a message from someone claiming to be a new employee, or from a familiar brand that wants to do business with you. But how can you know for sure?

“When something feels off, it probably is. But since the whole point of phishing (and its more tailored and targeted counterpart spear phishing) is to get you to do something without raising alarm bells, you need to practice skepticism even when things seem fine,” says Lily Hay Newman, writing for Wired magazine.
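
Skepticism can be partly automated. The script below is an added example, not code from the original article or from Wired: it runs a few heuristic checks over the From and Reply-To headers of a raw message, the kind of checks a mail gateway or a cautious reader applies before trusting a sender. The trusted domains, the protected display-name words and the four sample messages are constructed for illustration.

```python
"""Heuristic sender checks for raw email headers.

Added example; not code from the original article. The trusted domains,
protected names and the four sample messages below are constructed for
illustration.
"""
import email
from email.utils import parseaddr

# Hypothetical: domains this company and its known vendors really send from.
TRUSTED_DOMAINS = {"example.com", "payroll-vendor.example"}
# Hypothetical: words in a display name that should only come from trusted domains.
PROTECTED_NAMES = {"example", "payroll", "ceo", "it support"}
# Character sequences commonly swapped in lookalike domains.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize_domain(domain: str) -> str:
    """Fold confusable sequences so 'exarnple.com' compares equal to 'example.com'."""
    folded = domain.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(raw: str) -> list[str]:
    """Return warnings for one raw message; an empty list means no findings."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = sender_domain(addr)
    findings = []

    if not domain:
        return ["From header has no usable address"]

    if domain.startswith("xn--") or ".xn--" in domain:
        findings.append(f"punycode (internationalized) sender domain: {domain}")

    if domain not in TRUSTED_DOMAINS:
        folded = normalize_domain(domain)
        for trusted in sorted(TRUSTED_DOMAINS):
            if folded == trusted:
                findings.append(f"lookalike of trusted domain {trusted}: {domain}")
            elif trusted in domain:
                findings.append(f"trusted domain {trusted} embedded in untrusted domain {domain}")
        if any(word in name.lower() for word in PROTECTED_NAMES):
            findings.append(f"display name '{name}' implies a trusted sender but domain is {domain}")

    reply_domain = sender_domain(reply_addr)
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To goes to {reply_domain}, not the From domain {domain}")

    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": (
        "From: Payroll <billing@payroll-vendor.example>\n"
        "To: you@example.com\nSubject: April invoice\n\nInvoice attached.\n"
    ),
    "lookalike": (
        "From: Payroll Vendor <billing@payroll-vendor.exarnple>\n"
        "To: you@example.com\nSubject: URGENT: updated bank details\n\nPlease update our account.\n"
    ),
    "embedded": (
        "From: IT Support <helpdesk@example.com.login-portal.net>\n"
        "To: you@example.com\nSubject: Password expiry\n\nClick to keep your account.\n"
    ),
    "reply_to": (
        "From: CEO <ceo@example.com>\nReply-To: ceo.example@gmail.com\n"
        "To: you@example.com\nSubject: Quick favour\n\nAre you at your desk?\n"
    ),
}


def scan_samples() -> dict[str, list[str]]:
    """Run check_sender over every constructed sample and collect the findings."""
    return {label: check_sender(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label}: {findings or 'no findings'}")
```

Two caveats a practitioner should keep in mind. The confusable folding is deliberately crude and will occasionally flag an honest domain that happens to contain "rn" or a digit, so treat the output as a prompt to verify, not as a verdict. And the "CEO" sample is only caught because its Reply-To points elsewhere: a message whose From header is outright forged to show your real domain looks clean to these checks and is caught only by SPF, DKIM and DMARC validation at the receiving mail server, which this script does not perform.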

And remember, phishing doesn’t just happen inside the traditional inbox. Watch out for potential attackers on social media, too. Research suggests that 40 percent of Facebook accounts and 20 percent of Twitter accounts that claim to represent a Global 100 brand are unauthorized. In other words, if you’ve received a message from Mark Zuckerberg asking you to join his team, you should probably remain skeptical.

2. Social engineering exists outside your inbox

Social engineering can happen to anyone at any time — and yes, anywhere. And if you think your industry is safe, think again.

The sector that experienced the most phishing attacks in 2016 wasn’t banking or finance … but manufacturing, closely followed by IT, retail, healthcare, and accommodation.

While many social engineering attacks originate via email, you can still become the victim of a scam elsewhere — over the phone, from an ad on a website, and even in person.

“Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information,” says the United States Computer Emergency Readiness Team (US-CERT). “If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.”

3. Social engineering banks on broken procedures

That’s right. Social engineers are masters at manipulating internal policies and procedures.

Instead of hacking your systems, they learn how your approvals work. Then they find the step that relies on someone taking a claim at face value, and they use you to carry out the fraud.

For example, say a criminal learns that a vendor payment over a certain threshold needs approval from two executives. The criminal poses as a vendor, looks up the names of your executives, and emails you (one of those executives).

The email says that executive XYZ has already approved the payment and that they’re just waiting on your sign-off. To make you feel rushed, they put the word “urgent” in the subject line.

Without second-guessing the “urgent” request, you grant approval and the payment goes out. The two-approver control never actually ran: the only evidence of the first approval was the attacker’s own claim.

In this case, a bit of skepticism and a few extra minutes, say a call to the other executive on a number you already have, would have stopped the attack. Long story short, verify before you act, and remain suspicious of everything online.
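
The policy failure in that scenario, written out as an added example (not code from the original article): a payment-release check that believes the email’s claim about who has already approved, beside one that only counts approvals entered into a hypothetical approval ledger by authenticated executives. The threshold, the approver identities and the request are constructed.

```python
"""Two-person payment approval: a check that trusts the request beside one
that consults the system of record.

Added example; not code from the original article. The threshold, the
approver identities and the scenario below are constructed for illustration.
"""
from dataclasses import dataclass, field

THRESHOLD = 10_000  # hypothetical: payments at or above this need two executive approvals
EXECUTIVES = {"alice", "bob", "carol"}  # hypothetical authenticated approver identities


@dataclass
class PaymentRequest:
    request_id: str
    amount: int
    requester: str  # who submitted the request (the "vendor")
    # Everything below comes from the incoming email and is attacker-controlled.
    claimed_approvals: set[str] = field(default_factory=set)
    urgent: bool = False


def release_payment_weak(req: PaymentRequest, my_identity: str) -> bool:
    """Broken procedure: counts whoever the email says has already approved."""
    if req.amount < THRESHOLD:
        return True
    approvals = set(req.claimed_approvals) | {my_identity}
    return len(approvals & EXECUTIVES) >= 2


class ApprovalLedger:
    """System of record: only approvals entered here by authenticated executives count."""

    def __init__(self) -> None:
        self._requests: dict[str, PaymentRequest] = {}
        self._approvals: dict[str, set[str]] = {}

    def open(self, req: PaymentRequest) -> None:
        self._requests[req.request_id] = req
        self._approvals[req.request_id] = set()

    def record(self, request_id: str, approver: str) -> None:
        req = self._requests[request_id]  # KeyError: nobody can approve an unknown request
        if approver not in EXECUTIVES:
            raise PermissionError(f"{approver} is not an authorized approver")
        if approver == req.requester:
            raise PermissionError("a requester cannot approve their own payment")
        self._approvals[request_id].add(approver)

    def approvals_for(self, request_id: str) -> set[str]:
        return set(self._approvals.get(request_id, set()))


def release_payment_strict(req: PaymentRequest, ledger: ApprovalLedger) -> bool:
    """Hardened: the email's claims and the 'urgent' flag play no part in the decision."""
    if req.amount < THRESHOLD:
        return True
    return len(ledger.approvals_for(req.request_id) & EXECUTIVES) >= 2


def run_scenario() -> dict[str, bool]:
    """The article's attack: the email asserts that Bob already signed off."""
    req = PaymentRequest(
        request_id="INV-7781", amount=25_000, requester="xyz-vendor",
        claimed_approvals={"bob"}, urgent=True,
    )
    ledger = ApprovalLedger()
    ledger.open(req)
    ledger.record(req.request_id, "alice")  # Alice, reading the email, approves
    results = {
        # Alice's approval plus the email's claim about Bob satisfies the weak check
        "weak_released": release_payment_weak(req, "alice"),
        # the ledger shows one real approval, so the strict check refuses
        "strict_before_bob": release_payment_strict(req, ledger),
    }
    ledger.record(req.request_id, "bob")  # Bob approves in the system himself
    results["strict_after_bob"] = release_payment_strict(req, ledger)
    return results


if __name__ == "__main__":
    for name, released in run_scenario().items():
        print(f"{name}: {released}")
```

The difference between the two checks is where the second approval comes from. The weak version reads it out of the request, which is exactly the field the attacker wrote; the strict version reads it out of a record that only an authenticated executive can write to, refuses self-approval, and never looks at the urgency flag at all. That is the same principle as the US-CERT advice above: verify through a channel the requester does not control.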


But of course, social engineering goes well beyond this. And it’ll take a lot more than suspicion to ward off this type of attack, and here are three reasons why.