Defending Against Common Social Engineering Attacks

Learn about the psychology behind social engineering attacks and the steps you can take to block these advanced email threats.
March 1, 2023

Social engineering is by no means a new phenomenon. As Crane Hassold, Abnormal Security’s Director of Threat Intelligence explains, “The same techniques that have been used for thousands of years to con people are the same tactics that are used today for email attacks. The only difference is that criminals use a computer to do it.”

Targeted email attacks that rely on social engineering—like credential phishing, business email compromise, vendor email compromise, invoice fraud, and account takeover—have a high potential for costly consequences.

This is why taking steps to block these threats is crucial for every organization, regardless of size.

The Fundamentals of Social Engineering Attacks

In social engineering attacks, rather than tricking targets into downloading infected attachments or clicking malicious links, threat actors use false pretexts, manufactured urgency, or implicit trust to dupe employees. This is often accomplished by posing as an authority figure or a trusted colleague—either by compromising their actual account or simply impersonating them.

Typically when we receive an email from a coworker, vendor, or member of the executive team asking for assistance with something important, our immediate response is to be helpful—not question the identity of the sender or the legitimacy of their request. This is precisely what bad actors exploit to achieve their objectives.

Socially-engineered attacks take advantage of our natural inclination to be cooperative and give the benefit of the doubt. They leverage psychological manipulation to convince employees to share sensitive data, provide login credentials, interact with malware, update bank account information, and pay fraudulent invoices.

Although social engineering may seem less sophisticated than developing and deploying malicious software, it’s frequently a more effective tactic because traditional email security systems lack the functionality to block these types of threats. By exclusively relying on text-based communication (as opposed to attachments containing malware), threat actors can more easily circumvent conventional security measures.

In short, modern cybercriminals have learned how to “hack the human”, as Hassold would say, rendering tools that look only for traditional indicators of compromise wholly ineffective against these threats.

Here are a few ways companies can defend against common social engineering attacks.

Support a Culture of Healthy Skepticism

At this point, attacks in which threat actors impersonate the CEO and ask employees to purchase gift cards are universally well-known.

But what about a phishing email that appears to be an internal announcement sent from your HR department about important updates to employee benefits? Or a financial supply chain compromise attack in which both the attorney being impersonated (who is supposedly following up on an overdue invoice) and the law firm at which he works exist in the real world?

Unfortunately, attackers have an untold number of strategies for deceiving your workforce. Accordingly, employees should be encouraged to approach some requests with a reasonable level of suspicion. They should also feel comfortable pursuing external verification via means other than email. In other words, your organization should foster an environment where the unofficial cybersecurity motto is “Better safe than sorry.”

Perform Social Engineering Penetration Testing

Social engineering penetration testing involves attempting to execute common social engineering attacks on your workforce to determine the level of susceptibility to such threats. Conducted under controlled conditions and with careful oversight, a social engineering penetration test entails sending emails that leverage the same tactics real-world attackers use and observing whether employees engage.

These exercises allow your organization to understand how employees would respond to actual threats without putting the business at risk. They enable you to assess the effectiveness of your security awareness training and evaluate how well employees are (or aren’t) complying with established security policies and protocols.

Social engineering penetration testing can also provide insight into the strength of your company’s network security controls and identify opportunities for improvement in your organization’s incident response plan.

Apply the Principle of Least Privilege

An essential aspect of zero trust security, the principle of least privilege (PoLP) dictates that every user is granted access only to the specific data, software solutions, and resources required to do their job. Additionally, even within the individual applications they use, employee access is limited to only the features needed to execute their particular tasks.

The principle of least privilege reduces your company’s attack surface and mitigates the impact of human error by decreasing the number of channels that threat actors can utilize to access sensitive data or launch additional attacks.

Adopting PoLP is less about preventing social engineering attacks and more about recognizing that, as long as advanced threats can reach employee inboxes, your organization should have strategies in place to minimize the consequences of a successful attack.

Adopt a Security Solution Designed to Block Social Engineering Attacks

Fostering an environment of reasonable skepticism, conducting social engineering penetration testing, and following the principle of least privilege are all effective ways to lower your vulnerability to and reduce the fallout from socially-engineered attacks. However, the best approach is to implement an email security platform that ensures advanced threats never reach employee inboxes in the first place.

Cloud email security technology that can identify even minor changes in behavior and content is essential since common social engineering attacks exploit established relationships and trusted email accounts. These solutions baseline known-good behavior across both employees and vendors, detect anomalies that deviate from that baseline, and then quickly remediate malicious emails to prevent any interaction from end-users.
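The baselining approach described above, as an added example that is not Abnormal's code: build a known-good profile per vendor sending domain from past mail, then list how a new message deviates from it. All addresses, domains and message bodies are constructed sample data, and the keyword lists and the 0.9 similarity threshold for lookalike domains are illustrative choices.

```python
import difflib
from collections import defaultdict

# Constructed sample traffic (not real data): normal vendor invoices, then a lookalike impersonation.
HISTORY = [
    {"from": "billing@acme-supply.example", "reply_to": "billing@acme-supply.example",
     "to": "ap@corp.example", "body": "Invoice 1041 attached for March services."},
    {"from": "billing@acme-supply.example", "reply_to": "billing@acme-supply.example",
     "to": "ap@corp.example", "body": "Invoice 1052 attached for April services."},
]
SUSPECT = {"from": "billing@acme-suppIy.example", "reply_to": "acct@freemail.example",
           "to": "cfo@corp.example",
           "body": "URGENT: we changed banks. Update our bank account details before paying."}
PAYMENT_WORDS = ("bank account", "wire", "routing number", "changed banks")
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def build_baseline(history):
    """Known-good behaviour per sending domain: reply-to domains seen, recipients
    seen, and whether payment-detail language has ever been normal for the sender."""
    base = defaultdict(lambda: {"reply_to": set(), "to": set(), "payment_talk": False})
    for m in history:
        b = base[domain(m["from"])]
        b["reply_to"].add(domain(m["reply_to"]))
        b["to"].add(m["to"].lower())
        b["payment_talk"] |= any(w in m["body"].lower() for w in PAYMENT_WORDS)
    return dict(base)

def deviations(msg, base):
    """List the ways msg departs from the baseline of the vendor it claims to be."""
    sender, found = domain(msg["from"]), []
    if sender not in base:
        # Unknown domain: a near-match of a trusted vendor domain is treated as a lookalike.
        near = [d for d in base if difflib.SequenceMatcher(None, sender, d).ratio() >= 0.9]
        if not near:
            return ["unknown sender domain"]
        sender = near[0]
        found.append(f"lookalike of trusted domain {sender}")
    b, body = base[sender], msg["body"].lower()
    if domain(msg["reply_to"]) not in b["reply_to"]:
        found.append("reply-to domain differs from baseline")
    if msg["to"].lower() not in b["to"]:
        found.append("new recipient for this sender")
    if any(w in body for w in PAYMENT_WORDS) and not b["payment_talk"]:
        found.append("first-ever payment-detail change request")
    if any(w in body for w in URGENCY_WORDS):
        found.append("urgency language")
    return found
```

A routine invoice from the baseline returns no deviations, while the impersonation trips every check at once, which is the kind of combined signal a behavioral platform acts on before the recipient can reply.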

Investing in software to prevent social engineering attacks limits your employees’ exposure to email threats and decreases opportunities for them to miscategorize an attack as a legitimate request.

For insight into the current email threat landscape and to see why your workforce should never be your last (or first) line of defense, download our latest email threat report. Or, to see how Abnormal can protect your organization from social engineering attacks, schedule a demo.
