Defending Against Common Social Engineering Attacks

Learn about the psychology behind social engineering attacks and the steps you can take to block these advanced email threats.
March 1, 2023

Social engineering is by no means a new phenomenon. As Crane Hassold, Abnormal Security’s Director of Threat Intelligence explains, “The same techniques that have been used for thousands of years to con people are the same tactics that are used today for email attacks. The only difference is that criminals use a computer to do it.”

Targeted email attacks that rely on social engineering—like credential phishing, business email compromise, vendor email compromise, invoice fraud, and account takeover—have a high potential for costly consequences.

This is why taking steps to block these threats is crucial for every organization, regardless of size.

The Fundamentals of Social Engineering Attacks

Rather than tricking targets into downloading infected attachments or clicking on malicious links, in social engineering attacks threat actors use false pretexts and manufactured urgency or implicit trust to dupe employees. This is often accomplished by posing as an authority figure or a trusted colleague—either by compromising their actual account or simply impersonating them.

Typically when we receive an email from a coworker, vendor, or member of the executive team asking for assistance with something important, our immediate response is to be helpful—not question the identity of the sender or the legitimacy of their request. This is precisely what bad actors exploit to achieve their objectives.

Socially-engineered attacks take advantage of our natural inclination to be cooperative and give the benefit of the doubt. They leverage psychological manipulation to convince employees to share sensitive data, provide login credentials, interact with malware, update bank account information, and pay fraudulent invoices.

Although social engineering may seem less sophisticated than developing and deploying malicious software, it’s frequently a more effective tactic because traditional email security systems lack the functionality to block these types of threats. By exclusively relying on text-based communication (as opposed to attachments containing malware), threat actors can more easily circumvent conventional security measures.

In short, modern cybercriminals have learned how to “hack the human”, as Hassold would say, rendering tools that look only for traditional indicators of compromise wholly ineffective against these threats.

Here are a few ways companies can defend against common social engineering attacks.

Support a Culture of Healthy Skepticism

At this point, attacks in which threat actors impersonate the CEO and ask employees to purchase gift cards are universally well-known.

But what about a phishing email that appears to be an internal announcement sent from your HR department about important updates to employee benefits? Or a financial supply chain compromise attack in which both the attorney being impersonated (who is supposedly following up on an overdue invoice) and the law firm at which he works exist in the real world?

Unfortunately, attackers have an untold number of strategies for deceiving your workforce. Accordingly, employees should be encouraged to approach some requests with a reasonable level of suspicion. They should also feel comfortable pursuing external verification via means other than email. In other words, your organization should foster an environment where the unofficial cybersecurity motto is “Better safe than sorry.”

Perform Social Engineering Penetration Testing

Social engineering penetration testing involves attempting to execute common social engineering attacks on your workforce to determine the level of susceptibility to such threats. Conducted under controlled conditions and with careful oversight, a social engineering penetration test entails sending emails that leverage the same tactics real-world attackers use and observing whether employees engage.

These exercises allow your organization to understand how employees would respond to actual threats without putting the business at risk. They enable you to assess the effectiveness of your security awareness training and evaluate how well employees are (or aren’t) complying with established security policies and protocols.

Social engineering penetration testing can also provide insight into the strength of your company’s network security controls and identify opportunities for improvement in your organization’s incident response plan.

Apply the Principle of Least Privilege

An essential aspect of zero trust security, the principle of least privilege (PoLP) dictates that every user is granted access only to the specific data, software solutions, and resources required to do their job. Additionally, even within the individual applications they use, employee access is limited to only the features needed to execute their particular tasks.

The principle of least privilege reduces your company’s attack surface and mitigates the impact of human error by decreasing the number of channels that threat actors can utilize to access sensitive data or launch additional attacks.

Adopting PoLP is less about preventing social engineering attacks and more about recognizing that, as long as advanced threats can reach employee inboxes, your organization should have strategies in place to minimize the consequences of a successful attack.

Adopt a Security Solution Designed to Block Social Engineering Attacks

Fostering an environment of reasonable skepticism, conducting social engineering penetration testing, and following the principle of least privilege are all effective ways to lower your vulnerability to and reduce the fallout from socially-engineered attacks. However, the best approach is to implement an email security platform that ensures advanced threats never reach employee inboxes in the first place.

Cloud email security technology that can identify even minor changes in behavior and content is essential, since common social engineering attacks exploit established relationships and trusted email accounts. These solutions baseline known-good behavior across both employees and vendors, detect anomalies that deviate from that baseline, and then quickly remediate malicious emails before end users can interact with them.
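To make the baselining idea concrete, here is a deliberately small, added illustration (not Abnormal's product or detection logic): it learns which sender and reply-to addresses each display name has historically used, then flags new messages whose display name matches a known contact while the address or reply-to deviates, or which arrive from a first-time sender, or which carry payment and urgency language. The message tuples and addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample history: (display_name, from_addr, reply_to, subject).
HISTORY = [
    ("Dana Lee", "dana.lee@example-corp.com", "dana.lee@example-corp.com", "Q3 numbers"),
    ("Dana Lee", "dana.lee@example-corp.com", "dana.lee@example-corp.com", "Lunch?"),
    ("Acme Billing", "ar@acme-vendor.example", "ar@acme-vendor.example", "Invoice 1042"),
    ("Acme Billing", "ar@acme-vendor.example", "ar@acme-vendor.example", "Invoice 1077"),
]

# Constructed incoming messages to score against that history.
NEW_MAIL = [
    ("Dana Lee", "dana.lee@example-corp.com", "dana.lee@example-corp.com", "Quick question"),
    ("Dana Lee", "danalee.ceo@webmail.example", "danalee.ceo@webmail.example", "Need gift cards today"),
    ("Acme Billing", "ar@acme-vendor.example", "ar.acme@mail.example", "Updated bank details for invoice 1077"),
    ("New Vendor", "sales@newco.example", "sales@newco.example", "Intro"),
]

# Wording that often accompanies payment fraud or manufactured urgency.
RISKY_SUBJECT = re.compile(r"gift card|bank details|wire|urgent", re.IGNORECASE)

def build_baseline(history):
    """Map each display name to the sender and reply-to addresses seen for it."""
    baseline = defaultdict(lambda: {"from": set(), "reply_to": set()})
    for name, sender, reply_to, _subject in history:
        baseline[name]["from"].add(sender.lower())
        baseline[name]["reply_to"].add(reply_to.lower())
    return baseline

def score_message(baseline, name, sender, reply_to, subject):
    """Return the list of anomaly labels for one message (empty means nothing unusual)."""
    findings = []
    sender, reply_to = sender.lower(), reply_to.lower()
    known = baseline.get(name)  # .get() does not create a default entry
    if known is None:
        findings.append("first-contact sender")
    else:
        if sender not in known["from"]:
            findings.append("display name matches known contact, address does not")
        if reply_to != sender and reply_to not in known["reply_to"]:
            findings.append("reply-to diverges from sender's baseline")
    if RISKY_SUBJECT.search(subject):
        findings.append("payment/urgency language")
    return findings

def triage(history, new_mail):
    """Score every new message; returns [(subject, findings), ...] in input order."""
    baseline = build_baseline(history)
    return [(m[3], score_message(baseline, *m)) for m in new_mail]

if __name__ == "__main__":
    for subject, findings in triage(HISTORY, NEW_MAIL):
        print(f"{subject!r}: {findings or 'clean'}")
```

A real platform models far more signals (tone, timing, thread history, authentication results) than this toy, but the structure is the same: learn the norm per relationship, then alert on deviation rather than on a known-bad indicator.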

Investing in software to prevent social engineering attacks limits your employees’ exposure to email threats and decreases opportunities for them to miscategorize an attack as a legitimate request.

For insight into the current email threat landscape and to see why your workforce should never be your last (or first) line of defense, download our latest email threat report. Or, to see how Abnormal can protect your organization from social engineering attacks, schedule a demo.
