
How To Protect Against Social Engineering Attacks

How to protect yourself and your business/organization by taking actions to ward off cyber threats and hackers.


I recently took a refresher training on social engineering and cybersecurity. It came at the right time as two days before the training, I almost fell victim to a CEO Fraud (explained below) attempt. Fortunately, I stopped myself at the last minute.

This is not the first time I have received an email trying to trick me into giving out my credit card number. Hackers are getting smarter and savvier in their hateful trade.

Social Engineering

Cybersecurity is the protection of digital information stored in your cyber environment against computer-generated threats and hackers.

Social engineering covers a wide variety of malicious activities carried out through human interaction. It means manipulating people into acting in a certain way or divulging confidential information; actions that are not in the best interest of yourself, your business or your employer. A single mistake could bring down an entire organization. Social engineering attacks take place in a single step or across several. Ninety percent of cybersecurity breaches are due to social engineering.

Red Flags or Warning Signs

Red Flags mean signs of danger or a problem. There are several warning signs to understand.

It is essential to:

  • Identify the types of social engineering attacks
  • Identify red flags, and
  • Take actions to protect yourself and your business or your employer’s business.

Human Firewall is when you act as a fence between your organization’s internal network and criminals who are trying to gain unauthorized access. A cybersecurity breach is when an impostor gains unauthorized access to the protected systems and data of a business.

Ransomware is malicious software that will allow a hacker to deny you access to your files on a device or network until you pay a ransom.

Malware is an umbrella term for various kinds of malicious software that cybercriminals use. The word ‘umbrella term’ means encompassing a wide range of items that are within a single common category.

Phishing: This is where criminals or troublemakers try to trick you into giving out sensitive information, such as usernames and passwords, or into taking a potentially dangerous action. Phishing emails are disguised to look like they were sent by contacts or organizations you trust, pushing you to react without thinking first. Hackers can also phish you using text messages.

Troublemakers want you to take action that gives them access to your computer and to your employer’s network. This could include giving them your username and password.

Vishing stands for voice phishing: a scam phone call or recorded message, for example one urging you to “verify” fraudulent charges at a fake website.

Smishing stands for Short Message Service (SMS) phishing.

Breaches: These are the intentional or unintentional release of secure information to an untrusted environment. Out of all the breaches linked to social engineering and malware attacks, phishing was the main tactic used by hackers.

Social media is a hacker’s dream. Hackers look for information about you, your coworkers, and your organization from social media sites. They get to know what motivates you, and what makes you do something.


Spear phishing: This happens when an email or electronic communications scam targets a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on someone's computer.

Business Email Compromise (BEC): This is a type of scam targeting companies that carry out wire transfers and have suppliers abroad.

CEO Fraud: This is an email-based cyberattack in which hackers pose as company executives. Spoofed company emails try to trick employees into sending confidential information or wire transfers. Spoofing means sending messages from a bogus email address or faking the email address of another user.

Pretexting is a tool in the social engineer’s kit. It is a made-up scenario designed to gain your trust and make you more likely to give out information or act the way the attacker wants you to act.



The ‘Subject:’ line: The subject line can be your first indication of a red flag. Is the subject line irrelevant? Does it match the message content?

The ‘From:’ line: An email coming from an unknown address is an obvious red flag. If you know the sender (or the organization) but the email is unexpected or out of character, it is a red flag. Also, pay attention to the ‘Reply-To:’ address. If it does not match the ‘From:’ address, that is a red flag.

The ‘To:’ line: If you were included in an email and you do not know the other people it was sent to, it is a red flag.

The ‘Date:’ line: If you receive an email that you would usually get during normal business hours, but it was sent outside of normal business hours, this is a red flag.

Attachments: Any attachment you receive that you are not expecting, or that does not make sense in relation to the rest of the message, is a red flag. Attachments that want to run scripts, or that ask you to enter your username and password before opening, are red flags.

Content of the email: Being asked to take some action to avoid a negative consequence is a favorite trick of hackers. So, if the sender is asking you to click on a link or open an attachment, be on alert, especially if the request is made with a sense of urgency. The same is true if the email is asking you to look at a compromising or embarrassing picture of yourself or someone you know. If you have an uncomfortable feeling, or it just seems odd or illogical, it is a red flag. Additional red flags to be alert for include bad grammar or spelling mistakes, and a ‘voice’ in the message that just sounds different.

Hyperlinks: Look for misspellings in the link, for example, Arnazon instead of Amazon. Anytime you see a link that contains misspellings to make it look like a real link, that is a red flag.

Hover your mouse over the hyperlink. If the link address is for a different website, this is a big red flag.

Each mobile device may handle previewing links differently. Please check with your mobile device’s manufacturer on how to preview links. To make sure you do not accidentally click on a malicious link, the safest course of action is to wait until you can get on a computer to review the link.
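The header and hyperlink checks described above lend themselves to automation. The following Python script is an added example, not code from the original article or from the KnowBe4 material it draws on. It parses a constructed sample message and reports the red flags the text lists: a ‘Reply-To:’ domain that differs from the ‘From:’ domain, a ‘Date:’ outside business hours, urgency wording, link text that shows one address while the link actually points somewhere else, and a look-alike domain such as arnazon.com in place of amazon.com. The trusted-brand list, the business hours, the confusable-character table and both sample messages are assumptions made for the example.

```python
"""Spot the e-mail red flags described in the article (added example).

The sample messages, TRUSTED_BRANDS and BUSINESS_HOURS below are
constructed for illustration and are not from the article.
"""
import re
from datetime import time
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands this organisation normally receives mail from.
TRUSTED_BRANDS = {"amazon.com", "microsoft.com"}
# Assumption: normal business hours, Monday to Friday.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
# Characters attackers swap in because they look alike at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
URGENCY = re.compile(r"\b(urgent|immediately|act now|within \d+ hours|suspend\w*)\b", re.I)
# Link text that itself looks like a URL or bare domain (group 1 = host).
URL_LIKE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)


def _is_under(host, brand):
    return host == brand or host.endswith("." + brand)


def lookalike_of(host):
    """Return the trusted brand `host` imitates, or None if it is genuine/unrelated."""
    plain = host.lower()
    if plain.startswith("www."):
        plain = plain[4:]
    if any(_is_under(plain, b) for b in TRUSTED_BRANDS):
        return None  # the real brand (or a genuine subdomain of it)
    # Undo digit look-alikes and the classic rn->m / vv->w tricks, then compare.
    norm = plain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    for brand in TRUSTED_BRANDS:
        if _is_under(norm, brand):
            return brand
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what the reader sees vs. where it goes."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def red_flags(raw_message):
    """Return a list of human-readable red flags found in an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""

    # Content: urgency or threats of a negative consequence.
    if URGENCY.search(str(msg["Subject"] or "") + " " + content):
        flags.append("urgency language in subject or body")

    # From vs Reply-To: replies silently go to a different domain.
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if msg["Reply-To"]:
        reply_domain = parseaddr(str(msg["Reply-To"]))[1].rpartition("@")[2].lower()
        if reply_domain != from_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Date: business mail sent at night or on a weekend.
    sent = parsedate_to_datetime(str(msg["Date"]))
    if sent.weekday() >= 5 or not BUSINESS_HOURS[0] <= sent.time() < BUSINESS_HOURS[1]:
        flags.append(f"sent outside business hours ({sent:%a %H:%M})")

    # Hyperlinks: look-alike hosts and text that shows a different address.
    extractor = LinkExtractor()
    extractor.feed(content)
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        brand = lookalike_of(host)
        if brand:
            flags.append(f"link host {host} imitates {brand}")
        shown = URL_LIKE.match(text)
        if shown and shown.group(1).lower() != host.lower():
            flags.append(f"link text shows {shown.group(1)} but points at {host}")
    return flags


# Constructed phishing sample: spoofed From, foreign Reply-To, 2 a.m. Saturday, look-alike link.
SAMPLE_EMAIL = """\
From: "Amazon Billing" <billing@amazon.com>
Reply-To: support@arnazon-billing.net
To: employee@example.com
Date: Sat, 13 Mar 2021 02:14:00 -0500
Subject: URGENT: verify your payment method within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Click
<a href="http://www.arnazon.com/verify">https://www.amazon.com/account</a> now.</p></body></html>
"""

# Constructed benign sample for comparison.
CLEAN_EMAIL = """\
From: Alice Example <alice@example.com>
To: employee@example.com
Date: Mon, 15 Mar 2021 10:00:00 -0500
Subject: Notes from this morning's meeting
Content-Type: text/plain; charset="utf-8"

Hi, here are the notes from this morning. See you Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("phishing sample", SAMPLE_EMAIL), ("clean sample", CLEAN_EMAIL)):
        print(f"{name}: {len(red_flags(raw))} red flag(s)")
        for flag in red_flags(raw):
            print("  -", flag)
```

The look-alike check deliberately normalises before comparing, so a genuine subdomain such as pay.amazon.com is not reported while arnazon.com and micr0soft.com are. Any real mail filter would add sender authentication results and a far larger brand list, but the five checks here are exactly the ones the article asks a reader to make by eye.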

How to Protect Your Personal and Business Presence

  • Always be wary of requests you get. Before you take any action, STOP, LOOK and THINK before you act. Contact the person making the request using their authenticated contact information.
  • Be careful of innocent conversations.
  • Don’t unintentionally reveal information about yourself or your employer.
  • Watch out for name dropping, or casually mentioning familiar names within the organization.
  • Beware of tailgaters trying to gain unauthorized access. Tailgating, or piggybacking, is a physical security breach in which an unauthorized person follows an authorized individual into secured premises. It is a way around many security mechanisms one would think of as secure.
  • Be helpful but avoid being manipulated.
  • Watch out for shoulder surfing. This is when someone spies on the user of an ATM, computer, or other electronic device to get their personal access information.
  • Unsecured items can be quickly stolen.
  • Be aware of your surroundings.
  • Keep important documents securely locked away when not in use.
  • Secure mobile devices and computers when not in use.
  • Anytime something is suspicious, or you receive something that is unexpected, STOP, LOOK and THINK before you act.
  • Report all suspicious activity using your organization’s protocol.


2021 Social Engineering Red Flags. KnowBe4.

This content is accurate and true to the best of the author’s knowledge and is not meant to substitute for formal and individualized advice from a qualified professional.

© 2021 Liliane Najm
