With increasingly sophisticated technical defenses for networks and computer systems, attackers often find it easier to go around these perimeter defenses by targeting the end user. In its 2020 Data Breach Investigations Report, Verizon found that phishing, the most common form of social engineering, was involved in 22% of the breaches it analyzed. So how can an organization help prevent social engineering attacks?
Social engineers target every channel people use to communicate: email, text, social media, voicemail, in-person conversations, and phone calls. Their strategy is to deceive someone into giving away sensitive information, either by simply asking for it or by tricking them into installing malicious software that lets the attacker spy on the organization. Social engineering is based on lies and manipulation and preys on traits of human nature such as trust, fear, curiosity, and helpfulness.
Here are six tips to help your organization prevent social engineering attacks:
- Be suspicious of people you don’t know who ask for sensitive information.
To avoid falling prey to social engineers, always maintain a healthy sense of skepticism about anyone asking for sensitive information. Assume the person is a potential scammer until proven otherwise. Never give out information about other employees, remote network access, organizational practices, or strategies to any unknown individual.
- Verify a sender’s identity before replying to any emails requesting personal information.
Phishing is a method of fraudulently obtaining information from a user by posing as a trusted entity, such as a bank. The most common form involves emailing users and asking them to "verify" an account by entering information on a fake website built to look like the real one. Avoid phishing schemes by contacting the purported sender to confirm that it actually sent the message, and do so using contact details you already have (the number on the back of your card or the organization's official website), never the phone number, link, or reply address supplied in the message itself. Legitimate financial institutions will not ask you for confidential information or login credentials by email.
- If you receive a text from a number you don’t recognize, read it carefully.
SMiShing (SMS phishing) occurs when a cybercriminal sends a text message that requests personal information or carries a link to a fraudulent site. The message may ask you to "verify" your details for some reason, or claim you have won a contest you never entered. Regardless of the pretext, a legitimate company or service will not ask for personal information or credentials over a text. If a message claims to come from a service you use, open that service's official app or website yourself rather than following the link in the text.
- Never let another person follow you into a restricted area.
Tailgating occurs when one person follows another into a building or area they would not normally have access to, slipping in after the first person has used their badge or key card. It happens most often when many people are entering at the same time. Never let another person follow you into a restricted area, even if you have seen them use their badge or key card before; their credentials may have been revoked since, and you have no way of knowing. Ask them to badge in themselves.
- Always keep antivirus software, browser plugins, operating systems, and all software up to date with the latest security patches.
Much of the malware delivered through social engineering relies on unpatched software to run or to escalate privileges, so apply security updates promptly. Attackers also routinely create new malware, so keep your antivirus signature files updated and make sure the product also uses heuristic and behavior-based detection, which can catch malware by what it does rather than only by matching a known signature.
- Social engineers prey on the good-mannered. Don’t be afraid to say “no.”
If someone asks you for personal information or for access to confidential information, don't be afraid to be direct and say no. Anyone suspicious should be denied access until you can verify their identity.
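The phishing and SMiShing tips above come down to checking who a message really came from and where its links really go. The following Python script is an added example (not from the original article) that automates those checks on a raw email: it compares the Reply-To domain with the From domain, reads the SPF/DKIM/DMARC verdicts your own mail gateway records in the Authentication-Results header, and flags links whose visible text names a different site than the href target or that use plain HTTP. The two sample messages, all domains (examplebank.test and the like) and the header values are constructed for illustration.

```python
"""Flag common phishing indicators in a raw email message.

Added example, not from the original article. The sample messages, domains and
Authentication-Results values below are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: display name claims to be the bank, but the
# address, Reply-To, SPF/DMARC results and link target all point elsewhere.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.test>
Reply-To: support@mailbox-relay.test
To: employee@corp.test
Subject: Action required: verify your account
Authentication-Results: mx.corp.test; spf=fail smtp.mailfrom=examp1e-bank-verify.test; dkim=none; dmarc=fail header.from=examp1e-bank-verify.test
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer, please
<a href="http://login.examp1e-bank-verify.test/confirm">verify your account at https://www.examplebank.test</a>
within 24 hours.</p></body></html>
"""

# Constructed legitimate sample for comparison.
SAMPLE_LEGIT = """\
From: "Example Bank" <notices@examplebank.test>
To: employee@corp.test
Subject: Your monthly statement is ready
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=examplebank.test; dkim=pass header.d=examplebank.test; dmarc=pass header.from=examplebank.test
Content-Type: text/html; charset=utf-8

<html><body><p>Statement ready: <a href="https://www.examplebank.test/statements">www.examplebank.test/statements</a></p></body></html>
"""

AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def base_domain(addr_or_host: str) -> str:
    """Crude registrable domain (last two labels, lower case).
    Production code should use a public-suffix list so co.uk and similar work."""
    host = addr_or_host.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = base_domain(parseaddr(str(msg.get("From", "")))[1])

    # 1. Replies would go to a different domain than the apparent sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and base_domain(reply_to) != from_dom:
        findings.append(("reply-to-mismatch", f"{reply_to} vs From domain {from_dom}"))

    # 2. SPF/DKIM/DMARC verdicts. Only trust the Authentication-Results header
    #    added by your own receiving gateway; a sender can forge one of its own.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result.lower() in AUTH_FAILURES:
            findings.append((f"auth-fail:{mech}", result))

    # 3. Links whose visible text names one site while the href goes to another,
    #    or that use plain HTTP.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = urlparse(href)
            if target.scheme.lower() == "http":
                findings.append(("link-not-https", href))
            for shown in HOST_RE.findall(text):
                if base_domain(shown) != base_domain(target.hostname or ""):
                    findings.append(("link-text-mismatch", f"text says {shown}, href goes to {target.hostname}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

Run directly, the phishing sample produces five indicators and the legitimate one none. A check like this belongs in a mail gateway or a SOC triage script as a first filter; it does not replace confirming the message with the purported sender through a known-good channel, and the Authentication-Results header is only meaningful when your own receiving server wrote it.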
If you think you are the target of a social engineering attempt over the phone, online, or in person, try, if you can, to note the person's name, contact information, and any other details, then report the incident immediately. Remember to verify before you reply, and you will defeat most social engineering attempts.