Learn How to Stop Social Engineering Attacks with Natural Language Understanding

Executive Summary

Social engineering attacks have grown in abundance as more companies adopt third-party business-critical applications. Verizon’s annual report reveals that the human element continues to be responsible for 82% of successful data breaches. Threat actors and social engineers continue to exploit this vulnerability, and damages from these attacks remain extremely costly.

By manipulating people into breaking security protocols, bad actors gain access to sensitive information and valuable resources. Leveraging various forms of attack such as spear phishing, business email compromise, and malware delivery allows them to infiltrate and exploit an enterprise’s systems.

There are ways to recognize such attacks. Suspicious attachments, poor grammar and format, and generic signatures and greetings can be indications of ongoing social engineering exploits. It is essential to educate executives and employees on how to prevent social engineering attacks, as well as the best practices for social engineering defense.

However, these simpler tactics on how to stop social engineering aren’t enough on their own. Organizations should also deploy robust software to prevent social engineering attacks — solutions that provide advanced cybersecurity functions and governance across the entire enterprise’s app instances. Only then can companies fully equip themselves against social engineering in information technology.

Social engineering is an attack vector that “relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices to gain unauthorized access to systems, networks or physical locations or for financial gain.”

In social engineering attacks, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity. 

However, by asking questions, they may be able to piece together enough information to infiltrate an organization's network. If an attacker cannot gather enough information from one source, they may contact another source within the same organization and rely on the information from the first source to add to their credibility.

What are examples of social engineering attacks? Unfortunately, there are many. Here are several social engineering cyber threats that companies face every day:

  • Baiting

Attacker leaves a malware-infected physical device, such as a USB flash drive, in a place it is sure to be found. The target then picks up the device and inserts it into their computer, unintentionally installing the malware.

  • Phishing

When a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing financial or personal information or clicking on a link that installs malware.

One of the more targeted types of social engineering threats. Similar to phishing, but tailored for a specific individual or organization. (Learn more about it here.)

  • Whaling

A specific type of spear-phishing attack, targets high-profile employees, such as the chief financial officer or chief executive officer, to trick the targeted employee into disclosing sensitive information.

  • Vishing

This is one of the types of social engineering threats that evolved from regular phishing. Also known as voice phishing, vishing involves the use of social engineering over the phone to gather financial or personal information from the target.

  • Business Email Compromise (BEC) and Business Communication Compromise (BCC)

A spear-phishing attack where a malicious actor impersonates an Executive and attempts, through social engineering tactics, to get the target to send funds, credentials, or sensitive information. The impersonation may occur through a display name change, a typosquatted email or username, or through an actual compromise of the executive’s communication channel account.

  • Smishing

A form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as web pages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number.

  • Pretexting

One party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need financial or personal data to confirm the identity of the recipient.

  • Scareware

This involves tricking the victim into thinking their computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker's malware.

  • Watering hole

The attacker attempts to compromise a specific group of people by infecting websites they are known to visit and trust with the goal of gaining network access.

  • Quid pro quo

This is an attack in which the social engineer pretends to provide something in exchange for the target's information or assistance. For instance, a hacker calls a selection of random numbers within an organization and pretends to be a technical support specialist responding to a ticket. Eventually, the hacker will find someone with a legitimate tech issue whom they will then pretend to help. Through this interaction, the hacker can have the target type in the commands to launch malware or can collect password information.

  • Honey trap

In this attack, the social engineer pretends to be an attractive person to interact with a person online, fake an online relationship and gather sensitive information through that relationship.

  • Rogue security software

This is a type of socially engineered malware that tricks targets into paying for the fake removal of malware.

  • Pharming

With this type of online fraud, a cybercriminal installs malicious code on a computer or server that automatically directs the user to a fake website, where the user may be tricked into providing personal information.


Talk to an Expert




The first step in most social engineering exploits is for the attacker to perform research and reconnaissance on the target. If the target is an enterprise, for instance, the hacker may gather intelligence on the organizational structure, internal operations, common lingo used within the industry and possible business partners, among other information.

One common tactic of social engineers is to focus on the behaviors and patterns of employees who have low-level but initial access, such as a security guard or receptionist; attackers can scan social media profiles for personal information and study their behavior online and in person.

In the case of social media phishing, the attacker can often perform their target recon on the channel itself. Most often, for businesses and organizations, it’s LinkedIn. Then, they make a simple connection request to the target to begin establishing the trusted relationship. The more connections the attacker makes within the organization, the greater the found sense of trust.

At this point, the attacker is in an excellent position to launch the attack by doing either one or both of two things:

  1. Send a malware-laced attachment to the targeted victim, under the pretext of a legitimate purpose, to compromise their host device; or,

  2. Send a link that redirects victims to a bogus website or page that either skims their login credentials, or tricks them into wiring money and currencies to an account that the attackers control.

Both instances of social engineering cyber threats not only wreak havoc on the financials and the equipment of the company, but also causes brand and reputation damage, as well.

Moreover, social engineering attacks give birth to more attacks, as access to credentials of one employee can lead to stolen credentials from other coworkers, outside contractors, or business partners and clients. All of these highlight the significance of learning how to stop social engineering attacks before they even start.


Pillar Page Graphic Social Engineering


Threat actors continue to find new ways to perform social engineering and phishing. One of these social engineering methods is the multi-channel communication attack.

As the name suggests, multi-channel attacks involve more than one instance of communication applications. It is common in romance scams (often on Facebook) or fake job offers (usually seen on LinkedIn).

First, the threat actor establishes communication and builds trust with the victim. Either they pretend to be a pretty lady looking for a relationship (like the Bearded Barbie scam) or a recruiter looking for a ‘qualified’ individual (like the job scams perpetrated by the Lazarus group).

Then, the scammer follows up with a request to move the conversation to a different communication channel. They usually do this under the pretext of ‘privacy’ or ‘security’. In some instances, the second, “more secure” channel is a malware delivery app or tool that infects your device with malware/ransomware once downloaded or installed.

This tactic is highly effective for threat actors for two reasons:

  1. It generates commitment to continue the conversation. The victim’s willingness to move into a different channel ‘seals the deal’, indicating high interest in hearing the scammer’s message and a greater chance of them falling victim to the scam. It also helps scammers find the people they want to focus on with less effort.

  2. It helps the threat actor bypass most native security protocols. As stated above, the threat actor could request the victim download an app that’s actually a malware delivery tool. Usually, though, scammers leverage existing applications like Slack, Telegram, or WhatsApp and take advantage of the lack of centralized security protocols that govern these platforms.

While email environments have an abundance of attack detection solutions, communication and collaboration solutions do not have that luxury yet. At least, there are only a few solutions in the market that can automate attack detection and response while handling the volume and velocity of data across these channels. It makes multi-channel attacks a nightmare for security teams.

According to the Cybersecurity and Infrastructure Security Agency (CISA), here are 6 common indicators of social engineering attacks and ways to recognize them:

  1. Suspicious sender’s address

    Cybercriminals will often imitate the address of a legitimate business when sending you an email or a message. The sender's address may closely resemble one from a reputable company, but with some characters altered or omitted.

  2. Generic greetings and signature

    Usually, a generic greeting like “Dear Valued Customer” or “Sir/Ma’am”, combined with a lack of contact information in the signature block, strongly  indicate phishing. That’s because a legitimate email from a trusted organization will normally provide their contact information and address you by name and/or honorific.

  3. Spoofed hyperlinks and websites

    Spoofed links can be easily identified if you hover your cursor over any of the links in the body of the email. If the links do not match the text that appears when you hover over them, that’s an indication that the link may be spoofed. Malicious websites can also look identical to a legitimate site, but when you check the URL, it uses a variation in site’s spelling or a different domain (i.e., a government site with a .net domain instead of .gov). Moreover, cybercriminals may shorten their URLs to hide the true destination of the link.

  4. Secondary Destinations

    Some phishing attacks involve directing the victim to a legitimate document hosting site, or attacking a non-malicious document to the message. In other words, bad actors can insert a message with a link within the harmless document. This will direct the victims into the malicious site, where the actor hosts infected files or a credential skimming scam.

  5. Spelling and layout

    This is one of the most obvious indicators of a possible phishing attack — a message with poor grammar and sentence structure, misspellings, and inconsistent formatting. That’s because reputable institutions almost always have personnel  dedicated to producing, verifying, and proofreading their customer correspondence.

  6. Suspicious attachments

    Unsolicited emails requesting the user to download and/or open an attachment commonly indicate a malware attack. Too often, a cybercriminal uses a false sense of urgency or importance to persuade the user to download/open the attachment without examining and confirming first. E.g., a bad actor may pretend to be an executive and say “I need this document printed and on my desk in 10 minutes,” or something to that effect.


Talk to an Expert

Protecting the organization means establishing the best security practices on how to prevent social engineering attacks.

One key approach is to educate staff and executives on social engineering detection and security. If possible, they should be trained on how to recognize these attacks and how to respond to them. If the company doesn't offer it, several free courses are available  online. Even articles about social engineering, like this one, is a great first step already.

Next is enabling smarter password protection. Microsoft reveals that activating multi factor authentication (MFA) successfully blocks 99.9% of automated attacks and is capable of thwarting second-stage phishing attacks. This means that the more the employees exercise using MFA on their business tools, the safer they will be.

Organizations should also monitor network inbound and outbound traffic for suspicious domains, suspicious user activity, and massive movements of sensitive data, be the result of an employee clicking on a phishing link.

Finally, constant updating of security software is also important in social engineering defense. Missing patches and late updates on security software (e.g. firewalls) can lead to vulnerabilities in the system which hackers can explore. Constant updates and patches improve security and prevent at least simple social engineering exploits.

New call-to-action

Beyond Training: Technical Controls
to Stop Social Engineering

However, beyond these simple steps, adopting software to prevent social engineering attacks is still necessary. Specifically, a cloud-based security solution works best, as most social engineering attacks are perpetrated through cloud-based apps. The best thing to do in terms of social engineering prevention is to deploy a cybersecurity solution capable of the following:

Visibility_DarkEnhanced Visibility

Security teams need to be able to discover and onboard all authorized accounts for protection, inspect messaging for malicious content, track new connection requests, and archive all account activity.

Problem_DarkThreat Detection

All cloud-based communication applications need to be monitored 24/7 for suspicious activity and messaging. All fields, attachments, and links should be automatically scanned for malware, such as ransomware, and connections should be evaluated for known or suspicious bad actors. An automated social engineering cyber security solution that can establish and consolidate visibility into enterprise and employee social media communications and apply consistent analysis to detect third-party risks, including a natural language processing (NLP) solution to detect social engineering language in messages, is a must.

Incident_DarkIncident Response

Automated software to prevent social engineering attacks should include rapid detection and response capabilities for all social media threats, and a framework for security teams to respond to events that get past the automated defenses. Socially engineered malware must be quarantined in real-time at the app level, and IOC notification details sent to SOC/SIEM for evaluation. Social engineering attacks need to be correlated with EDR.



In 2020 alone, the FBI reported that social engineering attacks cost companies an average of $130,000 of damages. In 2021, it was revealed that almost 20,000 businesses lost a total of nearly $2.4 billion dollars because of BECs, which makes it one of the costliest forms of social engineering.

Now, according to Verizon’s 2022 Data Breach Investigations Report (DBIR), 82% of successful data breaches are due to social engineering. About 70% of these attacks can be attributed to phishing, while 27% involve pretexting. Both methods are commonly associated with BECs.

Furthermore, the latest social engineering stats report that about $17,700 is stolen every minute due to phishing – equal to a loss of more than $25M per day. 

The astronomical financial and repetitional cost of social engineering attacks should be at the forefront of every organizational strategy. Enterprises should be proactive in protecting themselves from social engineering attacks. Companies should not stop at merely educating their employees on best practices, though. Implementing a robust social engineering cyber security solution that is capable of the qualities listed above is the only solution to truly protecting themselves from this threat.

When it comes to ransomware, avoiding becoming a victim is better than cure. Reducing the risk of ransomware incidents should be a priority for many businesses. However, should an organization be unfortunate enough and fall prey to ransomware, the following steps should be followed:

  1. Remove The Device From The Network.
    Ransomware on one device is bad, but ransomware proliferating through a network of devices is catastrophic. Employees should be trained to immediately disconnect their device from the network if they see a ransomware demand displayed on their screen. They should also do the same if they observe anything peculiar, such as an inability to access their own files. Employees must not attempt to restart the device; it should be sent immediately to the IT department.

  2. Notify Law Enforcement.
    Ransomware is a crime. Theft and extortion rolled into one make it a law enforcement concern. Organizations should all default to immediately contacting the police cybercrime department, should they fall victim to a ransomware attack.

  3. Use Digital Risk Protection to Establish The Scope of Attack.
    In the wake of a ransomware attack, security teams need to gather as much intelligence as they can, as fast as they can. This will help both internal IT teams and law enforcement agencies formulate a response. Enterprises should strive to figure out the nature of the attack: who is behind it, what tools they used, who they targeted and why. Answering such questions can help your IT managers and network administrators figure out the extent of the attack and protect networks from future attacks.

  4. Consult with Stakeholders to Develop the Proper Response.
    Enterprises suffering a bad ransomware attack need to answer a host of questions: Can they afford to lose access to the targeted files, either because they have been backed up, or because they are not of the highest priority? Can the organization afford the ransom? Is there any room for negotiation? All stakeholders, from shareholders to legal counsel, should be consulted.

  5. Get the Post-Mortem Right.
    The best way to resist a ransomware threat is to have learnt from the last one. After an attack, enterprises should task their IT technicians, network administrators, and cybersecurity teams with a thorough review of the breach. A meticulous assessment of an organization's infrastructure, practices, and processes is required to discover flaws in security, and reinforce an enterprise against existing and future threats.

Fortunately, more companies are becoming smart enough to not give in to the threat of ransomware. As of Q4 of 2020, the average ransom payment is down by 34% ($154,108) from $233,817 in 2020’s Q3.

The dramatic decline can be attributed to the recent instances of malware attacks where, instead of being deleted, the stolen data is released publicly, even when the affected organization or individual pays. Now, more victims of cyber extortion are saying “no” to ransom payments, and are becoming smarter in their cybersecurity efforts by creating backups of their data and following best practices.

Hopefully, moving forward, more companies will proactively secure their data by following the best practices stated above and continue to resist being strong-armed by ransomware attackers. When cyber extortion loses its profitability, organizations win.



With proper communication risk protection, organizations can detect and nullify ransomware threats before they become an issue. The SafeGuard Cyber platform can keep pace with the scale and velocity of modern digital communications, and detect phishing links and other indicators of ransomware attacks across the full suite of cloud applications. Threats are instantly flagged and quarantined before an unsuspecting human target clicks on anything dangerous.

Secure Human Connections

Ready to see how SafeGuard Cyber secures modern communication apps wherever they exist?