Executive Summary

Social engineering attacks have grown in abundance as more companies adopt third-party business-critical applications. Verizon reports social engineering is responsible for 93% of successful data breaches, and damages from these attacks can be extremely costly.

By manipulating people into breaking security protocol, bad actors gain access to sensitive information and valuable resources. Leveraging various forms of attack such as spear phishing, business email compromise, and malware delivery allows them to infiltrate and exploit an enterprise’s systems.

There are ways to recognize such attacks. Suspicious attachments, poor grammar and format, and generic signatures and greetings can be indications of ongoing social engineering exploits. It is essential to educate executives and employees on the best practices on social engineering defense.

However, these simpler tactics aren’t enough on their own. Organizations should also deploy robust solutions that provide advanced cybersecurity functions and governance across the entire enterprise’s app instances. Only then can companies fully equip themselves against social engineering in information technology.

Cloud Apps We Protect

zoom logo

Social engineering is an attack vector that “relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices to gain unauthorized access to systems, networks or physical locations or for financial gain.”

In social engineering attacks, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity. 

However, by asking questions, they may be able to piece together enough information to infiltrate an organization's network. If an attacker cannot gather enough information from one source, they may contact another source within the same organization and rely on the information from the first source to add to their credibility.

What are examples of social engineering attacks? Unfortunately, there are many.

  • Baiting

Attacker leaves a malware-infected physical device, such as a USB flash drive, in a place it is sure to be found. The target then picks up the device and inserts it into their computer, unintentionally installing the malware.

  • Phishing

When a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing financial or personal information or clicking on a link that installs malware.

Similar to phishing, but tailored for a specific individual or organization. (Learn more about it here)

  • Whaling

A specific type of spear-phishing attack, targets high-profile employees, such as the chief financial officer or chief executive officer, to trick the targeted employee into disclosing sensitive information.

  • Vishing

Also known as voice phishing, vishing involves the use of social engineering over the phone to gather financial or personal information from the target.

  • Business Email Compromise (BEC) and Business Communication Compromise (BCC)

A spear-phishing attack where a malicious actor impersonates an Executive and attempts, through social engineering tactics, to get the target to send funds, credentials, or sensitive information. The impersonation may occur through a display name change, a typosquated email or username, or through an actual compromise of the executive’s communication channel account.

  • Smishing 

A form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as web pages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number.

  • Pretexting

One party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need financial or personal data to confirm the identity of the recipient.

  • Scareware

This involves tricking the victim into thinking their computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker's malware.

  • Watering hole

The attacker attempts to compromise a specific group of people by infecting websites they are known to visit and trust with the goal of gaining network access.

  • Quid pro quo

This is an attack in which the social engineer pretends to provide something in exchange for the target's information or assistance. For instance, a hacker calls a selection of random numbers within an organization and pretends to be a technical support specialist responding to a ticket. Eventually, the hacker will find someone with a legitimate tech issue whom they will then pretend to help. Through this interaction, the hacker can have the target type in the commands to launch malware or can collect password information.

  • Honey trap

In this attack, the social engineer pretends to be an attractive person to interact with a person online, fake an online relationship and gather sensitive information through that relationship.

  • Rogue security software

This is a type of malware that tricks targets into paying for the fake removal of malware.

  • Pharming

With this type of online fraud, a cybercriminal installs malicious code on a computer or server that automatically directs the user to a fake website, where the user may be tricked into providing personal information.




The first step in most social engineering exploits is for the attacker to perform research and reconnaissance on the target. If the target is an enterprise, for instance, the hacker may gather intelligence on the organizational structure, internal operations, common lingo used within the industry and possible business partners, among other information.

One common tactic of social engineers is to focus on the behaviors and patterns of employees who have low-level but initial access, such as a security guard or receptionist; attackers can scan social media profiles for personal information and study their behavior online and in person.

In the case of social media phishing, the attacker can often perform their target recon on the channel itself. Most often, for businesses and organizations, it’s LinkedIn. Then, they make a simple connection request to the target to begin establishing the trusted relationship. The more connections the attacker makes within the organization, the greater the found sense of trust.

At this point, the attacker is in an excellent position to launch the attack by doing either one or both of two things:

  1. Send a malware-laced attachment to the targeted victim, under the pretext of a legitimate purpose, to compromise their host device; or,
  2. Send a link that redirects victims to a bogus website or page that either skims their login credentials, or tricks them into wiring money and currencies to an account that the attackers control.

Both instances not only wreak havoc on the financials and the equipment of the company, but also causes brand and reputation damage, as well. 

Moreover, social engineering attacks give birth to more attacks, as access to credentials of one employee can lead to stolen credentials from other coworkers, outside contractors, or business partners and clients.

Pillar Page Graphic Social Engineering


According to the Cybersecurity and Infrastructure Security Agency (CISA), here are some of the common indicators of social engineering exploits. Familiarizing oneself with these will help in identifying them: 

  • Suspicious sender’s address

Cybercriminals will often imitate the address of a legitimate business when sending you an email or a message. The sender's address may closely resemble one from a reputable company, but with some characters altered or omitted. 

  • Generic greetings and signature

Usually, a generic greeting like “Dear Valued Customer” or “Sir/Ma’am”, combined with a lack of contact information in the signature block, strongly  indicate phishing. That’s because a legitimate email from a trusted organization will normally provide their contact information and address you by name and/or honorific.

  • Spoofed hyperlinks and websites

Spoofed links can be easily identified if you hover your cursor over any of the links in the body of the email. If the links do not match the text that appears when you hover over them, that’s an indication that the link may be spoofed. Malicious websites can also look identical to a legitimate site, but when you check the URL, it uses a variation in site’s spelling or a different domain (i.e., a government site with a .net domain instead of .gov). Moreover, cybercriminals may shorten their URLs to hide the true destination of the link.

  • Secondary Destinations

Some phishing attacks involve directing the victim to a legitimate document hosting site, or attacking a non-malicious document to the message. In other words, bad actors can insert a message with a link within the harmless document. This will direct the victims into the malicious site, where the actor hosts infected files or a credential skimming scam.

  • Spelling and layout

This is one of the most obvious indicators of a possible phishing attack—a message with poor grammar and sentence structure, misspellings, and inconsistent formatting. That’s because reputable institutions almost always have personnel  dedicated to producing, verifying, and proofreading their customer correspondence.

  • Suspicious attachments

Unsolicited emails requesting the user to download and/or open an attachment commonly indicate a malware attack. Too often, a cybercriminal uses a false sense of urgency or importance to persuade the user to download/open the attachment without examining and confirming first. E.g., a bad actor may pretend to be an executive and say “I need this document printed and on my desk in 10 minutes,” or something to that effect.

Protecting the organization means establishing the best security practices against social engineering attacks.

One key approach is to educate staff and executives on social engineering detection and security. If possible, they should be trained on how to recognize these attacks and how to respond to them. If the company doesn't offer it, several free courses are available  online. Even articles about social engineering, like this one, is a great first step already.

Next is enabling smarter password protection. Microsoft reveals that activating two-factor authentication (2FA) successfully blocks 99.9% of automated attacks. This means that the more the employees exercise using 2FA on their business tools, the safer they will be.

Organizations should also monitor network inbound and outbound traffic for suspicious domains, suspicious user activity, and massive movements of sensitive data, be the result of an employee clicking on a phishing link.

Finally, constant updating of security softwares is also important in social engineering defense. Missing patches and late updates on security software (e.g. firewalls) can lead to vulnerabilities in the system which hackers can explore. Constant updates and patches improve security and prevent at least simple social engineering exploits.

However, beyond these simple steps, a cloud-based security solution is still needed, as most social engineering attacks are perpetrated through cloud-based apps. The best thing to do in terms of social engineering prevention is to deploy a cybersecurity solution capable of the following:


Visibility_DarkEnhanced Visibility


Security teams need to be able to discover and onboard all authorized accounts for protection, inspect messaging for malicious content, track new connection requests, and archive all account activity.


Problem_DarkThreat Detection


All cloud-based communication applications need to be monitored 24/7 for suspicious activity and messaging. All fields, attachments, and links should be automatically scanned for malware, such as ransomware, and connections should be evaluated for known or suspicious bad actors. An automated cybersecurity solution that can establish and consolidate visibility into enterprise and employee social media communications and apply consistent analysis to detect risks, including a natural language processing (NLP) solution to detect social engineering language in messages, is a must.


Incident_DarkIncident Response


An automated solution for detecting and blocking malicious messages should include rapid detection and response capabilities for all social media threats, and a framework for security teams to respond to events that get past the automated defenses. Malware must be quarantined in real time at the app level, and IOC notification details sent to SOC/SIEM for evaluation. Social engineering attacks need to be correlated with EDR.

According to Verizon’s 2021 Data Breach Investigations Report (DBIR), 93% of successful data breaches are due to social engineering.

Furthermore, the FBI also reports that social engineering attacks cost companies an average of $130,000 with damages, with BEC being the costliest of all (up to $1.8 billion dollars total across almost 20,000 businesses). 

With these numbers in mind, enterprises should be proactive in protecting themselves from social engineering attacks. Companies should not stop at merely educating their employees on best practices. What they need is a robust cybersecurity solution that is capable of the qualities listed above.



SafeGuard Cyber protects the human connections businesses need to thrive in a digital world. Built on innovative agentless architecture and award-winning AI analytics, the SafeGuard Cyber platform secures business critical communications, detects and stops cyber threats, and ensures compliance in real-time without disruption to natural workflows. We mitigate digital risk so you can focus on driving growth.

With SafeGuard Cyber, customers are protected against social engineering attacks, gaining business agility with better security and time to value. Contact us today to learn more and see our solution in action.

When it comes to ransomware, avoiding becoming a victim is better than cure. Reducing the risk of ransomware incidents should be a priority for many businesses. However, should an organization be unfortunate enough and fall prey to ransomware, the following steps should be followed:

  1. Remove The Device From The Network.
    Ransomware on one device is bad, but ransomware proliferating through a network of devices is catastrophic. Employees should be trained to immediately disconnect their device from the network if they see a ransomware demand displayed on their screen. They should also do the same if they observe anything peculiar, such as an inability to access their own files. Employees must not attempt to restart the device; it should be sent immediately to the IT department.

  2. Notify Law Enforcement.
    Ransomware is a crime. Theft and extortion rolled into one make it a law enforcement concern. Organizations should all default to immediately contacting the police cybercrime department, should they fall victim to a ransomware attack.

  3. Use Digital Risk Protection to Establish The Scope of Attack.
    In the wake of a ransomware attack, security teams need to gather as much intelligence as they can, as fast as they can. This will help both internal IT teams and law enforcement agencies formulate a response. Enterprises should strive to figure out the nature of the attack: who is behind it, what tools they used, who they targeted and why. Answering such questions can help your IT managers and network administrators figure out the extent of the attack and protect networks from future attacks.

  4. Consult with Stakeholders to Develop the Proper Response.
    Enterprises suffering a bad ransomware attack need to answer a host of questions: Can they afford to lose access to the targeted files, either because they have been backed up, or because they are not of the highest priority? Can the organization afford the ransom? Is there any room for negotiation? All stakeholders, from shareholders to legal counsel, should be consulted.

  5. Get the Post-Mortem Right.
    The best way to resist a ransomware threat is to have learnt from the last one. After an attack, enterprises should task their IT technicians, network administrators, and cybersecurity teams with a thorough review of the breach. A meticulous assessment of an organization's infrastructure, practices, and processes is required to discover flaws in security, and reinforce an enterprise against existing and future threats.

Fortunately, more companies are becoming smart enough to not give in to the threat of ransomware. As of Q4 of 2020, the average ransom payment is down by 34% ($154,108) from $233,817 in 2020’s Q3.

The dramatic decline can be attributed to the recent instances of malware attacks where, instead of being deleted, the stolen data is released publicly, even when the affected organization or individual pays. Now, more victims of cyber extortion are saying “no” to ransom payments, and are becoming smarter in their cybersecurity efforts by creating backups of their data and following best practices.

Hopefully, moving forward, more companies will proactively secure their data by following the best practices stated above and continue to resist being strong-armed by ransomware attackers. When cyber extortion loses its profitability, organizations win.



With proper communication risk protection, organizations can detect and nullify ransomware threats before they become an issue. The SafeGuard Cyber platform can keep pace with the scale and velocity of modern digital communications, and detect phishing links and other indicators of ransomware attacks across the full suite of cloud applications. Threats are instantly flagged and quarantined before an unsuspecting human target clicks on anything dangerous.

Secure Human Connections

Ready to see how SafeGuard Cyber secures modern communication apps wherever they exist?