The Human Factor in Cybersecurity: Protecting Against Social Engineering Tactics

Cybersecurity isn’t just about securing systems. It’s also about protecting people from falling victim to social engineering — when a cybercriminal uses deception to manipulate someone into revealing confidential information. Cybercriminals often exploit our human factor, or our tendency to want to be helpful, trusting, and non-confrontational, as well as our tendency to skim through messages and skip over details. One of the best ways to protect your business is to educate your employees about social engineering and how to spot it.

Emphasize the importance of cybersecurity

Some business owners and employees might ask, “Does our business need a cybersecurity plan? We only have eight employees, and our business doesn’t have anything to do with digital technology. We sell vacuum cleaners.”

When it comes to cybersecurity, any business owner and employee can benefit from education and a plan. By training your employees, you can empower them to make better decisions and recognize potential threats. It’s an effective way to provide a sense of security and peace of mind for both you and your business.

The impact of a cyberattack can come in the form of loss of revenue, damaged reputation, and regulatory consequences that could result in losing your business license. No matter the size of your business, it’s important that everyone at every level of your business understands how cyberattacks begin.

Make a plan and start early

Despite employing state-of-the-art technology and teams of dedicated IT professionals, businesses remain vulnerable to cyberattacks. But it’s not because their equipment or technical skills are lacking. At the end of the day, every employee plays a crucial part in safeguarding their organization.

All the cybersecurity technology still can’t stop an employee from giving cybercriminals a safe passage into their internal networks. Employees typically aren't intentionally giving safe passage into the internal networks, but it’s human nature to want to be helpful when receiving a request from someone we believe to be legitimate. So a good first step is to educate your employees the first day they begin work.

Consider discussing the basics at employee orientation, such as how to recognize various social engineering attempts including business email compromise and phishing emails. If you already have an employee onboarding program, consider adding social engineering education to the curriculum.

These are the first of many discussions you may want to have around cybersecurity. Regular meetings, conversations, and reminders about the latest security awareness tips can be helpful.

Learn to recognize social engineering attempts

A social engineering email can look like this:

We’re reaching out to you regarding a suspicious charge that has been placed on your PayPal account. Please click the link below to approve or dispute this charge. Your account has been frozen until you complete this process.

It could also look like an email from your boss:

Hey, Bill, are you in the office today? I need you to make a payment for me. We’re late sending it out, and the client is really upset, so it needs to get processed right away this morning.

But you don’t have a PayPal account. And you just walked past your boss in the hallway. Those are two red flags telling you NOT to click on that link or take the action your “boss” wants you to. These are social engineering attempts — fake communications that look legitimate but ask you to send money or reveal information.

When in doubt, watch for these signs:

  • A false sense of urgency. Language like, “Act now or your account will be suspended immediately,” puts the fear factor front and center and is a red flag that the communication may be a scam.
  • Is money involved? This may seem like an obvious sign, but we sometimes rush past common sense during busy days filled with multitasking. That’s what scammers are counting on.
  • Check for a spoofed email address. For example, let’s say the email comes from an address like “UPS_Account_Service@email.com” or “Invite@whitehouse.gov.com.” You can tell those are spoofed because the part after the @ isn’t the sender’s real domain: the UPS message comes from the generic domain “email.com,” not from UPS, and “whitehouse.gov.com” is a “.com” domain with “whitehouse.gov” tacked on the front, not the government’s own domain.

Know the various types of social engineering

There are several popular social engineering methods:

  • Phishing: A general attempt to get someone to reveal sensitive information or take a fraudulent action.
  • Business email compromise: A cybercriminal takes over or spoofs an email system to send an email message that appears to come from someone you know and trust.
  • Spear phishing: A more targeted phishing attack where the scenario is tailored to the victim to make it appear more legitimate.
  • Smishing: When a cybercriminal uses deceptive text messages as part of a phishing attack.
  • Vishing: When a cybercriminal uses fraudulent phone calls or voice messages as part of a phishing attack.
  • Whaling: A spear phishing attack that targets a very high-profile victim, usually a person in upper management at a company.
  • Tailgating or Piggybacking: When a bad actor physically follows an employee into restricted areas without proper authorization.

Keep in mind that cybercriminals can create incredibly believable emails with help from an artificial intelligence platform and a well-crafted prompt.

Implement ongoing training

We get busy. We’re in a hurry to finish a project. A co-worker diverts our attention with a question. We’re hungry and we want to get to lunch. There are all sorts of circumstances to distract us. And what looks like a valid email at first glance can quickly turn into a major data breach when a preoccupied employee clicks on a link in a social engineering communication.

Education and routine exercises are key. Consider running exercises to test employee preparedness. A common drill involves sending an email that mimics a phishing email. Additionally, keep these tips in mind and pass them along to your employees:

  • Slow down. A brief pause before clicking on a link in an email—an extra five or 10 seconds—could save your company from losing years of private data.
  • Learn more. Understand business email compromise and what it can look like and stay on top of password best practices.
  • Be suspicious, especially if the sender is asking for money or requesting something out of the ordinary, even if the email appears to be sent from a co-worker, manager, friend, family member, etc.
  • Verify the request. Call the person who sent you the email or text to confirm and clarify their request, but don’t use the phone number in the email or text – it’s likely fake, too.
  • Check the email address. The email may have your boss’s name on it, but if you look at the email address, it may not have your company’s domain (the part that comes after the @ symbol) attached to it.
  • Hover over links with your mouse. When the real destination appears, you may see that it isn’t your manager’s email address or your company’s website.
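As an added example (not part of the original article), the Python helper below applies the checks above mechanically: it flags lookalike sender domains such as the “whitehouse.gov.com” pattern, a known brand name on an unrelated domain such as “UPS_Account_Service@email.com,” a boss’s name on a non-company domain, urgency and money wording, and hover-revealed links that point outside trusted domains. The trusted domains, staff directory and sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: domains this business trusts (its own plus
# brands that legitimately email it), staff with their real mail domain, and
# the urgency / money wording the article warns about.
TRUSTED_DOMAINS = ("example-vacuums.com", "paypal.com", "ups.com", "whitehouse.gov")
STAFF = {"dana boss": "example-vacuums.com"}
URGENCY = ("act now", "immediately", "right away", "frozen", "suspended")
MONEY = re.compile(r"\b(payment|wire|invoice|gift card|charge)\b|\$\d")

def is_trusted(host: str) -> bool:
    """True for a trusted domain or a genuine subdomain of one (mail.paypal.com)."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)

def lookalike_of(host: str):
    """Trusted domain that `host` imitates by appending labels, e.g.
    whitehouse.gov.com or paypal.com.example.net; None if not an imitation."""
    if is_trusted(host):
        return None
    return next((t for t in TRUSTED_DOMAINS if "." + t + "." in "." + host + "."), None)

def red_flags(sender: str, body: str, links: list) -> list:
    """List the article's red flags for one message. `sender` is
    'Name <local@host>' or 'local@host'; `links` are (visible text, real href)
    pairs as revealed by hovering over each link."""
    name, _, addr = sender.rpartition("<")
    local, _, host = addr.rstrip("> ").partition("@")
    host, name = host.lower(), name.strip().lower()
    flags = []
    if (t := lookalike_of(host)):
        flags.append(f"sender domain {host} imitates {t}")
    # Brand word (ups, paypal, ...) in the name or local part, but wrong domain.
    words = set(re.split(r"[^a-z0-9]+", name + " " + local.lower()))
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        if brand in words and not (host == t or host.endswith("." + t)):
            flags.append(f"sender claims '{brand}' but domain is {host}")
    if name in STAFF and host != STAFF[name]:
        flags.append(f"{name} normally mails from {STAFF[name]}, not {host}")
    if any(p in body.lower() for p in URGENCY):
        flags.append("false sense of urgency")
    if MONEY.search(body.lower()):
        flags.append("money is involved")
    for text, href in links:
        link_host = (urlparse(href).hostname or "").lower()
        if not is_trusted(link_host):
            flags.append(f"link '{text}' actually points to {link_host}")
    return flags
```

An empty list means none of the article's red flags were found; anything returned is a reason to verify the request out of band before acting.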

Treating emails and requests with caution and knowing what to look for can help reduce your risk of falling victim to social engineering. It’s one of the most effective ways to help keep your business safe.

Posted: 10/01/2024