How to protect your business from social engineering attacks

According to VentureBeat, roughly 84% of Americans have experienced social engineering attacks, but social engineering scams aren't isolated to the United States—malicious emails, links, and websites find their victims worldwide.

In other words, there's a good chance that employees at your company have been the target of several emails, SMS texts, and phone calls designed to steal the passwords to your network and accounts.

Now, you might think that most hackers target huge networks—cloud services, power companies, and so on. But those are just the attacks that make the news.

Social engineering attacks target anyone and everyone, and the methods they follow are a lot less sophisticated (and a lot easier to pull off) than you might think.

What is social engineering?

Social engineering is the art of using people's social expectations against them for malicious purposes—tricking them into sending money, for example. Or into giving hackers access to your corporate network or an online account.

The movies often make hackers look like supervillains, working feverishly to override digital security systems and disable alarms.

In reality, most social engineering attacks look more like poorly crafted emails sent to thousands of people in the hope that a few hundred will fall victim to them.

Funds transfer fraud vs social engineering—what's the difference?

Funds transfer fraud is the crime of fraudulently directing an electronic money transfer to someone else. You thought you were paying your attorney, for example, when in fact you were paying a criminal.

This kind of fraud is often orchestrated through social engineering attacks.

An employee might get an email that looks like it's from your corporate attorney, urging them to make a certain payment quickly. Or they might get an email that looks like it's from your CEO, asking them to send a payment to a known vendor at a different account number due to unusual circumstances.

Because they trust the person who they think is the source of the email, and because of the sense of urgency included, they could easily fall victim to funds transfer fraud.

Types of social engineering attack techniques

Not all social engineering attacks ask people to wire money. Most are much more subtle. In fact, a victim of social engineering often won't realize what happened until it's too late.

A malicious link in an email, for example, can lead to a lookalike login or checkout page that harvests confidential information such as passwords or credit card details, which the cybercriminal then uses later.

Listed below are 13 examples of social engineering attacks that prey on simple human error. The first 5 are attacks we've seen more frequently in recent months, in which bad actors impersonate trusted companies to try to obtain personal information from you.

Phishing
Phishing is a common type of attack in which a malicious party pretends to be a trustworthy entity—whether a person (like your boss) or a company (like your bank)—to trick you into sharing confidential information.

Phishing emails appear to come from a trusted colleague or brand, such as BILL or an employee of BILL. They may ask you to verify your personal information or password, or they may ask you to click on a link that leads to a malicious website. It looks like BILL, but it isn't.

A phishing attack often includes a sense of urgency, designed to override your usual sense of caution. And it often spoofs the sender address, or uses a lookalike domain, so the message appears to come from someone you know or a company you often work with. Checking where a reply would actually go, and whether your mail system marked the message as failing sender authentication, catches many of these. Remember that BILL will never reach out to you to verify your personal information, and neither will most financial institutions.
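The header checks described above can be automated. The following is an added example, not code from the original article or from BILL; the trusted-brand mapping, the urgency word list and the three sample messages are constructed for illustration (attacker domains use the reserved .example TLD). It shows the two patterns a practitioner meets most: an exact-domain spoof, which the receiving server's SPF/DKIM/DMARC verdicts expose, and a lookalike domain that passes authentication and is caught only by comparing the display name to the address.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption for this example: the brands this mailbox trusts, mapped to the
# domains they really send from. In practice this is a curated allow-list.
BRAND_DOMAINS = {"bill": {"bill.com"}}

# Pressure language that phishing subjects lean on to short-circuit caution.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|action required)\b", re.I)

# Constructed sample 1: exact-domain spoof. The From address is the real brand
# domain, so the receiving mail server's authentication checks fail.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-deliveries.example>
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mail-deliveries.example; dkim=none; dmarc=fail header.from=bill.com
From: "BILL Support" <support@bill.com>
Reply-To: billing-verify@secure-login.example
To: ap@victim.example
Subject: URGENT: verify your account within 24 hours

Your account has been suspended. Click the link to verify your password now.
"""

# Constructed sample 2: lookalike domain. The attacker owns the domain, so SPF,
# DKIM and DMARC all pass; only the display name pretends to be the brand.
SAMPLE_LOOKALIKE = """\
Return-Path: <support@bill-secure-login.example>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=bill-secure-login.example; dkim=pass header.d=bill-secure-login.example; dmarc=pass header.from=bill-secure-login.example
From: "BILL Support" <support@bill-secure-login.example>
To: ap@victim.example
Subject: Action required: confirm your payment details

Please confirm your bank details using the link below.
"""

# Constructed sample 3: a genuine notification for comparison.
SAMPLE_LEGIT = """\
Return-Path: <no-reply@bill.com>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=bill.com; dkim=pass header.d=bill.com; dmarc=pass header.from=bill.com
From: "BILL" <no-reply@bill.com>
To: ap@victim.example
Subject: Your monthly statement is ready

Log in to your account to view this month's statement.
"""


def _domain(header_value):
    """Lower-case domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message):
    """Return human-readable reasons the message looks spoofed (empty list = clean)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, _ = parseaddr(str(msg["From"] or ""))
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    return_dom = _domain(msg["Return-Path"])

    # Replies or bounces routed to a domain other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")

    # Display name claims a trusted brand but the address is not that brand's domain.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", display_name, re.I) and from_dom not in domains:
            findings.append(f"display name claims {brand!r} but address domain is {from_dom}")

    # Authentication verdicts recorded by the receiving server (RFC 8601 header).
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is {m.group(1)}")

    if URGENCY.search(str(msg["Subject"] or "")):
        findings.append("subject uses pressure language")

    return findings


if __name__ == "__main__":
    for label, sample in [("spoofed", SAMPLE_SPOOFED), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)]:
        print(label, spoof_indicators(sample) or ["no indicators"])
```

Note that the Authentication-Results header is only trustworthy when it was written by your own receiving server; a sender can add a forged one, so production filters strip any copy that arrives from outside before evaluating it.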

Spear phishing

A spear-phishing attack is a more targeted type of phishing attack in which threat actors research specific individuals or organizations. It's called spear phishing because it's more like fishing with a spear than a net—the attacker knows exactly what they're trying to hit.

These social engineering attacks often customize their communications with personal details to make the attacks more convincing.

For instance, if your boss is on vacation in Italy—which they posted on their personal social media sites—a spear phishing email message might include a specific note about the trip. These kinds of details add a human element that can lure people into a false sense of security.

Whaling
Whaling is spear phishing aimed at high-profile individuals, such as CEOs, CFOs, and others with authority over money or sensitive data. Like other phishing attacks, whaling messages appear to come from a trusted source, such as a financial institution or government agency.

Vishing
Vishing, or voice phishing, involves phone calls or voice messages to trick victims into sharing sensitive information. A phone scam attacker might pretend to be a representative from a victim's bank, for example, claiming there's been suspicious activity and asking for financial information, passwords, or answers to security questions over the phone to "verify" their identity.

Smishing
Smishing, or SMS phishing, is a phishing attack that uses text messages to reach potential victims. The attacker sends a message urging the recipient to click on a link or call a number, such as a text message claiming your account has been suspended and you need to click a link to reactivate it.

Less common social engineering attacks

Pretexting
Pretexting involves creating a fake scenario (or pretext) to persuade the victim to give out information. For example, an attacker might pretend to need certain bits of personal data to confirm the victim's identity, such as a date of birth or Social Security number.

Like phishing, these types of attacks tend to be more successful when the threat actor has done their homework. If your company is installing a new way of accessing your online accounts, and someone calls you that same day asking to help them verify that the new system is working correctly, you're much more likely to "help" without thinking much of it.

Baiting
Baiting involves offering something enticing to the victim, such as free software, to trick them into providing sensitive data. The bait often carries malicious software that can record keystrokes (to capture your passwords as you type them) or access system files. A classic example is a USB drive left in a public place, labeled with a tempting file name.

Baiting can be combined with any of the social engineering attacks listed above. For example, you could get a text message saying that "your delivery" or "your payment" has been delayed and asking you to click a link to reschedule.

Tailgating
Social engineering isn't always digital. In tailgating (also called piggybacking), an unauthorized person bypasses your company's physical security by falling in with a group of authorized people entering a secure area.

For instance, someone might tailgate a group of employees into an office building, pretending that they misplaced their key card. This type of attack often preys on the herd mentality, such as falling in with a large group of people all coming back from lunch.

Quid pro quo

In quid pro quo attacks, the attacker leverages human psychology by first offering a service or benefit before asking for information or access. This can be as simple as offering a smoker a light on the rear loading dock of a warehouse and then falling in behind them on the way back inside. A common remote variant is a caller posing as IT support who offers to fix a problem the victim didn't know they had, in exchange for their login details.

The quid pro quo attack isn't about trying to lure good people into becoming malicious actors. It simply takes advantage of the ways in which people build social networks and friendships to trick unsuspecting victims into returning a small kindness.

Watering hole attack

In a watering hole attack, the attacker figures out where a target group gathers, online or in real life, and attacks them there, where they are less likely to suspect it. Online, that means compromising a website the group is known to visit so that it serves malware to them. Offline, if the target group is a specific company, an attacker might leave a USB drive with the company logo on a table where the group often meets for lunch.

Diversion theft

In diversion theft, the attacker manipulates the victim into diverting information or valuables to a different location. This can be done by impersonating a delivery person and saying the delivery route has changed, or by electronic means, through phishing. Funds transfer fraud, covered above, is one type of diversion theft.

Honey trap

A honey trap involves an attacker pretending to be romantically interested in the victim. This is probably more common in the movies than it is in real life, but it does happen. Don't think trench coats and espionage—think more like Catfish, but with malicious intent, in which a bad actor preys on loneliness to get anything from gift cards to financial accounts.

Dumpster diving

Dumpster diving may be the least sophisticated attack of them all, but it's a form of social engineering nonetheless. It involves going through a target company's garbage to find discarded information, like bank account statements or old hardware, that can be used to gain unauthorized access or information.

How do social engineering scams work?

As you've probably figured out, social engineering attacks are well-named—they're socially engineered. What all social engineering methods have in common is that they prey on a wide range of cognitive biases—meaning natural habits and attitudes in how people think.

They don't use sophisticated cryptanalysis to crack strong passwords; they use everyday channels of communication to ask for them.

Why is social engineering effective?

Social engineering is effective for several reasons.

First, it attempts to use our social instincts against us, building a quick sense of trust by impersonating a brand or simply offering to open a door.

Second, no one is at their best every minute of every day. It only takes one unfortunate moment of inattention to click on a fraudulent email or let a major security threat walk in the door behind you.

Third, it preys on the weakest link. Social engineering attacks might send a dozen unsolicited emails across a company. It only takes one person making one mistake for those efforts to pay off.

How to prevent social engineering fraud

The best way to prevent social engineering fraud is to provide security awareness training for your employees—specifically, social engineering awareness training—not just once but repeatedly, at regular intervals.

The more your employees are aware of security issues and the telltale signs of fraud, the more likely they are to stop attacks by reporting them instead of falling for them.

What is the primary countermeasure to social engineering?

The main counter to social engineering is vigilance—by everyone on your team. Regular security training helps build a positive security culture of awareness and active defense that's a lot tougher for criminals to overcome.

Reducing the risk of a social engineering fraud loss

In addition to security training, adding an extra layer of security to your login process, such as an authenticator app or any other form of multi-factor authentication, can also help protect your company against these threats. Note that one-time codes typed into a lookalike page can be relayed by the attacker in real time, so phishing-resistant methods such as FIDO2 security keys give the strongest protection.

Your security team can install antivirus software on company computers and spam filters on company email accounts. You can even purchase social engineering fraud coverage—which tells you how prevalent the problem is becoming.

But at the end of the day, strong internal controls, especially in your financial operations, are one of the best protections against social engineering. Two controls directly counter the scenarios described above: never change a vendor's bank details on the strength of an email alone, but confirm the change by calling a phone number already on file (not one supplied in the message), and require a second approver for payments above a set threshold.
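As an added illustration (not part of the original article and not BILL's product code), here is how those controls can be expressed as a release check in an accounts-payable workflow. The thresholds, field names and vendor records are assumptions constructed for the example; the scenarios replay the CEO-impersonation case described earlier, a routine payment, and a legitimately changed bank account that was confirmed by callback.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumptions for this example: thresholds an accounts-payable team might set.
DUAL_CONTROL_THRESHOLD = 10_000            # payments at or above this need a second approver
CHANGE_COOLING_DAYS = 14                   # a recently changed bank account needs extra scrutiny
OUT_OF_BAND_SOURCES = {"email", "phone"}   # instruction channels an attacker can easily fake
TODAY = date(2024, 3, 8)                   # fixed "current date" so the scenarios are reproducible


@dataclass
class Vendor:
    """Vendor master record, maintained separately from any single payment request."""
    name: str
    bank_account: str                      # account on file
    callback_phone: str                    # recorded at onboarding, never taken from an email
    account_changed_on: Optional[date] = None
    change_verified_by_callback: bool = False


@dataclass
class PaymentRequest:
    vendor: Vendor
    amount: float
    destination_account: str               # account the instruction asks to pay
    instruction_source: str                # "portal", "email", "phone", ...
    requested_by: str
    approved_by: Optional[str] = None
    callback_done: bool = False            # requester phoned the number on file to confirm


def release_blocks(req: PaymentRequest, today: date) -> List[str]:
    """Return the control failures that must be cleared before the payment is released."""
    blocks = []
    v = req.vendor

    # 1. Never pay to an account supplied in the instruction itself; only the
    #    master record counts, and changing it is a separate, verified process.
    if req.destination_account != v.bank_account:
        blocks.append("destination account differs from the vendor master record")

    # 2. A bank-account change inside the cooling window must have been confirmed
    #    by calling the phone number that was on file BEFORE the change.
    if v.account_changed_on is not None:
        recent = today - v.account_changed_on < timedelta(days=CHANGE_COOLING_DAYS)
        if recent and not v.change_verified_by_callback:
            blocks.append("bank account changed recently without callback verification")

    # 3. Large payments need a second, different person to approve them.
    if req.amount >= DUAL_CONTROL_THRESHOLD and req.approved_by in (None, req.requested_by):
        blocks.append("amount requires approval by someone other than the requester")

    # 4. An email or phone instruction is never sufficient on its own, however
    #    senior the apparent sender.
    if req.instruction_source in OUT_OF_BAND_SOURCES and not req.callback_done:
        blocks.append("instruction arrived by an unverified channel; call the vendor's number on file")

    return blocks


# Constructed scenario from the article: "the CEO" emails AP to pay a known
# vendor at a new account number, urgently, with no second approver.
acme = Vendor(name="Acme Supplies", bank_account="111222333", callback_phone="+1-555-0100")
CEO_FRAUD = PaymentRequest(vendor=acme, amount=48_500.00, destination_account="999888777",
                           instruction_source="email", requested_by="ap.clerk")

# Constructed routine payment through the vendor portal to the account on file.
ROUTINE = PaymentRequest(vendor=acme, amount=2_500.00, destination_account="111222333",
                         instruction_source="portal", requested_by="ap.clerk")

# Constructed legitimate change: account updated a week ago, confirmed by callback,
# and the large amount was approved by a second person.
acme_changed = Vendor(name="Acme Supplies", bank_account="444555666", callback_phone="+1-555-0100",
                      account_changed_on=date(2024, 3, 1), change_verified_by_callback=True)
VERIFIED_CHANGE = PaymentRequest(vendor=acme_changed, amount=25_000.00, destination_account="444555666",
                                 instruction_source="portal", requested_by="ap.clerk", approved_by="controller")

if __name__ == "__main__":
    for label, req in [("CEO fraud", CEO_FRAUD), ("routine", ROUTINE), ("verified change", VERIFIED_CHANGE)]:
        print(label, release_blocks(req, TODAY) or ["release"])
```

The point of rule 1 is that the payment instruction and the vendor master record are separate objects with separate change processes; the attacker in the CEO-fraud scenario can forge the former but not the callback that gates the latter.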

What is social engineering fraud insurance (SEF)?

Social engineering fraud insurance helps protect your company against losses due to company-targeted email scams (also known as business email compromise).

However, like most forms of insurance, your policy will require you to have certain security measures in place to minimize your risk of exposure.

When it comes to your financial operations, BILL helps you implement internal controls while streamlining your workflows—with a long list of security measures built in.

To learn more about protecting your company against fraud and social engineering attacks:

The information provided on this page does not, and is not intended to constitute legal or financial advice and is for general informational purposes only. The content is provided "as-is"; no representations are made that the content is error free.