3 Easy Steps for Foiling Social Engineering Attacks

Not too long ago, one of my fellow penetration testing consultants at Trustwave sent phishing emails to a large number of "targets" - employees who work for an organization that asked us to simulate attacks against its user base to help quantify its insider risk.

After the emails were delivered, the consultant randomly picked targets to call. For this, he spoofed the phone number of the company's IT help desk to add legitimacy to the ruse. Known as a pretext call, the exercise involved the consultant stating: "Hey, we heard people were getting phishing emails and wanted to test if our password policy is in place." The goal of the call was to confuse, rush and pressure the target into doing things they normally wouldn't, namely changing their network password over the phone.

Many did, and few realized they were handing it over to a complete stranger.

As hardware and software security systems have become more effective and agile in responding to intrusion attempts, hackers are increasingly turning toward the human component of the equation, as was perfectly evidenced by a story in the news this week.

I myself have successfully performed penetration-testing engagements against organizations by being nothing more than a smooth talker, or by exploiting a user's everyday activities, such as checking email. Don't stand still; that is to say, don't assume your information security program already covers everything. Last week, a Trustwave Blog post offered nine tips for pumping up your security awareness program. In this post, we are going to drill down specifically into social engineering defenses.

Threat actors are constantly honing their skills against every kind of organization. These skills include how to break down the mental defenses of their targets in order to exploit human nature. Pushing back begins with education.

You should first teach users that they are a prime target because they are far easier to attack than a hardened system. Explain why someone would use social engineering to attack them, and make the message personal.

Next, you must teach them how to identify a social engineering attack. Once the organization has established, and adheres to, strict policies regarding what may be requested or transmitted via email, end users have a baseline against which to recognize suspicious solicitations. Requests for credentials, or to "just confirm" or "test" that something is working, are indicators of someone trying to sound legitimate. Training and simulated attacks come in quite handy here. For example, users should be conditioned to check for oddities in the links they receive.

In the case of emails, simply reporting a suspected phishing message to the IT security group is generally sufficient. Phone calls, on the other hand, present an immediate, high-stress scenario in which the caller is generally trying to put the target on the spot. When an untrained user is under such pressure, they often forget what they learned from that one training module on social engineering that they had to complete once upon a time.

If they feel pressured or nervous, they should fall back on a "last-resort checklist" to verify the individual calling on the phone. The checklist would contain a list of best practices. For example, it may remind employees to ask for a special code of the day to confirm the caller's legitimacy, or, in the example above, to call back the actual help-desk number to verify the caller's identity. Being able to focus on a checklist that carries the authority to overrule anyone on the phone gives a user confidence and forces the attacker to scramble, potentially revealing their true motives.

While this checklist is primarily for the high-pressure phone call situation, it can easily be adapted for use when an individual receives email communication. It would contain basic things already in an infosec awareness program, such as never giving out usernames or passwords, and never opening emails or attachments from sources you do not explicitly know.

Through a combination of education and an understanding of the psychology involved, your users stand a better chance of resisting social engineering attacks in their purest form: an attack on a person's thoughts and emotions.

Ismail Saifudin is a Trustwave security consultant on the SpiderLabs Network Penetration Testing Team.


