Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

3 Easy Steps for Foiling Social Engineering Attacks

Not too long ago, one of my fellow penetration testing consultants at Trustwave sent phishing emails to a large number of "targets" - employees who work for an organization that asked us to simulate attacks against its user base to help quantify its insider risk.

After the emails were delivered, the consultant randomly picked targets to call. For this, he spoofed the phone number of the company's IT help desk to add legitimacy to the ruse. Known as a pretext call, the exercise involved the consultant stating: "Hey, we heard people were getting phishing emails and wanted to test if our password policy is in place." The goal of the call was to confuse, rush and pressure the target into doing things they normally wouldn't, namely changing their network password over the phone.

Many did, and few realized they were handing it over to a complete stranger.

As hardware and software security systems have become more effective and agile in responding to intrusion attempts, hackers are increasingly turning toward the human component of the equation, as was perfectly evidenced by a story in the news this week.

I myself have successfully performed penetration-testing engagements against organizations by being nothing more than a smooth talker or by exploiting a user's everyday activities, such as checking email. Don't be static. That is to say, don't assume your information security program covers everything. Last week, a Trustwave Blog post offered nine tips for pumping up your security awareness program. In this post, we are going to drill down specifically into social engineering defenses.

Threat actors are constantly honing their skills against every kind of organization. These skills include how to break down mental defenses of their target to exploit human nature. Pushing back all begins with education.


You should first teach users that they are a prime target because they are far easier to attack than a hardened system. Explain why someone would use social engineering to attack them - and make the message personal.


Next, you must teach them how to identify a social engineering attack. By first establishing and adhering to strict policies regarding what should be transmitted via email, end-users can then identify suspicious solicitations. Requests for credentials, or to just confirm/test if something is working, are indicators of someone trying to sound legitimate. Training and simulating attacks come in quite handy here. For example, users should be conditioned to check for oddities in links they receive.


In the case of emails, simply reporting a suspected phishing message to the IT security group is generally sufficient. Phone calls, on the other hand, present an additional immediate high-stress scenario where the caller is generally trying to put the target on the spot. When an untrained user is under such pressure, they often forget what they learned from that one training module on social engineering that they had to complete once upon a time.

If they feel pressured or nervous, they should fall back on a "last-resort checklist" to verify the individual calling on the phone. The checklist would contain a list of best practices. For example, it may remind employees to ask a special code of the day to confirm the caller's legitimacy - or, for the example above, calling back the actual help-desk number to verify the caller's identity. Being able to focus on a checklist with the authority to overrule anyone on the phone gives a user confidence and forces the attacker to scramble, potentially revealing their true motives.

While this checklist is primarily for the high-pressure phone call situation, it can easily be adapted for use when an individual receives email communication. It would contain basic things already in an infosec awareness program, such as never giving out usernames and/or passwords, or not opening emails or attachments from sources you do not explicitly know.


Through a combination of receiving education and understanding psychology, your users stand a better chance of resisting social engineering attacks in their purest form - an attack on a person's thoughts and emotions.

Ismail Saifudin is a Trustwave security consultant on the SpiderLabs Network Penetration Testing Team.



Latest Trustwave Blogs

Trustwave eBook Now Available: 8 Experts on Offensive Security

It is now obvious that defensive measures alone are no longer sufficient to protect an organization from cyberattacks. Threat actors are increasing their capacity at such a rate that merely sitting...

Read More

Upcoming Trustwave Webinar: Top Security Considerations When Moving from Microsoft E3 to E5

Upgrading licensing from Microsoft 365 E3 to E5 is more than just an incremental step—it's a strategic move that can significantly enhance your organization’s security, compliance, and productivity....

Read More

How Trustwave Protects Your Databases in the Wake of Recent Healthcare Data Breaches

The recent cyberattack on Ascension Medical, Change Healthcare and several UK hospitals is a stark reminder of the vulnerabilities within the healthcare sector.

Read More