Social Engineering and Phishing: Protecting Your Team

Social engineering attacks target people rather than technology — exploiting human psychology to trick individuals into revealing credentials, transferring funds, or installing malware. No amount of technical security controls can fully protect against a team member who is deceived.

Common Attack Types

  • Phishing: Mass emails impersonating trusted organisations (banks, HMRC, Microsoft) to harvest credentials
  • Spear phishing: Targeted phishing using personal information to make the deception more convincing (e.g. an email appearing to be from your CEO asking for urgent bank transfers)
  • Vishing: Phone-based social engineering — impersonating IT support to obtain credentials
  • Smishing: SMS-based phishing
  • Business Email Compromise (BEC): Attackers compromise or impersonate a trusted email account to redirect financial transactions

Technical Defences

  • Email authentication (SPF, DKIM, DMARC) so that receiving mail servers can detect and reject messages that spoof your domain
  • Anti-phishing email filtering
  • MFA on all accounts (reduces the impact of credential theft — a stolen password is not enough)
  • Domain monitoring to detect impersonation domains registered by attackers

Human Defences

  • Regular security awareness training — teach your team to recognise and report phishing
  • Simulated phishing campaigns to test and improve awareness
  • Clear processes for verifying unusual requests (especially financial) through out-of-band channels (call the person directly — don't reply to the email)