{"id":17462,"date":"2025-05-14T12:12:21","date_gmt":"2025-05-14T16:12:21","guid":{"rendered":"https:\/\/joindeleteme.com\/?post_type=b2b-post&#038;p=17462"},"modified":"2025-05-14T12:12:22","modified_gmt":"2025-05-14T16:12:22","slug":"how-to-prevent-social-engineering-in-the-workplace-in-2025","status":"publish","type":"b2b-post","link":"https:\/\/joindeleteme.com\/business\/blog\/how-to-prevent-social-engineering-in-the-workplace-in-2025\/","title":{"rendered":"How to Prevent Social Engineering In the Workplace in 2025"},"content":{"rendered":"\n<p><strong>TL;DR: <\/strong>To prevent social engineering in the workplace, take a layered approach to security. In other words, no single solution works 100% of the time. Combine technical safeguards, employee training, robust reporting mechanisms, and personal data removal from online exposure sources.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DeleteMe removes employees\u2019 personal data from online sources that criminals often use to personalize their social engineering campaigns.\u00a0<\/strong><\/li>\n<\/ul>\n\n\n\n<p>The guide below explores practical strategies to protect your organization from social engineering threats.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4 Steps to Prevent Social Engineering In the Workplace<\/h2>\n\n\n\n<p>None of these steps on their own will stop social engineering, but combined, they will give organizations a robust posture against anyone who wants to trick their employees and executives into sharing sensitive information or enabling threats.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Don\u2019t rely on email filtering<\/h3>\n\n\n\n<p>As many as 85% of all <a href=\"https:\/\/finance.yahoo.com\/news\/mimecast-spam-email-statistics-130000494.html\" target=\"_blank\" rel=\"noreferrer noopener\">emails are malicious<\/a>. 
Email security solutions should block at least some social engineering attempts included in this number before they reach employees.\u00a0<\/p>\n\n\n\n<p>However, even though these tools typically use sophisticated algorithms to identify suspicious patterns, such as unusual sender addresses, malicious links, or attachments that could contain malware, they are far from perfect.&nbsp;<\/p>\n\n\n\n<p>It\u2019s effectively impossible to prevent social engineering emails at the email client level\u2013especially when criminals use compromised legitimate email accounts (as is the case in <a href=\"https:\/\/blog.barracuda.com\/2024\/06\/18\/new-report-business-email-compromise-email-attacks\" target=\"_blank\" rel=\"noreferrer noopener\">at least 10% of social engineering campaigns<\/a>).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Do social engineering training at a granular level and test as regularly as possible<\/h3>\n\n\n\n<p>Social engineering training programs can educate employees on how to recognize social engineering tactics. But only if it feels real.<\/p>\n\n\n\n<p>Training must be updated regularly to keep up with evolving social engineering techniques. For example, <a href=\"https:\/\/www.crowdstrike.com\/explore\/2025-global-threat-report?utm_medium=org\" target=\"_blank\" rel=\"noopener\">cybersecurity researchers reported<\/a> a significant increase in vishing (phone-based social engineering techniques) attacks in 2024.&nbsp;<\/p>\n\n\n\n<p>We advise companies to focus on storytelling. 
Share as many real-world social engineering examples as possible, ideally relevant to the kind of jobs people are doing at your organization, and show them the consequences of taking a lax approach to security.&nbsp;<\/p>\n\n\n\n<p>Of course, it will be harder to do this when the employees in question are executives, but it&#8217;s still essential.<\/p>\n\n\n\n<p>Phishing simulations are great, too, but again, always consider (and communicate) these as organizational-level exercises and not as attempts to test individuals.&nbsp;<\/p>\n\n\n\n<p>Test the company as a whole and at the departmental level against:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Social engineering tactics like phishing, baiting, and pretexting.\u00a0<\/li>\n\n\n\n<li>Vishing campaigns that impersonate IT support staff to gain access to sensitive information.\u00a0<\/li>\n\n\n\n<li>Social engineering campaigns that impersonate employees to the organization&#8217;s IT support desk.\u00a0<\/li>\n<\/ul>\n\n\n\n<p>Go department by department, and you can see where exactly social engineering risk is at its worst.\u00a0<\/p>\n\n\n\n<p>Many companies find that their most vulnerable employees are often those actually working in security or IT roles. These people tend to be highly targeted for their relatively elevated network permissions.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
Build a security reporting culture<\/h3>\n\n\n\n<p>Adding on to the previous point, we have to reiterate that safe organizations are open ones, i.e., those where when something looks dangerous, no one has a second thought about raising a red flag.<\/p>\n\n\n\n<p>However, the ground reality is that in many organizations, employees either do not know how to communicate potential security risks or don\u2019t feel like they should.<\/p>\n\n\n\n<p>We saw some pretty explicit examples of this in a recent <a href=\"https:\/\/www.knowbe4.com\/hubfs\/KnowBe4-Security-Approaches-Around-the-Globe.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">report by KnowBe4<\/a>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>38% of employees still hesitate to report security concerns because they don&#8217;t know how.<\/li>\n\n\n\n<li>31% of employees still hesitate to report security concerns because they find it too difficult.<\/li>\n\n\n\n<li>20% of employees still hesitate to report security concerns because they didn&#8217;t want to bother the security team.<\/li>\n\n\n\n<li>1 in 10 employees still hesitate to report security concerns due to fear or uncertainty.<\/li>\n<\/ul>\n\n\n\n<p>Employees reporting social engineering promptly is very important to security because it minimizes the blast radius and risk of attacks. When someone flags a social engineering attempt, it reduces the likelihood of additional employees falling victim to the same social engineering tactics.&nbsp;<\/p>\n\n\n\n<p>Prompt reporting also enables IT teams to quickly block malicious emails or communications, update security filters, and implement temporary measures to protect against similar attacks.&nbsp;<\/p>\n\n\n\n<p>Does your organization have a process for employees to report social engineering attempts? Or securely notify IT if they feel they might have fallen victim to an attack?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Remove employee personal data from online exposure sources<\/h3>\n\n\n\n<p>This is what we specialize in doing, and it is the easiest and potentially highest ROI tip in this article.&nbsp;<\/p>\n\n\n\n<p>Generic social engineering campaigns can be relatively easy to spot and stop. It\u2019s the personalized attacks that you need to worry about most.&nbsp;<\/p>\n\n\n\n<p>If employees think an email came from someone they know, they\u2019re likely to act on it &#8211; even if, in the IT\/security team\u2019s eyes, there are multiple \u201cred flags\u201d that should have warned them the email (or text, call, etc.) was bogus.&nbsp;<\/p>\n\n\n\n<p>As one <a href=\"https:\/\/www.reddit.com\/r\/sysadmin\/comments\/b6bkgg\/has_anyone_ever_actually_disciplined_an_employee\/\" target=\"_blank\" rel=\"noreferrer noopener\">IT person shared<\/a>, email security controls help, but social engineering scams still trick their employees.\u00a0<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cOne instance was someone impersonating an existing vendor to our Finance dept with a phony invoice and &#8220;Oh, by the way we changed our payment details, please send the payment via ACH to this new account.&nbsp;<\/em><\/p>\n\n\n\n<p><strong><em>Another was someone impersonating an executive to our HR department wanting to change their direct deposit info.<\/em><\/strong><\/p>\n\n\n\n<p><em>In both cases the from display names were slightly altered \/ misspelled in order to avoid the impersonation attempt tag, but the from email addresses were clearly bogus. 
One was a Gmail address and the other was a gibberish domain.<\/em><\/p>\n\n\n\n<p><strong><em>In both cases, we ended up losing several thousand dollars.\u201d<\/em><\/strong><\/p>\n<\/blockquote>\n<\/blockquote>\n\n\n\n<p>It\u2019s not hard for criminals to launch these kinds of personal attacks, either.&nbsp;<\/p>\n\n\n\n<p>Attackers can find employee information for social engineering through employee social profiles, public records, corporate websites, and data brokers and people search sites.<\/p>\n\n\n\n<p>Data brokers and people search sites pull employees\u2019 information from various sources into one place.&nbsp;<\/p>\n\n\n\n<p>People search sites publish people\u2019s (and your employees\u2019) personal information like their phone number, home address, family member names, links to personal social media profiles, etc.<\/p>\n\n\n\n<p>B2B data brokers publish information about organizations and employees, including org charts, employee education and work histories.&nbsp;<\/p>\n\n\n\n<p>We know from <a href=\"https:\/\/www.varonis.com\/blog\/contileaks\" target=\"_blank\" rel=\"noreferrer noopener\">leaked criminal chat transcripts<\/a> that attackers use data brokers, likely to find social engineering targets and names to \u201cname drop\u201d within these campaigns to make them more believable.\u00a0<\/p>\n\n\n\n<p>As <a href=\"https:\/\/www.reddit.com\/r\/hacking\/comments\/165wcl2\/stop_believing_the_social_engineering_myths\/\" target=\"_blank\" rel=\"noreferrer noopener\">one person says<\/a>, \u201cSocial engineering is ultimately the same art of exploiting as hacking, <strong>you need to know your target first and how to approach it in order to succeed.\u201d\u00a0<\/strong><\/p>\n\n\n\n<p>To reduce criminals\u2019 ability to target employees with this kind of information, it\u2019s critical to remove employees\u2019 data from these sources.&nbsp;<\/p>\n\n\n\n<p>People search sites and data brokers allow people to \u201copt out\u201d of their 
databases. However, the opt-out process varies from one broker to the next.&nbsp;<\/p>\n\n\n\n<p>Opt-outs also need to be continuous as people search sites and data brokers are known to relist people\u2019s information when they find more of it online, even if they previously opted out.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">DeleteMe automates data broker opt-outs.<\/h4>\n\n\n\n<p>When you enroll employees in a data broker removal service like DeleteMe, our privacy experts will remove your employees\u2019 personal information from the most common exposure sources.<\/p>\n\n\n\n<p>Trusted by 20% of the Fortune 500 and dozens of federal and state agencies, DeleteMe proactively removes employee personal data across hundreds of websites, keeping your organization safer from personalized social engineering threats.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">You Might Never Prevent 100% of Social Engineering In the Workplace<\/h2>\n\n\n\n<p>But with the advice above, you can make successful social engineering attempts a) extremely rare and b) limited in terms of potential impact.&nbsp;<\/p>\n\n\n\n<p>Take this 1,2,3,4 approach and see your social engineering risk drop dramatically.&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Don\u2019t rely on technical controls.<\/li>\n\n\n\n<li>Make social engineering training real and regular.\u00a0<\/li>\n\n\n\n<li>Build a security reporting culture.\u00a0<\/li>\n\n\n\n<li>Remove employee personal information from the web.\u00a0<\/li>\n<\/ol>\n\n\n\n<p>Most successful social engineering attacks use personal data.&nbsp;<\/p>\n\n\n\n<p>And even the most generic social engineering campaigns require lists of employee email addresses or phone numbers &#8211; information that can be easily acquired from data brokers and people search sites.&nbsp;<\/p>\n\n\n\n<p>Remove employees\u2019 personal data from data exposure sources like data brokers, and you will reduce the likelihood of social engineering in your 
workplace.&nbsp;<br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR: To prevent social engineering in the workplace, take a layered approach to security. In other words, no single solution works 100% of the time. Combine technical safeguards, employee training, robust reporting mechanisms, and personal data removal from online exposure sources.&nbsp; The guide below explores practical strategies to protect your organization from social engineering threats.&nbsp; [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":0,"menu_order":0,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"b2b-category":[],"class_list":["post-17462","b2b-post","type-b2b-post","status-publish","format-standard","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post\/17462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post"}],"about":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/types\/b2b-post"}],"author":[{"embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/users\/14"}],"version-history":[{"count":0,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post\/17462\/revisions"}],"wp:attachment":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/media?parent=17462"}],"wp:term":[{"taxonomy":"b2b-category","embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-category?post=17462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}