Social engineering red flags and tips for training users

Social engineering leads to dangerous security lapses and is notoriously difficult to prevent. Make sure your organization's users can spot the most obvious red flags.


While there are proven methods and technological means to prevent attacks and detect malware, social engineering is harder to pin down: it is difficult to know what to look for or to predict what form an attack might take. That's why social engineering is so effective. If a web server is hardened against entry, it doesn't matter how often someone tries to break in; they will always get the same result.

By playing on human nature, potential saboteurs can target every individual in the organization. Even if most people are trained not to fall victim to these attacks, all a bad guy needs is one person who isn't paying attention and gives out a critical piece of information. Let's look at some of the red flags users (and even IT pros) should recognize, training tips for users, and some policies and procedures to implement as a guard against social engineering tactics.

Red flags: Proceed with caution

Most employees don't have a very good appreciation of how sensitive some pieces of information can be. This is made abundantly clear when we see how many people write their passwords down on post-it notes, or how willing they are to hand out all of their login information to anyone calling in and claiming to be from tech support. Keeping this type of information secret should be something that is repeated on a regular basis. But the burden should not only be placed on the shoulders of individual employees. It's been shown that asking employees to change their passwords too often leads them to forget more easily and thus they are more likely to write them down. It's important to make users understand that there are few, if any, circumstances under which they should share their login credentials. Edward Snowden even got NSA employees to hand over theirs. If someone is asking them for their passwords—red flag!

There are many tricks used in social engineering to gain access to a network. In one case, USB keys were left lying around in the parking lot. A curious employee took one inside and plugged it in to see what was on it! 

In addition to issuing policies on the use of unauthorized personal devices, users should be taught to be suspicious of any "lost" USB sticks or other devices and to turn them in to a designated person in management or IT. Needless to say, we all know just how devastating it would be to have an entire network compromised by malware. Again, IT can easily mitigate this risk by locking down systems and preventing optical disks or USB keys from working. Any type of wireless should always be locked down properly. Active filtering of unknown devices is the only way to protect your network from that type of intrusion.


Even high security networks have been compromised in social engineering attacks. Phishing remains the most common method of attack. An employee receives an email that appears to come from a legitimate source, with believable content, but containing a malicious link or a document that exploits an unpatched vulnerability. Some phishing attempts are very sloppy, but some are sophisticated enough to fool even the professionals. Drilling it into users that they should regard all links and attachments with a high degree of skepticism isn't exactly bullet-proof, but it is a message that needs to be repeated on a regular basis.

There are many other methods in use, from tailgating someone into a restricted area, to posing as a fellow employee or contractor, to simply baiting someone with a reward in exchange for critical information. Clear policies should be created for employees to follow, users should be protected so their information doesn't get into the hands of an unauthorized third party, and any security measure implemented by IT should assume that the intruder will be coming from the inside.

Training won't help your customers

Employees are especially susceptible to social engineering attacks, but they can be trained. What is harder is training your clients and customers. That's why any organization that offers services to external users should do everything it can to protect them from themselves. One particularly vulnerable entry point is the password reset form. If you're building an online service with a password reset function, be very careful what you ask users when they try to recover a lost password. Many sites ask for commonly available information, things that used to be safe, like the name of a pet or a previous address, but that people now share on social networks all the time. Instead, use information users are more likely to keep secret, like the last digits of their credit card. Any sensitive change to a user account, like changing a shipping address or financial information, should require extra security confirmation.
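As an added illustration of the two points above (example code, not from the article), here is a minimal recovery service in Python: instead of asking for guessable facts it relies on a single-use, expiring token delivered to the registered mailbox, caps wrong guesses, and refuses a shipping-address change unless the user re-entered their password recently. The class, method names and the time limits are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 15 * 60        # reset tokens expire after 15 minutes (constructed policy values)
MAX_ATTEMPTS = 5           # failed redemptions before a pending reset is voided
STEP_UP_WINDOW = 5 * 60    # sensitive edits need a password re-entry at least this recent

@dataclass
class Account:
    shipping_address: str
    last_auth_at: float = 0.0   # time of the most recent successful password entry

class RecoveryService:
    # Recovery relies on possession of the registered mailbox, not on knowledge
    # questions, and gates sensitive edits behind a fresh re-authentication.
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # email -> [sha256(token), issued_at, failures]

    def request_reset(self, email):
        # The raw token is delivered out-of-band (e-mail link); only its hash is
        # stored, so a leaked database does not hand out usable reset links.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[email] = [digest, self._now(), 0]
        return token

    def redeem(self, email, token):
        record = self._pending.get(email)
        if record is None:
            return False
        digest, issued_at, failures = record
        if self._now() - issued_at > TOKEN_TTL or failures >= MAX_ATTEMPTS:
            del self._pending[email]       # expired or being guessed: void it
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            record[2] += 1
            return False
        del self._pending[email]           # single use: a captured link is useless afterwards
        return True

    def change_shipping_address(self, account, new_address):
        # Sensitive change: demand a fresh re-authentication, not just a live session.
        if self._now() - account.last_auth_at > STEP_UP_WINDOW:
            return False
        account.shipping_address = new_address
        return True
```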

Room to improve

A lot of IT pros dislike having to deal with social attacks, because they are far less predictable and more linked to human fallibility than to the predictability of computer systems. It comes down to training users to be skeptical and to use good judgment. Every part of the organization should be reviewed for potential security problems, from the phone and email systems all the way to waste disposal, where sensitive documents should always be destroyed properly. Finally, just as penetration tests are now commonplace against computer networks, employees should also be subjected to random tests to see if they follow procedures. This is one area of security where an IT department just can't do it alone; everyone has to know their role and be involved in the process.

What social engineering ploys have you witnessed? Add your own suggestions for training and prevention, and identify other red flags in the discussion below.


Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...


I disable autorun for all devices on all my Windows machines.


Regarding in-house training: ...look at 2nd paragraph

Unfortunately, social networking 'teaches' that everyone is your friend and can be fully trusted. They 'train' you to click on links and do whatever you're asked.

And don't forget, every social networking site (including the 'professional' LinkedIn) asks you to enter your username AND password for every e-mail account you own, and for many, that will include their work account(s). The claim of the requesting site is that giving up that information will allow them to 'help you manage your contacts.' This is one thing that has to stop, but by doing so, the site loses marketing advantage - and, as we all know, you just can't let that happen.

Education is key, but it's become an uphill battle.


The only real defense against USB drives is to disable the function completely and then allow it for specific devices for specific people AND threaten them with dire consequences if issues arise tied to their IDs. You need good ID policies to make that stick, though.

Ultimately, you have to be willing to talk about these risks with the people who could possibly detect and mitigate them. Make them aware that the concerns are receiving more than lip service and they can do something about it.

One technique that seems to work well against many IT people is the perception of an emergency need. Sound policies get set aside if the fire under our rear ends is hot enough. Defeating this can be done with a bit of emergency training AND prepared emergency policies AND cover for the employees who do not respond to the heat even if it turns out to be real.


Interesting article. 

About the USB drives: how about a USB drive disguised as a USB gadget like a ventilator or xmas tree?

There was a test in the Netherlands which tried to see how easy/difficult it would be to penetrate our Intelligence service. Most users recognised the ploys and the test was marked as a success, but the one test they didn't go through with was the above-mentioned test. I'd have loved to see the result of that :)
