Best Practices for Protecting SMBs from Social Engineering Attacks

By Marianne Chrisos - Last Updated on January 6, 2020

The statistics about cybersecurity crimes against people and businesses are alarming.

According to the 2017 Internet Crime Report from the Federal Bureau of Investigation, 35,344 entities fell victim to phishing that year, with the total loss from phishing estimated at $29,703,421.

Another study notes that 43% of cyber attacks target small businesses, and that cybercrime and data breaches were estimated to cost businesses over $2 trillion in 2019.

Clearly, you don’t have to be a Fortune 500 company to be worth attacking. In fact, some attackers deliberately target small businesses on the assumption that they have fewer resources and protections in place to stop a damaging attack.

What are social engineering attacks?

Social engineering attacks are defined as “a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”

The most common social engineering attacks are:

#Phishing

As the FBI figures above show, phishing is a costly scam and one of the most common social engineering attacks. A phishing message lures the recipient into volunteering personal data such as names, addresses, email addresses, passwords, Social Security numbers and credit card numbers. Most people would never hand this information to a stranger, so phishing messages are crafted to look like legitimate requests from a bank, a utility, the IRS or another trusted sender. Two tells to look for: the sender address does not actually belong to the organisation it claims to be, and the visible text of a link names the real site while the address behind it points somewhere else.

#Pretexting

In a pretexting attack, the victim is contacted under the pretext of something innocuous. A caller may claim to be conducting a customer survey and open with a few harmless questions; once a sense of legitimacy and trust is established, the questions move on to ones that draw out sensitive information. Pretexting also works by offering something in exchange for the information, such as a prize or raffle: the target is told that all they have to do to claim the prize is confirm their Social Security number, and the "company" collecting it is not legitimate.

#Baiting

Baiting combines elements of phishing and pretexting: offers of free downloads such as ebooks, software and movies are used to collect personal or payment information. A giveaway can also be physical. Attackers hand out devices that connect to a computer, such as USB drives, in the name of a legitimate-seeming person or company. If an employee plugs one in, it can deliver malware that sends sensitive information back to the attacker. Treat any unsolicited USB device as untrusted and keep it away from work machines.

#Tailgating

Tailgating is an attacker gaining access by passing as someone who belongs inside the company. Most often it is physical: an employee holds the door for the person walking behind them, assuming it is a colleague, and an outsider walks in. Key badges and a staffed front desk that acts as a gatekeeper help prevent unauthorized entry, but smaller businesses are commonly more at risk because they often lack those resources.

#Scareware

Scareware pressures the user into handing over information or money by threatening them. It typically appears as a pop-up claiming the computer is infected with malware and demanding that the user buy a particular piece of software immediately to prevent damage, prompting them to enter a credit card number.

How to protect your SMB from threats

Once you understand the possible dangers, it’s easier to go forward and prepare for how to protect your business and employees.

#Educate employees

One of the most important steps in preventing social engineering attacks at your SMB is making sure employees know what is and is not a legitimate form of communication. Train them never to open suspicious emails or respond to emails asking for sensitive data, and always to use strong passwords. You will also need to cover the importance of being mindful of who is in the building, so that nobody accidentally lets in someone who should not be there.

Even if it seems like common sense, you cannot count on every employee having the same working knowledge of cybersecurity. They should also be trained on whom to contact in the event of a problem, such as accidentally clicking through on a phishing email, and told that reporting quickly matters more than the mistake itself. One of the most startling workplace statistics is that 95% of cybersecurity breaches are due to employee error, and those employees almost never work in IT. Finally, make sure training is repeated regularly, both to reach new employees and to refresh existing ones, because the threats change as technology changes.

#Invest in the right security solutions

The right preventative software goes a long way toward limiting the damage an attack can do. Businesses that run a strong mix of anti-virus software, firewalls, email filters and VPN access are the most successful at securing themselves. None of these replaces the training above: a phishing email that gets past the filter still needs an employee to act on it, and a stolen password does far less damage when the account also requires a second factor to sign in.
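As an added example, not code from the original article, the following Python script applies the kind of checks an email filter runs to the lure described in the phishing section above: a sender address that does not belong to the bank it claims to be, a Reply-To pointing elsewhere, a link whose visible text names the real site while the address behind it does not, and urgency language. It runs over two constructed messages, one phishing lure and one genuine notice; every domain, address and the urgency word list are invented for the example and are not from any real filter product.

```python
"""Heuristic phishing-indicator check over a raw email, standard library only.
Added example; sample messages, domains and the word list are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases common in credential-phishing lures (assumed list; extend it).
URGENCY_WORDS = ("immediately", "suspended", "verify your account",
                 "within 24 hours", "unusual activity")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain (last two labels); good enough for a heuristic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """First URL- or domain-looking token in free text, or None."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else None


def phishing_indicators(raw_message):
    """Return human-readable findings for one message; empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.partition("@")[2]

    # 1. The display name smuggles in a brand domain that the real sender address is not.
    claimed = host_of(display)
    if claimed and registered_domain(claimed) != registered_domain(sender_host):
        findings.append(f"display name shows {claimed} but sender domain is {sender_host}")

    # 2. Replies are routed to a domain other than the one that "sent" the mail.
    reply_host = parseaddr(msg.get("Reply-To", ""))[1].partition("@")[2]
    if reply_host and registered_domain(reply_host) != registered_domain(sender_host):
        findings.append(f"Reply-To domain {reply_host} differs from sender domain {sender_host}")

    # 3. Link text names one site while the href behind it goes to another.
    body = "".join(
        (part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/html")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = host_of(text)
        if shown and registered_domain(shown) != registered_domain(href_host):
            findings.append(f"link text shows {shown} but points to {href_host}")

    # 4. Pressure language pushing the reader to act before checking.
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    hits = [w for w in URGENCY_WORDS if w in plain]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: a lure dressed up as a bank alert (all names are invented).
SAMPLE_PHISH = """\
From: "security@firstnational.example" <alerts@fn-secure-login.example>
Reply-To: verify@mail-relay.example
To: owner@smallbiz.example
Subject: Unusual activity on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Verify your account immediately or it will be suspended.</p>
<p><a href="http://fn-secure-login.example/verify">https://www.firstnational.example/login</a></p>
</body></html>
"""

# Constructed sample: a genuine notice from the same (invented) bank.
SAMPLE_LEGIT = """\
From: "First National Bank" <alerts@firstnational.example>
To: owner@smallbiz.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available in online banking.</p>
<p><a href="https://www.firstnational.example/statements">www.firstnational.example/statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

The lure trips all four checks and the genuine notice none. The link check deliberately compares the visible text with the href rather than with the sender's domain, because legitimate newsletters routinely route links through tracking domains; comparing against the sender would flood the filter with false positives, which is exactly the kind of noise that trains employees to ignore warnings.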

Cybersecurity is a serious issue. Don’t let your business or your employees become another security statistic. Make sure you’re taking the necessary steps and appropriate precautions to prevent social engineering attacks against your organization.

Marianne Chrisos | Born in Salem, Massachusetts, growing up outside of Chicago, Illinois, and currently living near Dallas, Texas, Marianne is a content writer at a company near Dallas and contributing writer around the internet. She earned her master's degree in Writing and Publishing from DePaul University in Chicago and has worked in publishing, advertising, digital marketing, and content strategy.
