
How to Fight Back Against Social Engineering Hackers

Mar 23, 2022

By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®

Have you or your business fallen victim to a social engineering scam? Are you concerned about sensitive client data being stolen from your network by an attacker? If so, you're not alone: cyber attacks are an ever-growing threat to individuals and companies around the globe.

In the social sciences, social engineering is defined as “the use of centralized planning in an attempt to manage social change and regulate the future development and behavior of a society.” In information security it has a darker meaning: the use of deception to manipulate people into revealing confidential information, granting access, or taking an action (such as sending money) that benefits the attacker.

The weakest link in an organization's defense against social engineering has always been the end user. Attackers use a wide variety of tactics to catch unaware or distracted employees: email-based attacks such as spam and business email compromise (BEC); phishing variants such as spear phishing, angler phishing, and whaling; and pharming, scareware, tailgating, baiting, DNS spoofing, pretexting, and more.

The number of attack types can seem overwhelming, and attackers are always adding new twists to existing techniques and inventing new ones. Recently there has been an uptick in one of the simplest: domain impersonation, in which an attacker registers a domain that differs from a company's real domain by only one or two characters.

For example, an attacker looking to impersonate a company like “” might purchase a closely related domain name such as “” and then set up a mail server for that look-alike domain. By using a real employee's name and replying inside an existing email thread, the attacker hopes the intended victim won't notice the slight difference in the domain and will act on a request that appears to come from a known contact, perhaps a customer, partner, or vendor. The same trick is also done by reusing the real name under a different top-level domain, or by swapping in characters that look alike (the digit 0 for the letter o, or “rn” for “m”).
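One practical defense is to screen the sender domain of inbound mail against the list of domains you actually do business with. The Python below is an added example and is not PenChecks code; the trusted domains and the sample From: headers are constructed for illustration. It flags a sender whose registrable domain is within two edits of a trusted one (after folding look-alike characters such as 0/o and rn/m), reuses a trusted name under another top-level domain, or buries a trusted name inside a longer or deeper domain. This goes slightly beyond the one-or-two-letter case in the text to cover the other common impersonation patterns.

```python
"""Lookalike sender-domain check for inbound mail.

Added example (not PenChecks code). Given the From: header of an inbound
message and a constructed list of trusted domains, flag senders whose domain
imitates a trusted one.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed for the example: domains of real clients, partners and vendors.
TRUSTED_DOMAINS = {"examplebank.com", "acme-vendor.com", "example.org"}

# Characters and digraphs that read alike in most fonts; folded before comparing.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Two single-character edits covers the usual "change a letter or two" trick.
MAX_EDITS = 2


@dataclass
class Verdict:
    sender_domain: str
    status: str          # "trusted", "lookalike" or "unknown"
    reason: str = ""


def normalize(label: str) -> str:
    """Lower-case a label and fold confusable characters to their look-alike."""
    s = label.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of the domain. Simplification for the example: a real
    deployment should use the Public Suffix List (e.g. the tldextract package)
    so that names like examplebank.co.uk are split correctly."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def compare(reg_name: str, reg_tld: str, sub_labels: list, trusted: str):
    """Return a reason string if the sender domain imitates `trusted`, else None."""
    t_name, _, t_tld = trusted.partition(".")
    if t_name in sub_labels:
        return f"{trusted} used as a subdomain of an unrelated domain"
    if reg_name == t_name and reg_tld != t_tld:
        return f"same name as {trusted} under a different TLD"
    if reg_name != t_name and t_name in reg_name:
        return f"{trusted} embedded in a longer name"
    if reg_name != t_name and edit_distance(normalize(reg_name), normalize(t_name)) <= MAX_EDITS:
        return f"within {MAX_EDITS} edits of {trusted} after confusable folding"
    return None


def check_sender(from_header: str) -> Verdict:
    """Classify the domain in a From: header as trusted, lookalike or unknown."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return Verdict(domain, "unknown", "no domain in From header")
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return Verdict(domain, "trusted")
    reg_name, _, reg_tld = reg.partition(".")
    sub_labels = domain.split(".")[:-2]          # labels left of the registrable part
    reasons = [r for t in sorted(TRUSTED_DOMAINS)
               if (r := compare(reg_name, reg_tld, sub_labels, t))]
    if reasons:
        return Verdict(domain, "lookalike", "; ".join(reasons))
    return Verdict(domain, "unknown", "not a trusted or lookalike domain")


# Constructed sample From: headers; none of these addresses are real.
SAMPLE_FROM_HEADERS = [
    '"Jane Doe" <jane.doe@examplebank.com>',                  # genuine
    '"Jane Doe" <jane.doe@exarnplebank.com>',                 # "rn" for "m"
    '"Accounts Payable" <ap@examplebank.com.evil-mail.net>',  # brand as subdomain
    '"Acme Vendor" <billing@acme-vend0r.com>',                # digit 0 for o
    '"Support" <help@example.com>',                           # trusted name, other TLD
    '"Someone" <someone@gmail.com>',                          # unrelated
]


def triage(headers):
    return [check_sender(h) for h in headers]


if __name__ == "__main__":
    for v in triage(SAMPLE_FROM_HEADERS):
        print(f"{v.status:9} {v.sender_domain:32} {v.reason}")
```

A "lookalike" verdict should quarantine or banner the message for the recipient rather than silently drop it, since a legitimate partner occasionally does mail from a new domain; "unknown" senders are ordinary external mail and need no special treatment beyond the verification steps below. The substring check will over-match for very short trusted names, so tune the list rather than lowering the threshold.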

Repelling Targeted Attacks

How can you defend against this onslaught of targeted attacks on your user population? Start by making these three strategies standard operating procedure throughout your business.

1. Trust No One, Verify All.

Train all users to follow this strict rule whenever an email concerns sensitive information, a money transfer, a bank account change, or new routing instructions. Attackers can make incoming email look like legitimate correspondence from clients and companies you do business with, so never assume an email is legitimate because it looks familiar.

2. Always Use Two-Factor Authentication.

Passwords alone are no longer enough to verify someone's identity. Two-factor authentication (2FA) adds a second proof of identity from a different category than the password: something you have, such as a code from an authenticator app or a hardware security key, or something you are, such as a fingerprint. A PIN or the answer to a security question is just another "something you know" and adds little protection. Where you have the choice, prefer an authenticator app or a security key over SMS codes, which can be intercepted or phished.

3. Never Rely on a Single Email Communication.

This is especially true when bank details are being changed or other financial transactions are being made. Before acting, confirm the request through a second channel: pull up a contact list you already hold and call the sender for verification. Never use a phone number taken from the suspicious email chain, because the attacker controls it. Skipping this step could cost your business thousands or even hundreds of thousands of dollars.

Whether you are an employee or a customer dealing with other customers, it pays to stay focused when working with company email and other forms of communication. Just as it isn't safe to drive distracted, it is dangerous to handle company-related and personal email while distracted. Distracted users miss the telltale signs described above, fail to notice misspelled domains, or click on links that lead to malware infections. Building a culture of cyber security in your business, with ongoing education and reminders that keep employees alert, will help keep attackers away from your sensitive data and financial assets.

Kevin Smallen MS, CISSP, ITIL-F is PenChecks Trust’s Chief Information Security Officer (CISO) and has more than three decades of experience in the field of information technology as a consultant and in-house manager for many companies. A well-rounded Security specialist, his background includes hands-on experience in technical management, systems architecture, program and project management, network design and deployment and ITIL (Information Technology Infrastructure Library) and SDLC (Software Development Life Cycle) methodologies. Kevin holds an MS in Cybersecurity from Liberty University.

