
How to Fight Back Against Social Engineering Hackers

Mar 23, 2022

By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®

Have you or your business fallen victim to a social engineering scam? Are you concerned about having sensitive client data stolen from your computer network by a cyber hacker? If so, you’re not alone, as cyber security has become an ever-growing threat to individuals and companies around the globe.

In the social sciences arena, social engineering is defined as “the use of centralized planning in an attempt to manage social change and regulate the future development and behavior of a society.” In the context of information security it has a darker, more ominous meaning – the use of deception to trick individuals into providing access to personal or confidential information that could be used for fraudulent purposes.

The weakest link in an organization’s battle against social engineering has always been the end-user. Cyber attackers can use a wide variety of tactics to entrap unaware or distracted employees. These include email-based techniques like spam and business email compromise; phishing techniques like spear-phishing, angler phishing, and whaling; and pharming, scareware, access tailgating, baiting, DNS spoofing, pretexting, and more.

The number of attack types used by the bad guys can seem insurmountable, and they’re always adding new twists to existing techniques and coming up with new ones. Recently there has been an uptick in the simplest of exploits – domain impersonation – in which an attacker changes a company domain by one or two letters.

For example, a hacker looking to impersonate a company like “” might purchase a closely related domain name such as “”. They would then tie their fake email systems to the new domain. By using a real name and email thread, the attacker hopes the intended victim won’t notice the slight difference in the domain and will follow up on the request coming from their supposed contact, perhaps a customer, partner, or vendor.

Repelling Targeted Attacks

How can you defend against this onslaught of targeted attacks on your user population? Start by making these three strategies standard operating procedure throughout your business.

1. Trust No One, Verify All.

Train all users to follow this strict mantra when dealing with sensitive information or actions concerning any types of money transfers, bank account changes, or routing adjustments in emails. These days, hackers can make incoming emails look like legitimate communications from clients and companies you do business with. Never assume an email is legit.

2. Always Use “Second Factor” Authentication.

Passwords alone are no longer enough to verify someone’s identity. Second factor authentication (2FA) provides a higher level of security by requiring a second form of identification after the password is entered. This could consist of a personal identification number (PIN), the answer to a question, your fingerprint, and more.

3. Never Rely on a Single Email Communication.

This is especially true when bank changes and other financial transactions are being made. If all else fails, pull up a reliable contact list and call the sender for verification. Do not pull a phone number from any suspicious email chain. Doing so could cost your business thousands or perhaps hundreds of thousands of dollars.

As a user or a customer dealing with other customers, it pays to stay focused when working with company emails and other forms of communication. Just as it isn’t safe to drive a car distracted, it is dangerous to get distracted when dealing with company-related and personal emails. Distracted users can miss the telltale signs demonstrated above, fail to notice email domain misspellings, or click on dangerous links that lead to malware infections. Creating a culture of cyber security in your business, with ongoing education and reminders to keep employees focused, will help keep hackers from gaining access to your sensitive data and/or financial assets.

Kevin Smallen MS, CISSP, ITIL-F is PenChecks Trust’s Chief Information Security Officer (CISO) and has more than three decades of experience in the field of information technology as a consultant and in-house manager for many companies. A well-rounded Security specialist, his background includes hands-on experience in technical management, systems architecture, program and project management, network design and deployment and ITIL (Information Technology Infrastructure Library) and SDLC (Software Development Life Cycle) methodologies. Kevin holds an MS in Cybersecurity from Liberty University.
