Make sure your staff and management are frequently engaged in education and training that promotes employee safe practices and enhanced data security. Informing your staff of recent threats and constantly educating them about proper protocols and responses is essential to stopping social engineering scams.

As the Facebook and Google scams should warn you, even vendors and third-party providers should be vetted thoroughly for every transaction, order, and invoice. This includes checking IDs, login keys, and sourcing credentials.

Employees should be asked to create, or even be assigned credentials. They should also follow a strict set of protocols for how and when those credentials are used, and by whom.

One of the fastest ways to confirm a fraudster is not who they say they are is to find out where they’re contacting you from. Through reverse email and IP address lookups, you can gauge the risk associated with an email address or the location from which that email was sent. If neither address matches the legitimate sender, it’s likely a scam. If it’s a scam phone call, you wouldn’t be able to trace the phone number to the business in question, as scammers use online phone numbers and burner phones.

Never allow any vendor or third-party service provider into your place of business without thorough ID and invoice checks. Also, never leave hardware or equipment unsecured in your offices. You should have a strict series of protocols for connecting to your company’s server and software, and deploy anti-malware and anti-virus software at all times. Beyond this, securing your premises each night and ensuring everyone in your company must have badges to enter is also very important.

Require multi-factor authentication on all email accounts, financial systems, and administrative platforms. Even if an attacker phishes credentials, MFA creates a second barrier that's significantly harder to bypass.

For high-risk requests like wire transfers, payment changes, or sensitive data requests, require verification through a completely separate communication channel. If the request comes via email, verify by phone using a number from your records, not any number provided in the email. Never use reply-to addresses or contact info in suspicious messages.

Configure protocols like SPF, DMARC, or DKIM to prevent attackers from spoofing your domain and to verify incoming emails. DMARC (Domain-based Message Authentication, Reporting, & Conformance) policies can reject emails that fail authentication, stopping domain spoofing attacks before they reach employee inboxes. This protects both your employees and your customers from impersonation attempts.

Test your staff with realistic phishing scenarios to identify vulnerabilities and reinforce training. Track who clicks suspicious links or provides credentials, then provide immediate targeted education. Organizations running regular simulations see dramatically lower click-through rates on real attacks.

Establish documented steps for what employees should do when they suspect social engineering: who to contact, how to report it, and what immediate actions to take. Include procedures for freezing fraudulent transfers, resetting compromised credentials, and notifying relevant parties. Fast response can mean the difference between recovering funds and permanent loss.