Sage Advice - Cybersecurity Blog

Four Simple Tricks to Stop a Social Engineering Attack in its Tracks

stop-a-social-engineering-attack-1Human beings are trusting by nature, and that makes us vulnerable to social engineers. Here are four simple tricks you can use to defeat a social engineering attack.

#1. Can I call you back? 

This simple phrase can stop a social engineering attack over the phone immediately.  Most of the time, when asked, the attacker just hangs up. Of course if they do give you a phone number, be sure to Google the number to ensure that it’s a legitimate organization before calling back. 

This is also a recommended practice for IT help desks at large organizations, where personal knowledge of the staff and voice recognition are nearly impossible.  Calling the IT person back provides the required verification before giving them access to your system.

#2 Did I initiate this? 

This trick works for stopping both phishing email and phone pre-texting attacks.  If you receive an email, ask yourself, “did I initiate this communication?”  If the answer is no, don't click the link or provide any information. If you did initiate the communication, and it's a legitimate company or individual, then you can respond.

For example, you sign-up for mobile banking on your bank’s website, and immediately receive an email to verify your email address.  Since you initiated it, it’s okay!  But if you get an unsolicited email from your bank saying there is a problem with your account, don’t click!  Call the bank directly to verify before doing anything.  

The same goes for phone calls.  If you call the IRS and they ask for your social security number, it’s okay to give it to them because you initiated the call.  However, if the IRS calls you and asks for your social security number, the answer is, “can I call you back?” because you didn’t initiate the call.

There is no such thing as innocuous information when you’re providing information to an unsolicited email or phone call.     

#3 Forward Slash, Two Dots Back

It’s fairly easy to create a fraudulent web site that has a deceptively similar URL to the real thing.  But you can’t be tricked by it if you use the formula “Forward Slash, Two Dots Back” to determine the actual URL of the website you are visiting.  Getting familiar with this rule protects you from fraudulent constructions of URLs that are put up by fraudsters to deceive you.

It’s easy, just go to the first forward slash, count two dots back, and there you find the real URL.


Here are a few real-word examples of fraudulent websites.

  • - At first glance, this appears to be a legitimate site because American Airlines’ URL,, is included. However, following the “Forward Slash, Two Dots Back” rule, we see that the actual website is  Plus it has a mis-spelled word – there is an extra “e” in member.  This link isn’t taking you to the legitimate American Airlines’ website.
  • - Again, this seems like a legitimate twitter link, however our rule shows that the actual domain is  This link will not take you a legitimate twitter site.
  • - In this URL, using is an attempt to trick you into thinking it’s legitimate. But ebay is just a folder name. Using the rule, we can see that is the actual URL.
  •  Misspelling an actual url domain is a great trick for social engineers.

The trick here is to always be aware of the websites you are visiting.    

#4 Am I expecting this?

When you receive an attachment unexpectedly, you should always treat it with suspicion. If your role requires you to open unexpected attachments, it’s best practice to scan the attachment with anti-virus software prior to opening it. If your role does not require you to recieve unexpected attachments, you should just delete it.

Mindful use of the internet and using these 4 simple tricks can make you a powerful force against a social engineering attack.

Free Download: Ransomware Survival Guide

We’ve all seen the headlines. Ransomware attacks are escalating. It’s essential that your organization has the proper controls in place to defend your organization against an attack.  But defense strategies are not enough. With some ransomware strains touting success rates of 40% or higher, it’s even more important that your organization is prepared to confidently respond to, and survive, a ransomware attack. Download our Ransomware Survival Guide to arm yourself with the knowledge you need to defend against and prepare for an attack.

Go to Download



Topics: Social Engineering, Cyber Defense

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More