Social engineering is when an attacker interacts directly with your users or staff, in an effort to trick them into disclosing sensitive information or performing restricted actions.
Social engineering often takes place over the phone or email. An overloaded employee may be fooled by someone posing as an employee in another department, or a valued client. Or a naive user might be tricked into installing malware by an unsolicited call from “tech support.”
To limit the potential damage by social engineering within your organization, it is important to make employees aware of the risk. Obeying the principle of least privilege will also minimize the number of staff who can be usefully targeted.
If your users are reporting unsolicited communication from your company that you are not aware of, make sure you publish clear guidelines describing under what circumstances you will contact them.