What are some good sources to educate/train myself on defending against social engineering?

Unfortunately I don’t have any good resources to recommend and I think resources are generally lacking in this area. I found this article which is alright:


Hopefully I can be a decent resource and at least provide some helpful knowledge.

The biggest thing to know is that humans are the weak link, so it’s generally a good idea to lean on technology. For example, if you use an encrypted messenger to communicate with your family (say Signal with E2EE manually verified) then you can be 99% sure it’s who you expect on the other end. Compare this to an unencrypted phone call, which is unauthenticated and with modern deep fakes may easily convince you (especially if you are tired, etc.) that they are a family member or friend.

The other thing is to verify what you are being told. If you think about it, anyone could tell you some terrible accident has happened or that your family member is kidnapped. Obviously you shouldn’t completely dismiss this kind of stuff, but you also should try to verify what they are saying. For example you might try to reach out to said family member directly.

Before all that there is the obvious surface-level stuff that is mentioned in the CISA article. Use passkeys (since they are phishing-proof), use MFA, use email aliases (that way if someone claims to be your bank but doesn’t contact your banking email you immediately know it’s not them), and most importantly take a step back if you get the slightest feeling that something isn’t right. Oftentimes social engineering depends on wearing the target down, so coming back later if you feel overwhelmed can help mitigate that.
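The email-alias rule above is mechanical enough to automate. The following is an added example, not code from the poster: it assumes a hypothetical per-organization alias table (ALIASES), a hypothetical brand-keyword list (BRAND_KEYWORDS), and constructed sample messages, and flags any message that claims to be from an organization but was not delivered to the alias that organization was given.

```python
"""Alias-mismatch check for inbound mail (added example).

Rule: each organization gets its own unique alias. A message that claims
to come from that organization but is not addressed to its alias is
suspicious, no matter how convincing the sender name or subject looks.
"""
from email import message_from_string
from email.utils import parseaddr, getaddresses

# Hypothetical alias table: the unique alias each organization was given.
ALIASES = {
    "examplebank.com": "bank.7f3a@alias.example",
    "example-utility.com": "power.c19d@alias.example",
}

# Hypothetical brand keywords so lookalike domains and display names still
# resolve to the organization they are impersonating.
BRAND_KEYWORDS = {
    "examplebank": "examplebank.com",
    "example bank": "examplebank.com",
    "example utility": "example-utility.com",
}


def claimed_org(msg):
    """Return the organization a message claims to be from, or None."""
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].lower()
    # Exact domain or a subdomain of a known organization.
    for org in ALIASES:
        if domain == org or domain.endswith("." + org):
            return org
    # Otherwise look for the brand in the display name or subject.
    text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    for keyword, org in BRAND_KEYWORDS.items():
        if keyword in text:
            return org
    return None


def recipients(msg):
    """All To/Cc addresses, lower-cased."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def classify(raw):
    """'ok', 'unknown-sender', or a 'suspicious: ...' explanation."""
    msg = message_from_string(raw)
    org = claimed_org(msg)
    if org is None:
        return "unknown-sender"
    expected = ALIASES[org]
    if expected in recipients(msg):
        return "ok"
    return f"suspicious: claims {org} but was not sent to {expected}"


# Constructed sample messages (not real mail).
LEGIT = """\
From: Example Bank <alerts@examplebank.com>
To: bank.7f3a@alias.example
Subject: Your monthly statement is ready

Statement attached.
"""

LOOKALIKE = """\
From: "Example Bank Security" <security@examplebank-secure.com>
To: me@alias.example
Subject: Urgent: verify your account

Click here within 24 hours.
"""

WRONG_ALIAS = """\
From: Example Bank <alerts@examplebank.com>
To: power.c19d@alias.example
Subject: Suspicious login detected

Confirm it was you.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE),
                      ("wrong-alias", WRONG_ALIAS)]:
        print(f"{name}: {classify(raw)}")
```

The check deliberately ignores everything the sender controls (display name, subject, even a spoofed From address) and keys only on the recipient address, which is the one field the attacker has to guess. The rule only works if each alias is never published or reused across services.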

I would recommend starting by understanding who your adversary is and what the adversary is capable of.

Techniques | No Trace Project is useful, and so is Free Haven's Selected Papers in Anonymity for state level surveillance.

Simple stuff like a password manager, a VPN, and good browsing habits is good for a non-state-level script-kiddie adversary.

Firewalls and denial-based systems (as opposed to approval-based systems) are useful against corporate espionage.

Physical safety is different for all three. Using the cloud or keeping data on-device makes a difference in social engineering too.