As a partial defense against this type of social engineering, a company I once worked for arranged to publish some fake entries in the company phone list, with extensions that rang through to HR. The extensions were at the beginning of our block. If the phone list got into the wrong hands, the fake people would be called. Or if a recruiter started working their way through the company, the fake people would be called. Either way, this gave HR a quick heads-up that we were being "hacked".

A few got through. My favorite was "Hi, this is <mummble> in accounting. We need to verify your position, manager, and salary." That tends not to work well when your company is 50 people under the same roof.