Social engineering
How companies protect themselves and their customers from manipulation
The phenomenon of people manipulating others to gain an advantage is as old as human history, and it has become an omnipresent threat in the digital world as well. Every day the mass media warn of new cyber-attacks, and one conclusion is clear: the biggest weak point in the digital world is, and will remain, people, who can be tricked by social engineering methods into disclosing confidential information or bypassing security measures.
The consequences for companies range from financial damage and data loss to reputational harm when employees or customers act without thinking twice. The risk can, however, be minimized with the right measures.
The five most common social engineering methods
Social engineering means attackers tricking their victims into revealing confidential information or granting access by posing as a known person or a legitimate organization. A whole range of methods falls under the term.
Phishing – the classic among scams
According to Statista, in the third quarter of 2024 financial institutions, e-commerce and payment providers were the most frequent targets of phishing attacks, alongside social networks and SaaS/webmail providers. Employees or customers receive deceptively genuine-looking but fake emails, text messages or chat messages that try to get them to enter sensitive data on a page the attacker controls; almost always, the message manufactures an urgent need for action:
- An email apparently sent by the “IT department” asks employees to reset their password due to an alleged security breach.
- Customers of a financial institution are told that their account has been hacked, that a payment could not be executed, or something similar that supposedly requires an immediate login to a website which looks genuine but is fake.
According to figures also published by Statista, spam emails accounted for around 44.6 percent of all email traffic worldwide in December 2024 (incidentally, with over 30 percent, the largest share of spam in 2024 came from Russia). The figure gives an idea of the scale phishing has reached, and of how quickly someone, whether customer or employee, can fall into the trap without thinking.
Spear phishing – targeted attacks on managers and employees
In contrast to classic phishing, spear phishing attacks are individually tailored, and the victims are in most cases employees of companies. Criminals first collect specific information about the victim and use it to craft particularly credible messages.
For example, a CFO or a member of the accounting team receives an email purporting to come from the IT department, asking them to log in to the “new finance system” with their personal credentials.
Pretexting – identity fraud through invented stories
In pretexting, the attackers pose as trustworthy individuals or organizations and invent a plausible reason for needing sensitive information or access to internal systems.
For example, a supposed “human resources employee” asks a new colleague to confirm their login details for the payroll system. A link to the fake system is conveniently included.
Baiting – the curiosity trap
In baiting, attackers play on human curiosity by disguising malicious files or links as attractive downloads or finds.
For example, a USB stick labeled “Bonusliste 2024” is left in the company car park. An employee finds it and plugs it into his PC, thereby running malware that may delete data on company servers or, worse, copy it so that the cybercriminals can blackmail the company and/or steal customer data.
Quid pro quo – a dangerous exchange
Here the attacker offers a supposed benefit in return for sensitive information or system access. For example, someone from “IT support” calls and offers help with an alleged problem that the person called has not even noticed yet, and asks for login credentials so that the supposed problem can be fixed quickly.
Identity verification solutions reduce the dangers of social engineering
To help companies minimize the dangers posed by the various social engineering methods, identity verification solutions and procedures tailored to the target group are essential, such as VideoID (Live).
Know Your Employee (KYE) principle
Processes and instruments that follow the Know Your Employee (KYE) principle should be established within the company. In decentralized organizations, where entire teams work exclusively remotely, the unambiguous identification of employees is strongly recommended; WebID offers a sophisticated portfolio of identification solutions for this purpose.
In industries subject to special due diligence rules, KYE verification is understandably mandatory. These include companies bound by regulatory and compliance requirements to prevent money laundering, terrorist financing or other financial crime, such as banks, financial institutions, insurance companies and real estate agents. Companies that handle highly sensitive data or run complex supply chains are likewise obliged to verify the identity of their employees carefully.
Know Your Customer (KYC)
Finally, customer identification according to the KYC principle is also strongly recommended as a measure companies can use to minimize the risks posed by the various social engineering methods.
Of course, some industries are obliged by anti-money laundering rules to carry out AML-compliant identification of their customers, such as banks and financial service providers, insurance companies, real estate agents, notaries and others.
Further measures to protect against social engineering attacks
In addition to using secure identification procedures, companies can implement several measures to minimize the risk of social engineering attacks that reach the IT infrastructure and security systems via employees.
And, of course, it is equally important to define measures to improve customer protection against social engineering.
Security awareness and employee training
Under the “Three Lines of Defense” model, the operational business units, which run the day-to-day business and whose daily work can be affected by business risks, are the first line of defense against social engineering attacks. As risk owners, they are responsible for recognizing, assessing, managing and reducing threats in their operational activities at an early stage. Regular training sessions and interactive simulations raise awareness of threats such as phishing, spear phishing and similar methods.
In many companies, especially those operating internationally, online training and phishing tests are therefore routine, in order to improve awareness of social engineering and the teams' ability to respond.
Multi-factor authentication (MFA)
Even if criminals have obtained employee or customer passwords through a social engineering attack, multi-factor authentication makes unauthorized access considerably more difficult: the stolen password alone is no longer enough to log in.
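To make the point concrete, here is an added example (not code from the original page or from WebID) of a login that requires a TOTP code (RFC 6238) as a second factor in addition to the password. It assumes a 30-second time step, a one-step tolerance window for clock skew, PBKDF2 for the password hash and a constructed user record; the secret is the RFC 6238 test key, so the codes can be checked against the RFC's published vectors. A caller who knows only the password is rejected, and a code that was already accepted is rejected on replay.

```python
"""TOTP as a second factor (added example; not code from the original page)."""
import hashlib
import hmac
import os

SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret (SHA-1 vectors)
STEP, DIGITS, WINDOW = 30, 6, 1    # assumed: 30 s steps, 6-digit codes, +/-1 step skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238) is HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class User:
    """Constructed user record; used_steps makes every accepted code single-use."""
    def __init__(self, name: str, password: str, totp_secret: bytes):
        self.name, self.salt, self.totp_secret = name, os.urandom(16), totp_secret
        self.pw_hash = hash_password(password, self.salt)
        self.used_steps = set()


def verify_totp(user: User, code: str, now: int) -> bool:
    """Accept the code for the current step or one neighbouring step, once only."""
    current = now // STEP
    for step in range(current - WINDOW, current + WINDOW + 1):
        expected = hotp(user.totp_secret, step)
        if hmac.compare_digest(expected, code) and step not in user.used_steps:
            user.used_steps.add(step)       # burn the step so the same code cannot be replayed
            return True
    return False


def login(user: User, password: str, code: str, now: int) -> str:
    """Return 'ok' or the reason for failure; a correct password alone is never enough."""
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return "bad password"
    if not code or not verify_totp(user, code, now):
        return "bad or reused code"
    return "ok"
```

One caveat worth keeping in mind: a one-time code protects against an attacker who only has the password, but a real-time phishing site can relay a code to the genuine login within its validity window. Where phishing is the main threat, an origin-bound method such as FIDO2/WebAuthn is the more robust second factor, because the response is cryptographically tied to the site the user is actually on.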
Increase communication security
Communication within a company and with external parties takes place by email, via chat and, of course, by phone. Social engineering attacks can be carried out over any of these channels, so appropriate guidelines and measures should be defined for each. For telephone contact, call-back procedures have proven effective: instead of disclosing confidential data directly, employees call the caller back on a known, official number taken from an internal directory, never on a number supplied by the caller.
Modern security solutions can also block suspicious messages and emails automatically. Many companies have already deployed AI-supported systems to identify and defend against spear phishing attacks.
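To show what such automated filtering looks like in practice, here is an added example (not code from the original page or from WebID) that scores a raw email with the heuristics a mail filter applies to the phishing pattern described above: a display name that borrows the company brand while the address is foreign, failed SPF/DKIM/DMARC results, a Reply-To pointing elsewhere, a link whose visible text disagrees with its real target or imitates the company domain, and urgent wording. The protected domain (example.com), the keyword list, the score weights and the two sample messages are all constructed for this example.

```python
"""Heuristic phishing triage for one raw e-mail (added example; not code from the page)."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"          # assumed: the protected company's mail domain
BRAND = OUR_DOMAIN.split(".")[0]
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host (naive; a production filter would use the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def looks_alike(host: str, target: str) -> bool:
    """True if host imitates target (digit-for-letter swaps, brand embedded, punycode)."""
    host = host.lower()
    if host == target or host.endswith("." + target):
        return False                    # the real domain or a genuine subdomain
    return "xn--" in host or target.split(".")[0] in host.translate(CONFUSABLES)


def score_message(raw: str) -> dict:
    """Return score, verdict and findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    score, findings = 0, []
    # 1. SPF/DKIM/DMARC results recorded by the receiving MX; anything but pass counts.
    auth = str(msg["Authentication-Results"] or "")
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            score += 2
            findings.append(f"{method}={m.group(1) if m else 'missing'}")
    # 2. Display name borrows the company brand while the address is foreign.
    sender = msg["From"].addresses[0]
    if BRAND in sender.display_name.lower() and sender.domain.lower() != OUR_DOMAIN:
        score += 3
        findings.append(f"brand in display name, sent from {sender.domain}")
    # 3. Replies are steered to a third domain.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender.domain.lower():
            score += 2
            findings.append(f"reply-to {reply_domain}")
    # 4. Links: look-alike hosts, and visible text that disagrees with the real target.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    links = _Links()
    links.feed(body)
    for href, text in links.links:
        host = urlparse(href).hostname or ""
        if looks_alike(host, OUR_DOMAIN):
            score += 3
            findings.append(f"look-alike link host {host}")
        shown = DOMAIN_RE.search(text.lower())
        if shown and registrable(shown.group(0)) != registrable(host):
            score += 2
            findings.append(f"link text {shown.group(0)} points to {host}")
    # 5. Pressure to act now, in subject or body.
    hits = [w for w in URGENCY_WORDS if w in (str(msg["Subject"] or "") + " " + body).lower()]
    score += len(hits)
    findings.extend(f"urgency: {w}" for w in hits)
    verdict = "block" if score >= 6 else "quarantine" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed samples (not real mail): the "IT department" lure from the text, and a genuine notice.
PHISH = """\
From: "Example IT Department" <it-support@examp1e-helpdesk.net>
Reply-To: reset@mail-relay.xyz
To: alice@example.com
Subject: Urgent: password reset required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-helpdesk.net; dkim=none; dmarc=none
Content-Type: text/html

<p>Your account will be suspended. Reset your password immediately at
<a href="https://sso.examp1e.com/login">https://sso.example.com</a>.</p>
"""
LEGIT = """\
From: "Example IT Department" <it-support@example.com>
To: alice@example.com
Subject: Scheduled maintenance on Saturday
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com; dmarc=pass
Content-Type: text/html

<p>The VPN gateway restarts on Saturday. Details:
<a href="https://intranet.example.com/maintenance">intranet.example.com/maintenance</a></p>
"""
```

Running `score_message(PHISH)` returns a "block" verdict with every heuristic firing, while `score_message(LEGIT)` scores zero and is delivered; the findings list is what an analyst would want in the quarantine notice. The weights and thresholds are deliberately simple so the logic is readable; a real deployment would tune them against the organisation's own mail and would treat a DMARC failure on a message claiming to be internal as sufficient on its own.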
Strict access controls and zero trust security
A well-designed role-based authorization model built on a zero-trust architecture also helps to reduce the risk of social engineering attacks. If employees only have access to the company systems they genuinely need for their work, the “gateway” for unauthorized access by criminals is at least narrowed: a single phished account then exposes only what that role can reach.
Clear security guidelines for customers and business partners
External service providers, partner companies and customers are also potential targets of social engineering, which is why external communication should, wherever possible, be conducted exclusively via official contact channels. Companies should also integrate security guidelines into their communication even where they are not legally obliged to do so.
Social engineering is a real danger – but the risks can be (significantly) minimized
Cybercriminals increasingly use psychological manipulation to attack companies and their employees. The best defense is a combination of technical security solutions, trained employees and clear security policies.
Companies that invest in security awareness training, state-of-the-art protective measures and sophisticated and secure identification procedures at an early stage not only minimize their own risk but also strengthen the trust of their customers and business partners.
Preventing Internal Fraud with Know-Your-Employee (KYE)
This white paper explores some of the key challenges faced by HR professionals in the remote hiring process, navigates through the evolution of KYC (Know-Your-Customer) and KYB (Know-Your-Business), and culminates in the significance, benefits, challenges and future implications of KYE in preventing candidate and occupational fraud by means of online identification.
