What is social engineering and what should companies be aware of?
Social engineering is a method in which fraudsters use psychological manipulation techniques to persuade people to reveal confidential information or to take certain actions. They often exploit employees’ natural willingness to help or their trust in authority. Attackers pose as trustworthy persons, such as managers, colleagues or representatives of well-known companies. Even within one’s circle of friends and acquaintances, there is a risk that sensitive data may fall into the wrong hands: in a social media chat, a basis of trust can quickly be established, leading to the unwary sharing of confidential information.
Social engineering methods are many and varied, ranging from phishing e-mails and fake websites to telephone calls or direct personal contact. The perpetrators try to trick their victims into revealing passwords, bank information or other sensitive data. There is also a risk of malicious software being installed.
Often, the attacks are devious, carefully planned and executed over a long period of time. An example of such a long-term social engineering strategy is the ‘out-of-office’ attack: first, key people at a company were identified. When one of these employees was on vacation, he was asked by phone to open a certain document. The document contained malware that infected his computer. Over the course of several months, more computers were infected and the backup jobs were manipulated so that they still ran but no longer backed up any data. The final ransomware attack was a complete success from the attackers’ point of view.
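The backup detail in this account deserves a concrete check, because a backup job that exits successfully but writes nothing is invisible to anyone who only watches job status. The following Python script is an added example, not part of the original article or of any incident described in it. It builds a small constructed source tree, produces a real backup and a hollow one (both returning exit code 0, as a manipulated job would), and runs the independent checks a monitoring job should apply after every run: archive present and non-empty, every source file present, and a restore test comparing SHA-256 hashes of the archived content against the source.

```python
"""Verify that a backup run actually captured data instead of trusting the
job's exit status. Added example; all paths, file names and contents are
constructed for illustration."""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """SHA-256 of a file on disk, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path, members: Optional[List[str]] = None) -> int:
    """Write a tar.gz of `source`. `members` restricts which files go in; an
    empty list simulates a job that 'succeeds' but backs up nothing. Returns 0
    like a job exit status regardless of what was written."""
    if members is None:
        files = sorted(p for p in source.rglob("*") if p.is_file())
    else:
        files = [source / m for m in members]
    with tarfile.open(archive, "w:gz") as tar:
        for p in files:
            tar.add(p, arcname=str(p.relative_to(source)))
    return 0


def verify_backup(source: Path, archive: Path) -> Dict[str, object]:
    """Independent post-run checks: existence, completeness, content integrity.
    Members are hashed straight from the archive stream (no extraction to disk)."""
    problems: List[str] = []
    expected = {str(p.relative_to(source)): p for p in source.rglob("*") if p.is_file()}
    if not archive.exists() or archive.stat().st_size == 0:
        return {"ok": False, "problems": ["archive missing or zero bytes"]}
    with tarfile.open(archive, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        # An empty tar.gz is NOT zero bytes (gzip header plus end-of-archive
        # blocks), so the size check alone would have passed it.
        if not members:
            problems.append("archive contains no files")
        missing = sorted(set(expected) - set(members))
        if missing:
            problems.append(f"{len(missing)} source file(s) absent from archive: {missing}")
        for name, member in members.items():
            src = expected.get(name)
            if src is None:
                problems.append(f"unexpected file in archive: {name}")
                continue
            data = tar.extractfile(member).read()  # restore test in memory
            if hashlib.sha256(data).hexdigest() != sha256_of(src):
                problems.append(f"content mismatch for {name}")
    return {"ok": not problems, "problems": problems}


def demo() -> Dict[str, object]:
    """Build a constructed source tree, then verify a real and a hollow backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "finance"
        (source / "q3").mkdir(parents=True)
        (source / "q3" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (source / "contracts.txt").write_text("constructed sample content\n")
        good, hollow = root / "good.tar.gz", root / "hollow.tar.gz"
        rc_good = make_backup(source, good)
        rc_hollow = make_backup(source, hollow, members=[])  # job "succeeds"
        return {
            "exit_codes": (rc_good, rc_hollow),
            "good": verify_backup(source, good),
            "hollow": verify_backup(source, hollow),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The point of the demo is that both jobs report exit code 0 and both archives have a non-zero size; only the content checks expose the hollow run. In production the verifier should run from a host the backup job cannot write to, and the expected file list should come from an inventory taken independently of the job.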
Our guide for companies:
- Create awareness: Employees should be educated about the various methods of social engineering. These include phishing, pretexting, baiting, and the quid pro quo attack. Example: An employee receives an email that appears to be from the IT department asking them to update their password. Being aware of phishing helps them recognize that the email contains a fake URL.
- Provide training: Regular training can help raise awareness of social engineering tactics and prepare employees for how they should respond. Example: In a training session, a role play is carried out in which an employee learns how to react to phone calls requesting confidential information such as bank details.
- Establish security guidelines: Clear guidelines and procedures for handling confidential information and accessing company systems are essential. Proposed solution: The company introduces a policy under which confidential documents are only shared through secure channels and are never sent by email to external addresses.
- Introduce verification processes: Employees should be instructed to verify identities before disclosing information or granting access. A simple process like this can work wonders. For example, an employee is instructed to always call back when a caller requests sensitive information; this way, the caller’s identity can be confirmed via a known official number.
- Strengthen physical security: Measures such as wearing ID badges and securing access points can help prevent unauthorized access. Installing a barcode or QR code scanner at the entrance to office buildings means that only people with the appropriate access code can enter.
- Use technical protection measures: firewalls, antivirus programs and regular updates can ward off technical attacks, which often go hand in hand with social engineering.
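For the fake-URL case in the first point of the guide, here is a Python detector, added as an example and not the article’s own material, that extracts the links from an HTML message body and flags the mismatches a phishing e-mail typically relies on: visible text naming one domain while the link targets another, targets outside the organisation’s own domains, and a trusted domain name embedded as a subdomain of some other host. The organisation domain `example.com` and both message bodies are constructed for the example; a real deployment would load the trusted domains from configuration and use the public suffix list instead of the two-label shortcut used here.

```python
"""Flag links whose visible text does not match the link target, the classic
'fake URL' in a password-reset phish. Added example; the trusted domain and
the two message bodies are constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Hypothetical organisation domain; in practice load from configuration.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample messages: one phishing body, one legitimate reminder.
PHISH = """<p>Your password expires today. Update it at
<a href="https://example.com.evil-login.net/reset">https://intranet.example.com/reset</a></p>"""
LEGIT = """<p>Reminder: the quarterly security training is at
<a href="https://intranet.example.com/training">https://intranet.example.com/training</a></p>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self._href = None
        self._text: List[str] = []
        self.links: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (sufficient for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> str:
    """Hostname if the visible link text is a URL or bare domain, else ''."""
    candidate = text if "://" in text else "//" + text
    host = urlparse(candidate).hostname or ""
    return host if "." in host else ""


def assess_links(html_body: str) -> List[Dict[str, object]]:
    """Return one finding per http(s) link with the reasons it looks suspicious."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope here
        target_host = (parsed.hostname or "").lower()
        target_domain = registrable_domain(target_host)
        reasons = []
        shown_host = host_of(text)
        if shown_host and registrable_domain(shown_host) != target_domain:
            reasons.append("visible text names a different domain than the link target")
        if target_domain not in TRUSTED_DOMAINS:
            reasons.append("target is outside the organisation's domains")
        for d in TRUSTED_DOMAINS:
            # "example.com.evil-login.net" embeds the trusted name but does not end with it.
            if target_host != d and not target_host.endswith("." + d) and f".{d}." in f".{target_host}.":
                reasons.append("trusted domain name embedded as a subdomain of another host")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, body in (("phish", PHISH), ("legit", LEGIT)):
        for finding in assess_links(body):
            print(label, finding)
```

Run on the phishing sample, the single link is flagged for all three reasons; the legitimate sample produces one finding with no reasons. Checks like these belong in the mail gateway or in a reporting add-in, alongside the awareness training, since a user who has learned to hover over links is still helped by a system that highlights the mismatch for them.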
It is important that your company prioritizes social engineering prevention as a core component of its cyber security plan. By combining technical and human security measures, your company can reduce its vulnerability to these types of attacks. The German Federal Office for Information Security provides further information: Social Engineering – the “Human Factor”