Social engineering - 6 tips on how companies can protect themselves

In social engineering, cyber criminals try to gain the trust of their victims so that they disclose sensitive information such as access data or credit card numbers or make bank transfers. Social engineering is not limited to the Internet, but is a widespread scam: a well-known example is the so-called grandchild trick, in which criminals convince elderly people by phone call that they are relatives and need money immediately due to an emergency.

With the spread of digital means of communication, cyber criminals have a multitude of new opportunities to deceive their victims. The path to being tricked into making bank transfers, disclosing confidential information or installing malware on your device is often just a click away. As a result, cases of social engineering have risen sharply in recent years and are increasingly affecting companies and their employees.

Social engineering is aimed at manipulation on an interpersonal level. Psychological techniques are therefore used to exploit trust, fear, curiosity or other human emotions. Here are some common techniques used in social engineering:

Phishing involves sending fake emails or messages that pretend to come from trustworthy sources, such as a bank or company. The aim is to persuade users to disclose their personal data or click on malicious links.

In this method, the attacker pretends to be a trustworthy person or authority figure in order to obtain information. In the corporate context, this can mean, for example, faking the identity of superiors, colleagues or people who are externally connected to the company in order to gain access to sensitive data.

Here, the attacker lures his victims with something valuable or tempting, such as a USB stick with “secret” information, which is then inserted into a company network and contains malware.

This method involves offering a benefit or reward in exchange for information or action. An example would be a call where the attacker claims to be a technician and offers free IT support, but requires credentials to “help”.

Tailgating involves the attacker sneaking into a secured building by hiding behind an authorized user who enters the building and, for example, kindly asking them to hold the door. Shoulder surfing involves watching users as they enter their passwords or other confidential information.

Companies are a popular target for social engineering attacks, as larger sums can be stolen than from private individuals. The procedure remains the same, although the effort required to obtain the necessary information for a social engineering attack on a company is greater. The following information is particularly relevant for criminals:

• Who is the CEO of the company? Who are the division heads?
• When are individuals from this group on business trips or on vacation?
• Which persons in the company are authorized to execute transfers?
• What current business-related activities are taking place?

Once this information is available, the hacker now targets an employee – usually aperson authorized to make financial transactions. Using a fake e-mail address and in the name of his superior, he now uses insistent words to request information or a bank transfer.

You can protect yourself and your company against social engineering by taking various measures to

– train your employees,

– implement security guidelines and

– strengthen technical security measures.

Here you can see the most important measures in the fight against social engineering:

Train your employees regularly on the risks of social engineering and how to recognize suspicious requests or activities. Training courses, simulations of phishing attacks and regular security briefings are possible.

Establish clear security policies and procedures for handling confidential information, accessing sensitive systems and verifying identities, especially for remote access or unusual requests.

Implement two-factor authentication to make access to systems more difficult. This makes it more difficult for attackers to gain access, even with the respective passwords.

Restrict access to sensitive data and systems to those employees who really need them. This reduces the risk of data leaks or unauthorized access through social engineering attacks.

Use technical security solutions such as firewalls, intrusion detection systems (IDS) and antivirus software to detect and block malware that may be introduced through social engineering attacks. Implement an email security solution that reliably intercepts social engineering attacks via email in advance.

Actively monitor your systems and networks for suspicious activity to detect and respond to anomalies or unusual access before damage occurs. It is important that companies view security as an ongoing process and regularly review and update their security measures to keep up with constantly evolving threats.