Social engineering: how to recognize and prevent targeted manipulation

Cybercriminals use targeted manipulation to gain trust and persuade people to disclose sensitive data or, without realising it, act in the attacker's interest. The aim is to trick selected targets into revealing sensitive information, transferring money to fraudulent accounts, or giving the attackers a way into technical systems or buildings. With convincing pretexts and false identities, they exploit everyday habits such as helpfulness, respect for authority and time pressure rather than technical flaws.

In the following article we will show you how social engineering works, how to better recognize early warning signs and how to avoid common mistakes.

Key points:

  • Share as little as possible about yourself, your employer, current projects, colleagues and contacts on social platforms; attackers use exactly this material to build a credible pretext.
  • Do not hand over sensitive information such as personal data, passwords or other people's contact details to unknown contacts. Take the time to check whether a request is legitimate, ideally by calling back on a number you looked up yourself. Banks and reputable companies do not ask customers to reveal passwords, PINs or full card numbers by email or phone.
  • Trust your instincts and question unusual requests. Report suspicious incidents immediately: in a professional environment to the IT department or security team, in a personal environment to the police or official reporting centres such as the consumer protection agency.

How social engineering works

Social engineering uses psychological manipulation to gain trust and obtain sensitive information or actions. Techniques such as phishing, pretexting and baiting are used to deceive the target and to prepare further attacks. Before making contact, attackers typically research the target's role, contacts and habits from public sources such as company websites, social media and leaked data, so that the pretext fits.

Knowing these methods can help you recognize signs of an attempted fraud in time:


Phishing

Phishing is a widespread method where attackers use fake emails, SMS, or websites to steal sensitive information such as passwords, credit card data, or other personal information. They often pose as trustworthy institutions.


Pretexting

In pretexting, attackers invent a credible story and identity to gain the victim's trust and obtain sensitive information that the victim voluntarily discloses. For example, they pose as bank employees, parcel services, or tech support on the phone and request data or access for an apparently legitimate purpose.


Baiting

Baiting exploits curiosity or greed: attackers lure their victims with an incentive such as a free download, a supposedly leaked document or a USB stick left lying around. The bait carries malware that infects the system when it is opened or plugged in. Unlike phishing, which relies on a spoofed message, baiting relies on the victim picking up the lure themselves.


Tailgating (or Piggybacking)

In this method, attackers gain physical access to protected areas by sneaking into a building unnoticed behind an authorized person.


Vishing (voice + phishing)

Vishing is the telephone variant of phishing: attackers obtain sensitive information or push the victim into an action such as a transfer or a remote-access session over the phone while posing as a trusted person or organisation. Caller ID can be spoofed, so a familiar number on the display proves nothing; hang up and call back on a number you know.


Quid Pro Quo

In this scenario, attackers seemingly offer a service, such as technical support or a contest, and exploit the victim's trust to gain access to information or systems.

These methods illustrate how versatile and creative social engineers are in achieving their goals. Vigilance and healthy scepticism are crucial to protect yourself.


How do social engineers use artificial intelligence?

  • Using voice cloning, they speak in voice messages, phone calls, and video conferences with the voice of a known person.
  • Using text generators, they create fraudulent texts for phishing messages.
  • To prepare attacks, they use AI tools to collect and summarise publicly available information about a target company and its employees, so that tailored pretexts can be produced quickly and at scale.

How to actively protect yourself against social engineering

Pay attention to typical warning signs such as a sense of urgency or unexpected contacts. Always be vigilant and carefully check sender addresses, phone numbers, and content. With a healthy dose of scepticism, you can recognize social engineering attempts early and protect yourself effectively.

  • Stay vigilant: critically question unusual requests, unexpected calls, or emails – especially if they involve requests for confidential information.
  • Report suspicious activity: immediately inform your email provider, the imitated company, or your IT or security department if you notice a possible social engineering attack.
  • Communicate securely: only send sensitive data through channels you have verified, for example encrypted email. On a website, the padlock in the address bar only means the connection to the domain shown is encrypted; phishing sites also use HTTPS, so check that the domain itself is the right one. Always verify that the person requesting something from you is really who they claim to be, using a contact route you already know rather than one given in the message.
  • Use training: stay informed about current fraud schemes and security risks – for example, through trusted media, specialist portals, or official sources. In a corporate environment, internal training and knowledge databases often provide valuable information.
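The checks in the list above can be applied mechanically to a raw email. The following script is an added example, not code from the original article: it parses an RFC 5322 message with Python's standard library and flags an unknown or lookalike sender domain, a Reply-To that points elsewhere, urgency wording, link text that names one domain while the href leads to another, and an HTTPS link whose domain is not trusted (the "padlock does not mean legitimate" point). Both emails, the fictitious bank, the trusted-domain list and the crude domain and lookalike heuristics are constructed assumptions for this example.

```python
# Added example, not from the original article: heuristics that flag the
# warning signs listed above in a raw email. The emails, the fictitious bank
# and the trusted-domain list are constructed for this example.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing mail: lookalike domain ("1" for "l"), foreign Reply-To,
# urgency, and a link whose visible text differs from its real target.
PHISHING_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-secure.com>
Reply-To: helpdesk@mail-reset-now.net
To: customer@example.org
Subject: URGENT: your account will be locked within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Verify your identity immediately or your
account will be suspended.</p>
<p><a href="https://examp1e-bank-secure.com/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed legitimate mail from the same (fictitious) bank.
LEGIT_EMAIL = """\
From: "Example Bank" <info@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is ready in online banking.</p>
<p><a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed: domains the bank really uses
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "locked")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Registrable domain (last two labels) of a URL or bare hostname, else None.
    Good enough for the example; production code needs the public suffix list."""
    try:
        host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    except ValueError:
        return None
    if "." not in host or " " in host:
        return None
    return ".".join(host.lower().split(".")[-2:])


def looks_like(domain, trusted):
    """Cheap lookalike test: digit-for-letter swaps or the trusted name embedded."""
    normalised = domain.replace("1", "l").replace("0", "o")
    return domain != trusted and (normalised == trusted or trusted.split(".")[0] in normalised)


def analyse_email(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings for one RFC 5322 message."""
    msg = message_from_string(raw)
    warnings = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = domain_of(sender.rsplit("@", 1)[-1]) if "@" in sender else None
    if sender_domain and sender_domain not in trusted:
        warnings.append(f"sender domain {sender_domain} is not a known domain")
        if any(looks_like(sender_domain, t) for t in trusted):
            warnings.append(f"sender domain {sender_domain} looks like a trusted domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and domain_of(reply_to.rsplit("@", 1)[-1]) != sender_domain:
        warnings.append(f"Reply-To {reply_to} points to a different domain than the sender")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        warnings.append("urgency wording: " + ", ".join(hits))
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, visible in extractor.links:
        href_domain, shown_domain = domain_of(href), domain_of(visible)
        if shown_domain and href_domain != shown_domain:
            warnings.append(f"link text shows {shown_domain} but leads to {href_domain}")
        if href.startswith("https://") and href_domain not in trusted:
            warnings.append(f"{href_domain} shows a padlock (HTTPS) but is not a trusted domain")
    return warnings


if __name__ == "__main__":
    print(analyse_email(PHISHING_EMAIL), analyse_email(LEGIT_EMAIL))
```

Run stand-alone, the script prints six warnings for the phishing mail and an empty list for the legitimate one. Note what the padlock check expresses: the phishing link is a valid HTTPS URL and would show a padlock in a browser; only comparing the domain against the list of domains the bank really uses exposes it.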


To manipulate their targets, cybercriminals draw on well-known principles of persuasion:

  • Authority: they pose as government officials, superiors or other trusted entities and demand a prompt response.
  • Similarity (liking): they build rapport through alleged common ground with the target, such as a shared employer, hobby or acquaintance.
  • Reciprocity: they offer a favour, a tip or a small gift first, so that the target feels obliged to return it.
  • Scarcity: they push an event or offer that is supposedly available only for a short time, creating pressure to act now.
  • Consistency: the pretext is coherent and understandable, and once the target has agreed to a small first step they tend to stay consistent with it.
  • Consensus: the target is led to believe that the requested behaviour is normal and safe and that others have already complied.

Typical examples of social engineering attacks


Phishing: unexpected contact requests

Attackers pose as acquaintances, employees, head-hunters, influencers, or companies on social media platforms. After establishing seemingly harmless contact and building initial trust, they send fraudulent messages with links – for example, to fake login pages or contests.

Baiting: found USB stick in the stairwell

A USB stick appears to have been forgotten in a shared entrance area or parking lot. Whoever plugs it into their computer out of curiosity may run malware that steals data or encrypts the machine. A prepared device can also present itself as a keyboard and type commands on its own, so even "just looking" at the contents is not safe: hand found devices to IT instead.


Consequences of social engineering: why prevention is crucial

A successful social engineering attack can have serious consequences in both personal and professional settings:

In a personal setting:

  • Identity theft: personal data such as name, address, or date of birth can be misused, for example, for contract conclusions or account openings.
  • Financial losses: fraudsters can gain direct access to accounts or payment services through phishing or fake payment requests.
  • Misuse of personal photos or content: private information can be published, manipulated, or used for extortion.
  • Access to online accounts: attackers gain access to email inboxes, social media accounts, or cloud services and take over digital identities.
  • Loss of trust: affected individuals can feel hurt or exposed, especially if personal contacts are involved.
  • High effort to restore: restoring accounts, data, or reputation can be lengthy and burdensome.

In a professional setting:

  • Financial damage: attacks can be costly due to fraud, data misuse, or technology downtime.
  • Loss of reputation: a security incident can permanently damage the trust of customers and partners.
  • Threat to sensitive business information: internal company information could be misused.
  • Personal impact: employees' private data could be used for identity theft or fraud.
  • Higher protection costs: after an attack, extensive countermeasures are needed, which increases the burden on IT and security teams.

Frequently asked questions about Social Engineering

What should I do if I become a victim of a social engineering attack?

Immediately change all affected passwords, starting with your email account, since it is used to reset the others; enable two-factor authentication where available; inform affected institutions such as your bank or employer; and monitor your accounts for unauthorised activity. Report the incident as described above.

What is social hacking?

Social hacking is another term for social engineering: manipulating people rather than technology to get at information or systems. A simple form is shoulder surfing: approaching a person in a public place to watch or film them entering a password or PIN.