What is social engineering?

From a seemingly harmless text message to a complex phishing campaign - how attackers exploit the weaknesses and trust of employees to achieve their goals.

Social engineering is an important term not only in today's digital world, but also at home. It is about how attackers exploit the weaknesses and trust of people/employees instead of relying on technical tricks and security loopholes to achieve their goals.

New challenges: IT specialists today must not only implement technical security measures, but also develop a deep understanding of the psychological aspects of social engineering. In this article, we will take a closer look at social engineering, clarify what exactly it means and why it is so relevant.

Definition of social engineering

To understand social engineering, it is crucial to clearly define the term: Social engineering refers to getting people to disclose confidential information, perform actions or make decisions that are usually against their own interests or the interests of their organization. Many types of social and psychological manipulation are used. The attacker often wants to exploit the human characteristics of his victim, such as fear, respect for authority figures, trust and willingness to help.

This manipulation can take many forms, from seemingly harmless SMS or messenger messages in which the attacker pretends to be a family member to beg for money from the victim, to the sophisticated infiltration of large corporations through methods such as phishing. Between these two extremes, there is a wide range of tactics and techniques used by attackers to gain access to sensitive data.

Social engineering attacks

According to a G Data CyberDefence AG survey conducted in 2023, 48% of all companies surveyed were attacked by social engineering. These attacks were mainly carried out by telephone or email. In addition, attempts are also made to gain access to internal company data in private environments or professional networks. According to the Federal Ministry for Information and Security, 66% of all spam emails were attempted cyber attacks.1

As already explained in the definition, social engineering attacks can take many forms. In general, they can be divided into two main categories, with a third, less common category:


1. human-based social engineering:
without technical elements



2. computer-based social engineering:
with technical elements



3. reverse social engineering:
victim voluntarily approaches attacker


Nowadays, the two larger categories of human-based and computer-based social engineering are increasingly merging. In the following, the categories most frequently encountered in the business world are explained, and strategies for mitigating these attacks are also outlined.

Phishing is considered the most widespread method of social engineering, and almost everyone has seen at least one phishing email in their inbox. This technique involves a malicious actor sending emails containing malicious attachments or redirecting recipients to dangerous websites.

A wide variety of phishing variants now exist, ranging from classic spam phishing to highly specialized forms such as whaling, spear phishing or even quishing (QR code phishing), to name but a few. Despite its widespread use, the threat of phishing should by no means be underestimated, as well-executed phishing campaigns are often crowned with great success for the attackers. At this point, it is important to realize that it is enough for just one person in the company to fall for a phishing email.

This technique targets individuals who are active on online dating platforms or social media, for example. The attacker creates fake identities by setting up fake profiles in order to befriend the target person over a longer period of time. The attacker then exploits the "basis of trust" built up in this way to trick the victim into installing malware, transferring money or disclosing confidential company information.

To protect yourself from this tactic, it is crucial to create a strong awareness of online security and data protection and to be careful not to disclose personal information and financial details carelessly.

Baiting is a form of social engineering attack in which the attacker makes false promises to trick the victim into revealing personal information or installing malware.

The baiting method is often initiated by enticing ads or emails, which often take the form of offers for free movie downloads, updates, games and the like. If the victim falls for this deception and, for example, enters their password for platforms such as Amazon, the attacker has access to this sensitive data and can misuse it for their own purposes.

Baiting is not limited to the online world; there is also a physical variant where a malware-infected flash drive is given to the victim. As soon as this is connected to the computer, the malware on the drive is automatically installed.

To protect yourself from online baiting, it is strongly recommended that you always keep a critical eye on advertisements and tempting offers. When baiting offline, it is particularly important to never connect flash drives from unknown sources to minimize the risk of malware infection. Raising employee awareness and training in relation to such scams is also recommended.

Diversion theft is a multi-layered cyberattack that originally started offline but is now taking on online variants. This type of attack aims to distract or divert the victim while criminal activity is carried out.

In offline diversion theft, the attacker manipulates physical events. For example, a thief may convince a courier to pick up a package at the wrong location, deliver the wrong package or deliver a package to the wrong recipient. The diversion usually takes place in the real world and the damage can be significant.

In the online version of Diversion Theft, the attacker uses tactics to steal confidential information from his victim. He tricks the user into sending this information to the wrong recipient by cleverly using distractions and misdirection. The attacker often disguises himself as a known or trusted source to deceive the victim. This is often done by spoofing.

To protect against diversion theft, it is crucial to be vigilant and suspicious, especially of unexpected distractions or communications from supposedly trusted sources. Training employees in online safety, implementing strong security policies and raising awareness of the risks of spoofing are essential defenses against this threat.

Pretexting is a form of social engineering in which the attacker invents clever scenarios or pretexts to persuade the target to disclose sensitive data.

The attacker may assume the role of an authority figure (such as lawyers, law enforcement agencies or tax consultants) or pretend to be interested in the target (such as talent scouts or event organizers). In this context, the attacker would explain plausible reasons to the victim and ask targeted questions to gain additional information. This collected data is used to employ other techniques to obtain even more sensitive information or even gain access to the victim's personal accounts.

To protect yourself against pretexting attacks, increased vigilance plays a central role. Above all, this means not disclosing personal or sensitive information carelessly and carefully verifying the identity of people who request such information. Raising employee awareness and training in relation to social engineering are very important here.

Business Email Compromise (BEC) is a sophisticated social engineering tactic in which the attacker cleverly pretends to be a trusted executive who is authorized to direct activities related to a company's financial affairs, for example.

In this attack scenario, the fraudster carefully observes the executive's behavior over an extended period of time and creates a fake email account using spoofing techniques. The attacker then uses this fake identity to send targeted emails to the executive's employees. In these fake messages, recipients are instructed to make bank transfers, change bank details and carry out other financial transactions.

BEC attacks can result in serious financial losses for organizations. Unlike other cyber fraud methods, BEC attacks do not necessarily rely on malicious URLs or malware that can be intercepted by traditional cybersecurity tools such as firewalls or endpoint detection and response (EDR) systems. Instead, BEC attacks are based on intimate knowledge of the victim's personal behavior. This makes them particularly insidious, as they are often more difficult to monitor and detect, especially in large organizations.

The risk of BEC attacks underscores the need for employee training and awareness, as well as the implementation of effective monitoring and security policies to minimize the impact of this fraud method.

The quid pro quo attack is a social engineering tactic in which the attacker pretends to perform a positive service for the victim, often in the context of supposed IT problems to be fixed, such as poor internet connections or security updates.

If the victim responds to this supposedly helpful gesture, the attacker often requests the "necessary" credentials to fix the supposed problem. Once the victim has disclosed this information, the attacker uses it to intercept data or even infect the network with malware. There is also the possibility that the malicious actor will use this access to apply further social engineering techniques with a much better chance of success.

To mitigate this method, a comprehensive knowledge of social engineering is crucial for all employees. In addition, clear guidelines and policies should be established that prohibit the disclosure of login credentials, even to supposed IT support staff.

SMS phishing, also known as smishing, is a form of phishing attack in which the fraudster attempts to trick the victim into following a malicious link via SMS. As this is a special variant of phishing, similar precautions apply as for conventional phishing attacks, which were discussed previously.

Tailgating, also known as "piggybacking", is a physical form of intrusion into company premises. In this method, the attacker often lurks at secured entrances, expecting an employee to open the door with their access credentials, thereby knowingly or unknowingly letting the intruder in. Methods for doing this often include pretending to have forgotten the access chip or similar authorization at home. Alternatively, the attacker can also say in a simple way: "Wait a minute, I need to get in too!" in the hope of enticing the employee to hold the door open for the intruder for a moment.

After a successful intrusion, there are numerous opportunities for the attacker to not only explore the building, but also steal more sensitive documents, compromise the corporate network, attempt to install malware and much more.

To prevent this method of intrusion, it is essential to provide an appropriate level of training and awareness training for all employees, highlighting the dangers.

Social engineering example

Social engineering is not a new phenomenon; deceiving people by pretending to want good things in order to exploit trust has existed since the dawn of civilization. In modern times, however, the acceleration of our communication and, above all, the increase in non-personal communication has brought this type of deception even more to the fore.

A vivid example of social engineering is Robin Sage, a fictional character created in December 2009 by security expert Thomas Ryan. This experiment resembled a honeypot attack. Ryan created several profiles on social media platforms using the fictitious identity and made targeted contacts, primarily with security experts, military personnel, intelligence agencies and defense agencies.

Despite the false profile, Robin Sage received offers for consultancy work from companies such as Google and Lockheed Martin. Over a period of two months, Thomas Ryan managed to obtain email addresses, bank details and even location information of secret military bases.

New trends in social engineering

In its report "The State of IT Security in Germany 2023", the Federal Office for Information Security describes the possibility of using Generative Artificial Intelligence (GKI) in the field of social engineering.1 GKI models designed to generate human-like texts or even voices enable attackers to create even more convincing and customized deceptions.

With CCI, social attacks can be taken to a new level. Malicious actors can create personalized phishing emails, fraudulent phone calls or fake social media profiles based on the individual characteristics of their potential victims. This can make fraudulent activity more difficult to detect and reduce the effectiveness of security training.

The impact of this technology on cyber security requires increased attention and proactive measures. Organizations must constantly update their security infrastructures to be prepared for the advancing capability of CCI in social engineering scenarios. Additionally, it is critical to raise employee awareness of this specific threat to ensure a better defense against such attempts at deception.

Protective measures against social engineering

Attackers use human vulnerabilities in social engineering, such as the desire to solve things quickly and easily in order to achieve their goals. This makes this type of attack particularly difficult to thwart reliably.

To protect against this threat as effectively as possible, a number of protective measures should be implemented:

  • Never share confidential information about your employer or your work, even in private.
  • Reputable companies will never ask for contact information, access data or passwords to be passed on.
  • Always treat strangers with suspicion and a sense of responsibility. Always consider whether your actions could be misused by third parties.
  • Be extremely careful with e-mails. If you suspect that they are not from a reputable source, inform your internal or external security officer immediately.
  • In the event of an urgent reply or other anomalies, you should call your contact to verify whether the email in question actually originated from them.
  • Create a shared awareness of the need to combat social engineering. If an attack occurs, it must be reported immediately. False shame is out of place at this point and management should also communicate this. To err is human, but an undetected attack can be devastating.

Due to its complexity and the human attack vector, social engineering is generally considered to be difficult to defend against one hundred percent in the IT security industry. Nevertheless, the measures discussed in the article and thorough awareness training for all employees can significantly reduce the likelihood of a successful attack.

Frequently asked questions on the topic of "social engineering"

Social engineering attacks do not necessarily have to be extensive, but can also be launched within a few minutes. Furthermore, a successful attack usually opens the door to even more serious attacks.

If you discover that your company has been the victim of a social engineering attack, quick action is crucial - time is precious. Report the incident immediately to your internal security incident response team and don't be afraid to involve your internal and possible external experts to take appropriate action quickly.
If you need external insight, our IT security experts are available for a free initial consultation. We will be happy to help you to evaluate the situation and take appropriate steps.

In the first step, the topic of social engineering is developed in collaboration with the audience. This involves the various types of social engineering and raising awareness of the topic.

Once the foundation for the topic has been laid, a brief description is given of the current threat situation with social engineering and how professionally attackers now operate.

Social engineering is then shown in concrete terms using the example of a phishing attack. The following four attack steps of the "cyber kill chain" are examined

  • Reconnaissance (Reconnaissance)
  • Enumeration (social engineering techniques)
  • Exploitation (execution of attack)
  • Lateral Movement (consolidate access)


Finally, we will talk in detail about countermeasures and how you can better protect yourself against social engineering attacks in the future.


Your journey with OHB Digital Services

1 vgl. Die Lage der IT-Sicherheit in Deutschland 2023: in: Bundesamt für Sicherheit in der Informationstechnik, o. D., https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2023.pdf.


Learn more about our phishing simulations and awareness training.

Discover the possible applications for your company

Arrange an initial meeting now


Current magazine articles on the subject of IT security