Social engineering

Social engineering is the deliberate psychological manipulation of people to make them disclose confidential information or perform security-critical actions, thereby bypassing technical protective measures.

Social engineering is a form of attack that exploits people, the weakest link in the security chain, rather than technology. Attackers manipulate their victims by deliberately exploiting human traits such as helpfulness, trust, deference to authority, fear or time pressure. Even high-quality technical safeguards such as firewalls, encryption or multi-factor authentication are rendered useless once an employee is tricked into revealing credentials, opening a malicious file or approving a fraudulent payment.

It takes many forms: phishing and spear phishing via email, vishing (telephone fraud), smishing (via SMS), pretexting (impersonating a credible identity or situation), CEO fraud or business email compromise, as well as physical variants such as tailgating (slipping through secured doors behind an authorised person) or planting prepared USB sticks (baiting). Attackers frequently combine several channels and use publicly available information from social networks (open source intelligence) to make their attacks credible and precisely tailored to the target.

Effective protection against social engineering is primarily organisational and requires continuous staff awareness training (security awareness), clear processes for verifying instructions and payment approvals, and a security culture in which reporting suspicious incidents is encouraged and free of sanctions. The NIS2 Directive and the German BSI IT-Grundschutz explicitly require training and awareness measures; ISO/IEC 27001 likewise establishes awareness and the management of human-related risks as binding components of an information security management system.

Legal Basis

Art. 21(2)(g) NIS2 Directive (EU) 2022/2555 (cyber hygiene and training); ISO/IEC 27001:2022 Annex A 6.3 (information security awareness, education and training); BSI IT-Grundschutz module ORP.3 (awareness and training)

Practical Example

An accounts clerk receives an email that appears to come from senior management and, citing a confidential acquisition, demands the immediate transfer of EUR 48,000 to a new supplier. The sender name is correct, the tone fits and urgency is stressed. However, because the company has established a mandatory four-eyes principle for payments over EUR 10,000 and a call-back verification using a phone number stored in the system, the clerk calls back the supposed instructor, uncovers the CEO fraud and reports the incident to the information security officer, who then sends a targeted warning to all staff.
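The two controls in this example, the four-eyes rule above EUR 10,000 and a call-back to a number taken from master data rather than from the message, can be encoded as a simple pre-payment check. The following is an added illustration, not preeco's software or code from this page; the directory, IBANs and threshold are constructed sample data, and the rule that a new beneficiary always triggers a call-back is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FOUR_EYES_THRESHOLD_EUR = 10_000  # from the example: above this, two approvers are needed

# Constructed master data. In practice this comes from the ERP/HR system; a phone number
# or IBAN quoted in the payment request itself must never be used for verification.
DIRECTORY = {"ceo@example.com": "+49-30-555-0100"}          # sample, not a real number
KNOWN_SUPPLIER_IBANS = {"DE02120300000000202051"}            # sample IBAN


@dataclass
class PaymentRequest:
    amount_eur: float
    beneficiary_iban: str
    instructor: str                              # claimed identity of whoever ordered it
    callback_number_used: Optional[str] = None   # number the clerk actually dialled
    callback_confirmed: bool = False             # did the instructor confirm on that call?
    approvers: Tuple[str, ...] = ()


def check_payment(req: PaymentRequest) -> List[str]:
    """Return the list of unmet controls; an empty list means the payment may proceed."""
    problems: List[str] = []
    new_beneficiary = req.beneficiary_iban not in KNOWN_SUPPLIER_IBANS
    above_threshold = req.amount_eur > FOUR_EYES_THRESHOLD_EUR

    # Call-back verification: required for a new beneficiary or a large amount (assumption),
    # and only valid when made to the number on file for the purported instructor.
    if new_beneficiary or above_threshold:
        on_file = DIRECTORY.get(req.instructor)
        if on_file is None:
            problems.append("instructor is not an authorised payment instructor")
        elif req.callback_number_used != on_file:
            problems.append("call-back must use the number on file, not one from the message")
        elif not req.callback_confirmed:
            problems.append("instructor did not confirm the payment on call-back")

    # Four-eyes principle: two distinct approvers above the threshold.
    if above_threshold and len(set(req.approvers)) < 2:
        problems.append("four-eyes: two distinct approvers required")

    return problems
```

The scenario from the text (EUR 48,000 to an unknown account, call-back made to the stored number, instructor denies the order) yields two unmet controls and the payment is stopped before any money moves.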

FAQ

Social engineering targets human behaviour rather than technical vulnerabilities. If an employee voluntarily discloses credentials or approves a payment, firewalls, encryption and multi-factor authentication are bypassed. That is why organisational measures and awareness are indispensable.

The most effective approach combines regular awareness training, simulated phishing tests, mandatory verification and four-eyes processes for critical operations, and an open reporting culture. Technical filters (spam and email protection) complement these organisational measures but cannot replace them.

Yes. Art. 21 of the NIS2 Directive requires, among other things, cyber hygiene measures and regular staff training. As social engineering is one of the most common attack vectors, awareness programmes and training are part of the binding risk-management measures for affected entities.
