Bitkom Research, on behalf of the digital association Bitkom, conducted a telephone survey of 1,003 companies in Germany with at least 10 employees and an annual revenue of at least 1 million euros. The results show that 8 out of 10 companies have been affected by data theft, espionage, or sabotage. The survey was conducted between calendar weeks 16 and 24 of 2024.
One of the main risks is employees unknowingly clicking on a dangerous link. For this reason, Kloepfel Group, specializing in procurement and supply chains, has developed a checklist for buyers and supply chain managers to protect against social engineering.
The ABCs of Social Engineering Techniques and How to Identify Them
Baiting
The attacker lures the victim with an attractive offer, often in the form of a free download or a USB stick infected with malware.
Example: A malicious USB stick is placed in a parking lot, hoping that someone will pick it up and insert it into their computer. Be cautious of unknown USB sticks or unusually attractive offers without a clear source.
Impersonation
The attacker pretends to be someone else, often a trusted person such as a colleague or supervisor, to gain access to information or secure areas.
Example: A stranger claims to be a new employee and requests access to the building.
Phishing
Phishing involves using fake emails or websites to steal personal data such as passwords.
Example: An email that appears to be from a bank asks the recipient to enter their account details.
Phishing emails can often be identified by unusual sender addresses, spelling errors, or unexpected requests for personal information.
Pretexting
In pretexting, the attacker fabricates a false identity to obtain confidential information.
Example: Someone calls and pretends to be an IT employee to ask for your password.
Pretexting can be recognized when the caller asks unusual questions or requests information that is not typically shared over the phone.
Quid Pro Quo
This method involves offering something in return for information or access rights.
Example: A caller offers “free technical support” to trick you into revealing login credentials.
Quid Pro Quo attacks can be identified when someone requests personal or security-related information in exchange for a supposed service.
Spear Phishing
A targeted form of phishing where the attacker focuses on a specific person and uses a personalized message to gain the victim’s trust.
Example: An email appearing to be from the CEO instructs an employee to click on an attachment or share confidential information.
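The indicators named above for phishing and spear phishing (an unusual sender address, an unexpected request for personal data or credentials, a "CEO" message pressing an employee to act) can be turned into a simple scoring heuristic that a mail gateway or a helpdesk triage script runs before a human looks at the message. The following Python is an added example written for this page, not code from Kloepfel Group or from the original checklist. The trusted-domain list, the keyword patterns, the threshold and the three sample messages are constructed assumptions; a real deployment would tune them to the organisation's own domains and language.

```python
"""Heuristic phishing-indicator scorer (added example, not the checklist's own code).

Scores a raw email against the indicators the checklist names: an unusual or
look-alike sender domain, a Reply-To that points elsewhere, a display name
claiming an executive role from an external domain, a request for credentials
or account data, and urgency language. Trusted domains and samples are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
import re

# Domains the organisation and its bank really send mail from (constructed).
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}

CREDENTIAL_WORDS = re.compile(
    r"\b(password|passcode|login|account (details|number)|credentials|pin|iban)\b", re.I)
URGENCY_WORDS = re.compile(
    r"\b(immediately|urgent|within the hour|right away|today|asap)\b", re.I)
# Display name claiming a senior role, as in the spear-phishing example above.
EXECUTIVE_ROLE = re.compile(r"\b(ceo|cfo|managing director)\b", re.I)

SUSPICIOUS_THRESHOLD = 2  # assumed: two or more indicators => hold for review


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]  # registrable label, e.g. "bank-example"
        if edit_distance(domain, trusted) <= 2 or label in domain:
            return trusted
    return None


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw: str) -> dict:
    """Return {'flags': [...], 'score': n, 'verdict': 'ok' | 'suspicious'} for one raw email."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    flags = []
    if sender_domain not in TRUSTED_DOMAINS:
        flags.append("untrusted-sender-domain")
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"lookalike-domain:{imitated}")
    if EXECUTIVE_ROLE.search(display) and sender_domain not in TRUSTED_DOMAINS:
        flags.append("executive-role-external")
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("reply-to-mismatch")
    if CREDENTIAL_WORDS.search(text):
        flags.append("requests-credentials")
    if URGENCY_WORDS.search(text):
        flags.append("urgency")

    score = len(flags)
    return {"flags": flags, "score": score,
            "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "ok"}


# Constructed sample messages (not real mail).
SAMPLE_BANK = """From: "Bank Example Customer Service" <service@bank-examp1e.com>
To: buyer@example-corp.com
Subject: Verify your account immediately

Please enter your account details and password at the link below today.
"""

SAMPLE_CEO = """From: "Marc Example (CEO)" <marc.example@example-corp-mail.net>
Reply-To: ceo.office@freemail-example.net
To: buyer@example-corp.com
Subject: Confidential supplier payment

I need you to open the attached invoice right away and send me the supplier list.
"""

SAMPLE_OK = """From: "Anna Buyer" <anna.buyer@example-corp.com>
To: buyer@example-corp.com
Subject: Meeting notes

Attached are the notes from Tuesday's supplier review.
"""

if __name__ == "__main__":
    for name, sample in [("bank", SAMPLE_BANK), ("ceo", SAMPLE_CEO), ("ok", SAMPLE_OK)]:
        print(name, score_message(sample))
```

The scorer is deliberately conservative: a single indicator (a supplier writing from an unfamiliar domain, or a colleague writing "urgent") does not trip it, while the combinations the checklist describes, a look-alike bank domain asking for account details, or an external "CEO" with a foreign Reply-To pressing for immediate action, do. The verdict is meant to route the message to the verification step the countermeasures section calls for, not to replace it.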
Tailgating
Tailgating occurs when someone attempts to enter a secure area without their own access card or authorization.
Vishing
Vishing (voice phishing) is a technique where fraudsters attempt to obtain sensitive information such as passwords or bank details over the phone.
Example: A scammer pretends to be a bank employee and asks for your account information.
So-called “grandparent scams,” where fraudsters use shock calls to manipulate victims into transferring money, also fall into this category. If an unexpected caller requests confidential information or exerts strong pressure, it is best to hang up.
Watering Hole
In this technique, the attacker compromises a frequently visited website to spread malware or collect data.
Example: A popular industry website is infected so that visitors unknowingly download malicious software.
Watering Hole attacks can be detected by virus warnings or unusual behavior on trusted websites.
Countermeasures Against Social Engineering
To protect against social engineering attacks, clear communication rules should be in place to ensure that suspicious requests are always verified.
Access to sensitive information should only be granted through strong security measures such as multi-factor authentication and secure passwords.
A good monitoring system helps detect and report suspicious activities quickly.
Regular security audits and training for all involved parties, including suppliers, ensure that everyone is aware of the risks and works together to prevent attacks.
Companies should appoint IT security consultants or security officers to effectively implement these protective measures.
Marc Kloepfel, CEO of Kloepfel Group, advises:
“With a high number of suppliers, as is common in supply chains with numerous key suppliers, the risk of cyberattacks increases significantly. Therefore, it is essential that procurement is comprehensively secured against cyber threats. This includes implementing strict security protocols and regularly reviewing IT security at all suppliers to ensure the integrity of the entire supply chain and minimize the risk of cyberattacks.”
Contact:
Kloepfel Group
Damir Berberovic
Tel.: +49 211 941 984 33 | Email: rendite@kloepfel-consulting.com