Social Engineering Attacks: Why Your Employees Are the Target

The Attack That Firewalls Cannot Stop

Your company can have the best firewall, encrypted communications, two-factor authentication on every account, and a website built with security best practices. None of that matters if an attacker can call your receptionist, pretend to be from the IT department, and get them to read out a verification code. Or walk into your office behind an employee who holds the door open. Or leave a USB drive labeled "Salary Report Q3" in the parking lot.

Social engineering is the practice of manipulating people into giving up confidential information or performing actions that compromise security. It targets human psychology rather than technical vulnerabilities. And it works with alarming consistency, particularly against small and medium businesses, where security processes are often informal or nonexistent.

The numbers back this up. According to the 2023 Verizon Data Breach Investigations Report, the human element (errors, misuse, stolen credentials and social engineering) is involved in 74% of the breaches analysed. Social engineering is the initial access vector in a significant share of these incidents. Attackers choose it because it is effective, cheap, and scalable.

Social Engineering vs Technical Phishing

Before we go further, let us clarify the distinction. Phishing (which we cover in detail in our article on business email phishing) is a specific type of social engineering that uses fraudulent emails, messages, or websites to trick people into revealing credentials or installing malware. It is largely automated and cast wide: the same message goes to thousands of recipients.

Social engineering, in the broader sense, includes phishing but also encompasses attacks that are more personal, more targeted, and often conducted in person or over the phone. An attacker who researches your company on LinkedIn, identifies the finance manager by name, calls the office pretending to be a supplier, and convinces an employee to redirect a payment is performing social engineering. The technical sophistication is near zero. The psychological sophistication is high.

This distinction matters because businesses that protect themselves against phishing emails (with spam filters, link scanners, and email authentication) can still be completely vulnerable to a well-crafted phone call or an in-person manipulation.

The Core Techniques

Pretexting

Pretexting is the most elaborate form of social engineering. The attacker creates a fabricated scenario (a "pretext") and assumes a false identity to extract information from the target. The pretext gives the target a plausible reason to share information or take an action they would not otherwise share or take.

Example scenarios that work against businesses:

  • The IT support call: An attacker calls an employee, claims to be from the company's IT provider or help desk, and asks them to install remote access software or share login credentials to "fix an urgent problem." The urgency is manufactured to prevent the employee from verifying the caller's identity.
  • The new employee: An attacker calls the finance department, claims to be a recently hired employee who has not yet received their login credentials, and asks for help accessing a system "just this one time."
  • The vendor verification: An attacker emails the accounts payable team, impersonating an existing vendor, and requests that future payments be sent to updated bank details. This is one of the most common forms of business email compromise (BEC), a category of fraud that costs businesses billions globally every year.
  • The executive request: An attacker impersonates the CEO or CFO (often using a slightly different email address or a spoofed phone number) and instructs an employee to make an urgent wire transfer. The instruction is timed for when the executive is known to be traveling or unavailable for verification.

What makes pretexting effective is preparation. Attackers research their targets. They know names, job titles, organizational structures, vendor relationships, and recent company events. LinkedIn, company websites, press releases, and even social media posts provide all the information needed to construct a convincing pretext.

Baiting

Baiting uses the promise of something desirable to lure a victim into a trap. The "bait" can be physical or digital.

Physical baiting: The classic example is a USB drive left in a public area, the company parking lot, the lobby, or the restroom. The drive is labeled with something enticing: "Confidential," "Salary Report," "Restructuring Plan." Human curiosity does the rest. Once an employee plugs the drive into a work computer and opens one of the files on it, or once a drive that is really a keystroke-injecting device disguised as storage starts typing commands, the attacker has a foothold on the corporate network. Modern operating systems no longer run programs from removable media automatically, which is why the payload is usually a document or shortcut that invites a click.

You might think this is too obvious to work. Studies suggest otherwise. A University of Illinois experiment dropped 297 USB drives across a campus. 48% of them were plugged into computers, and 68% of the people who did so took no precautions before opening files. There is no reason to expect a typical office, with less security awareness than a university, to do better.

Digital baiting: Free software downloads, pirated content, or fake tools that contain malware. An employee searching for a free PDF converter or a cracked version of a software tool may download a trojanized application that looks legitimate but includes a backdoor.

Tailgating (Piggybacking)

Tailgating is physical social engineering. The attacker follows an authorized person through a secured door or entrance without using their own credentials. They might carry a box of supplies, pretend to be on a phone call, or simply walk close behind the authorized person and say "thanks" as they hold the door.

In small offices, which are common for businesses in Lugano and across Ticino, tailgating is trivially easy. Many small companies do not have electronic access control at all. Those that do often have a culture of holding the door for others because it feels rude not to. An attacker in business casual clothing who walks in with confidence will rarely be challenged.

Once inside, the attacker has physical access to workstations, printers (which often store documents in memory), network jacks, and unlocked computers. They can install hardware keyloggers, photograph sensitive documents, or simply sit at an empty desk and plug in a laptop.

Vishing (Voice Phishing)

Vishing uses phone calls instead of emails to extract information. The attacker calls the target, assumes a convincing identity, and uses conversational manipulation to get what they need.

Vishing is effective because phone conversations create psychological pressure that emails do not. When someone is talking to you in real time, there is social pressure to respond, to be helpful, to not seem suspicious or unhelpful. Email gives you time to think, to consult a colleague, to verify. A phone call demands an immediate response.

Common vishing scenarios:

  • Bank verification: "This is your bank calling. We have detected unusual activity on your business account. To verify your identity, please confirm your account number and the last transaction."
  • Tax authority: "This is the cantonal tax office. There is a discrepancy in your company's tax filing. We need your company registration number and the name of your accountant to resolve this."
  • Technical support: "I am calling from Microsoft. We have detected that your computer is sending suspicious traffic. I need to help you run some diagnostic tools." (The "diagnostic tools" are remote access software.)

Caller ID can be spoofed. The number displayed on your phone can be made to show the actual phone number of your bank, your IT provider, or any other organization. This makes vishing attacks far more convincing than many people realize.

Quid Pro Quo

In quid pro quo attacks, the attacker offers something in exchange for information. It is a variation of baiting but involves a direct exchange rather than a passive lure.

Example: An attacker calls employees at a company, posing as a researcher conducting a "cybersecurity survey." In exchange for five minutes of the employee's time and answers to a few questions (which include questions about internal systems, software used, and security practices), the attacker offers a gift card or entry into a prize draw. The employee sees a harmless survey and a free reward. The attacker gets a detailed map of the company's technical infrastructure.

Why Small Companies Are Particularly Vulnerable

Large corporations have formal security protocols, badge access systems, security teams, and regular training programs. Small and medium businesses, especially in tight-knit business communities like Lugano and Ticino, have several characteristics that make them easier targets:

  • Trust culture: In a small company, everyone knows everyone. New faces are unusual but not alarming. A friendly stranger asking for the office manager by first name is not suspicious; it is assumed they are a client or a supplier's new representative. This high-trust environment is wonderful for business relationships and terrible for security.
  • No formal visitor process: Many small offices do not have a reception desk, visitor logs, or badge requirements. People walk in and out freely. There is no one whose job it is to challenge unknown visitors.
  • Multi-role employees: In a small company, the person who handles accounting also manages the website, deals with suppliers, and occasionally covers reception. They are busy and distracted, making them more susceptible to social engineering pressure. They also have broader system access than a role-specific employee in a larger organization.
  • No security awareness training: Most SMEs do not conduct formal security awareness training. Employees have never been told about pretexting, vishing, or tailgating. They have never practiced responding to a suspicious request. The first time they encounter a social engineering attack is the real thing.
  • Authority-based culture: In many Swiss SMEs, employees are conditioned to follow instructions from management without questioning. When an attacker impersonates the CEO and issues an urgent instruction, employees comply because they have been trained to comply with authority.

Real Scenarios from Swiss Business Context

These are not hypothetical. These patterns have played out against businesses in Switzerland:

A Ticino-based trading company received a phone call from someone claiming to be from their bank. The caller knew the company name, the account manager's name, and recent transaction amounts. They asked the finance officer to "confirm" a pending transfer by providing a verification code that had been sent to the company's registered phone. The finance officer provided the code, which the attacker used to authorize a fraudulent transfer.

An architect firm in a shared office building had no access control beyond a front door code that was shared among all tenants. An attacker entered the building, found the firm's office unlocked during lunch, and spent fifteen minutes photographing project documents and copying files from an unlocked workstation to a USB drive.

A manufacturing company received an email from what appeared to be a long-standing supplier, informing them that the supplier's bank account had changed. The email came from a domain that differed from the supplier's actual domain by one character. The company updated the payment details and sent two months of payments to the fraudulent account before discovering the deception.

In each case, the technical security of the company was not breached. The attackers went around the technology by targeting the people.
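The third scenario above, the supplier domain that differs from the real one by a single character, is the one part of these cases that a machine can flag before a human acts on it. What follows is an added example, not code from the original article or from the firm that wrote it: a small standard-library Python check that compares the sender's domain against an allowlist of suppliers the company already pays, folds digit-for-letter swaps, accented characters and punycode into a common form before measuring edit distance, and holds any message that also mentions a change of bank details. The vendor domains, sender addresses and message bodies are constructed for the example; the confusable-character table and the phrase list are assumptions and are not complete.

```python
"""Lookalike-supplier-domain check for inbound accounts-payable mail.
Added example, not part of the original article. The allowlist, sample
messages, phrase list and confusable table are all constructed."""
import unicodedata

# Constructed allowlist: domains the accounts-payable team already pays.
KNOWN_VENDOR_DOMAINS = {"alpinemetals.ch", "rossi-forniture.it", "ticinolog.ch"}

# Assumed table of visually confusable swaps seen in registered lookalikes.
# Multi-character swaps go first. Both the known domain and the candidate
# pass through the same mapping, so it only has to make confusables collide.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l", "5": "s"}

# Assumed phrases that signal a request to change where money is sent.
PAYMENT_CHANGE_PHRASES = ("new bank", "bank account", "iban", "updated payment",
                          "payment details", "account number")


def _decode_label(label: str) -> str:
    """Decode a punycode (xn--) label to Unicode; keep it raw if malformed."""
    try:
        return label.encode("ascii").decode("idna") if label.startswith("xn--") else label
    except UnicodeError:
        return label


def normalize(domain: str) -> str:
    """Fold a domain so 'alpinemeta1s', 'alpinemetäls' and 'alpinemetals' compare equal."""
    labels = [_decode_label(l) for l in domain.strip().lower().split(".")]
    folded = unicodedata.normalize("NFKD", ".".join(labels))
    folded = "".join(c for c in folded if not unicodedata.combining(c))  # drop accents
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return (verdict, matched_vendor) with verdict 'known', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    for k in known:
        if domain == k or domain.endswith("." + k):
            return "known", k  # exact match or a genuine subdomain of a known vendor
    folded = normalize(domain)
    best = None
    for k in known:
        dist = edit_distance(folded, normalize(k))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, k)
    if best:
        return "lookalike", best[1]
    # Known brand used as a label inside an unrelated domain,
    # e.g. alpinemetals.ch.invoice-portal.com
    labels = domain.split(".")
    for k in known:
        if k.split(".")[0] in labels:
            return "lookalike", k
    return "unknown", None


def triage_vendor_email(sender: str, body: str) -> dict:
    """Decide whether accounts payable may act on a message ('ok'), must look
    at it ('review'), or must hold it for out-of-band verification ('hold')."""
    verdict, match = classify_sender(sender)
    text = body.lower()
    payment_change = any(p in text for p in PAYMENT_CHANGE_PHRASES)
    reasons = []
    if verdict == "lookalike":
        reasons.append(f"sender domain resembles known vendor {match}")
    elif verdict == "unknown":
        reasons.append("sender domain is not on the vendor allowlist")
    if payment_change:
        reasons.append("message asks to change payment details")
    # A payment change is held even from a known domain: the vendor's own
    # mailbox may be compromised, so the phone call on a known number is mandatory.
    if payment_change or verdict == "lookalike":
        action = "hold"
    elif verdict == "unknown":
        action = "review"
    else:
        action = "ok"
    return {"sender": verdict, "vendor": match, "action": action, "reasons": reasons}


if __name__ == "__main__":
    samples = [  # constructed messages
        ("invoices@alpinemetals.ch", "Attached is invoice 4412 for March."),
        ("invoices@alpinemeta1s.ch", "Please note our new bank account for all future payments."),
        ("billing@rossi-fornlture.it", "Our IBAN has changed, see the attached letter."),
        ("ap@alpinemetals.ch.invoice-portal.com", "Your statement is ready."),
        ("sales@unrelated-company.ch", "Introducing our new catalogue."),
    ]
    for sender, body in samples:
        r = triage_vendor_email(sender, body)
        print(f"{r['action']:6} {sender:40} {'; '.join(r['reasons'])}")
```

Run as a script it prints the triage decision for each constructed message. A "hold" means calling the supplier on a number already on file, never one taken from the message itself; the check is an aid to the verification procedure described later in this article, not a substitute for it, and the edit-distance threshold of 2 is a starting point that a real deployment would tune against its own allowlist.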

Building a Human Firewall

The term "human firewall" refers to employees who are trained to recognize, resist, and report social engineering attempts. Building this firewall requires three elements: awareness, procedures, and culture.

Security Awareness Training

Every employee needs to know what social engineering looks like. Training should cover:

  • Recognition: What are the signs of a social engineering attempt? Urgency, authority pressure, unusual requests, requests for information that should not be shared over the phone, offers that seem too good to be true.
  • Verification: How to verify the identity of a caller or visitor. Never use the contact information provided by the caller. Look up the organization's number independently and call back. Never read a one-time code or password to anyone who calls you; a legitimate bank or IT provider does not ask for one.
  • Reporting: What to do when you suspect a social engineering attempt. Who to contact, how to document the interaction, what information to record.
  • Practice: Simulated social engineering exercises. Just as fire drills prepare employees for fires, social engineering simulations prepare them for manipulation attempts. Run simulated vishing calls, send simulated phishing emails, and test physical security with authorized tailgating attempts.

Training should be regular, not annual. Quarterly sessions of 20-30 minutes, focused on specific techniques, are far more effective than a yearly two-hour seminar that employees forget within a week.

Clear Procedures

Employees need clear, simple procedures for common scenarios:

  • Verification of payment changes: Any request to change bank details for a supplier or partner must be verified through a separate communication channel, using contact details already on file rather than anything in the request itself. If the request comes by email, verify by phone using a known number. If it comes by phone, verify by email or in person.
  • Information sharing policy: Define what information can and cannot be shared over the phone. Account numbers, passwords, verification codes, employee personal details, client information, and internal system details should never be shared with unverified callers.
  • Visitor management: Even in a small office, implement a basic visitor process. Visitors should be greeted at the door, asked who they are meeting, and accompanied while in the office. Unaccompanied strangers should be politely challenged.
  • USB policy: Found USB drives should never be plugged into work computers. They should be given to whoever manages IT security. If your company finds USB drives on its premises, treat it as a potential attack, not as someone's lost property.
  • Escalation path: Employees should know exactly who to contact when something feels wrong. "When in doubt, ask" should be the policy. No one should be punished for taking the time to verify a request, even if it turns out to be legitimate.

Security Culture

Procedures only work if the culture supports them. Building a security-aware culture means:

  • Leadership sets the example: If the CEO or owner bypasses security procedures ("just let them in, I know them"), employees will do the same. Security rules must apply to everyone equally.
  • No blame for reporting: If an employee falls for a social engineering attack and reports it immediately, the response should be support and remediation, not punishment. Punishing people for honest mistakes guarantees that future incidents will be hidden rather than reported.
  • Rewarding vigilance: When an employee successfully identifies and reports a social engineering attempt, recognize it publicly (with their permission). This reinforces that security awareness is valued.
  • Regular communication: Share anonymized examples of social engineering attempts (whether they succeeded or were caught) in team meetings or company communications. Keeping social engineering visible keeps employees alert.

Practical Defense Checklist

Here is a concrete list of actions you can take this month:

  1. Conduct a 30-minute training session covering pretexting, vishing, and baiting. Use real examples from your industry.
  2. Establish a payment change verification procedure. Write it down. Make sure everyone in finance knows it.
  3. Define an information sharing policy. List specifically what can and cannot be shared over the phone.
  4. Implement a visitor process, even if it is just "greet people at the door and ask who they are here to see."
  5. Test your team. Have someone (an external consultant or a trusted contact your team does not know) attempt a vishing call or a tailgating attempt. See what happens. Use the results as a training opportunity.
  6. Set up a reporting channel. An email address, a Slack channel, a physical logbook. Something simple where employees can report suspicious interactions.
  7. Run a simulated phishing test. Send a realistic-looking phishing email to all employees and track who clicks. Follow up with individual coaching, not with blame.
  8. Schedule quarterly refresher sessions. 20 minutes each, one topic per session. Keep it focused and practical.

If you need help designing a security awareness program for your team, or if you want to run a controlled social engineering test against your organization, contact our team in Lugano. We work with businesses across Ticino and Switzerland to build the human layer of defense that technology alone cannot provide.

The Bottom Line

Social engineering targets the one vulnerability you cannot patch with a software update: human behavior. Your employees are not the weakest link by nature. They become the weakest link through lack of training, unclear procedures, and a culture that does not prioritize security awareness.

Every minute you invest in building your human firewall is a minute saved from the aftermath of a successful attack. And unlike technology solutions, training your people does not require a budget for new software. It requires time, attention, and consistency. For a broader view of how to protect your business, see our complete cybersecurity guide for SMEs.
