Elementary Threat · BSI IT-Grundschutz

G 0.42 — Social Engineering

5 min read · Reviewed by: Cenedril Editorial
Mapped controls: A.5.14, A.5.16, A.5.19, A.5.21, A.5.29, A.6.3, A.6.5, A.8.1, A.8.2, A.8.3, A.8.18, A.8.30 · Frameworks: BSI IT-Grundschutz, ISO 27001, ISO 27002

The phone rings in the IT department. The caller introduces himself as a new employee from the branch office who urgently needs access to the ERP system — his laptop isn’t configured yet and his manager has an important presentation tomorrow. The voice sounds stressed, the story is plausible. Five minutes later, the “new colleague” has full system access — and he has never worked for the company.

Social engineering attacks the point where technical security measures end: the human being. The BSI lists the method as elementary threat G 0.42.

What’s behind it?

Social engineering is the targeted manipulation of people to gain unauthorised access to information, accounts or actions. The method exploits basic human traits: helpfulness, trust, respect for authority, fear of consequences and the desire to be cooperative.

The attacks follow a psychological playbook. Attackers create artificial time pressure, invoke authority figures, build a trust relationship over multiple contacts or play deliberately on fear and uncertainty. The methods are often multi-stage: information from an earlier attack serves as a credibility signal for the next.

Attack methods

  • Phishing — fake emails that lure victims into entering credentials on replica websites. Spear phishing targets specific individuals and references personal details (manager’s name, current projects).
  • Vishing (voice phishing) — phone calls in which the attacker poses as IT support, a manager or an external authority. Direct human contact raises the pressure considerably.
  • Pretexting — the attacker constructs a complete scenario (the pretext) and poses as a trustworthy person over a longer period. Information from social media, the company’s imprint (legal notice page) or annual reports supplies the material.
  • Baiting — prepared USB sticks, fake software downloads or seemingly useful tools that contain malware.
  • Tailgating — physical entry into secured areas by simply slipping through the door behind an authorised employee.

Impact

Social engineering is often the entry point for far bigger attacks. A compromised credential can open the door to data theft, ransomware, financial fraud or industrial espionage. The actual scale of damage often only becomes visible weeks after the initial attack, once the attacker has expanded their foothold in the network.

Practical examples

CEO fraud by email. The accounting department of a mid-sized company receives an email that looks like a message from the managing director. The content: a confidential acquisition is imminent, a down payment must be transferred immediately — absolute confidentiality, inform no one. The sender address differs from the real one by just one letter. The transfer of 180,000 euros is executed before anyone becomes suspicious.
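The sender address in the CEO-fraud example differs from the genuine one by a single character, which is exactly the kind of deviation a mail gateway or a SOC triage script can test for mechanically. The following is an added example, not code from the original page or from Cenedril: it parses a From header, normalises common homoglyph tricks (digit-for-letter swaps, Cyrillic look-alikes, "rn" for "m"), and flags domains that are within a small edit distance of a trusted domain, that embed it as a prefix, or that pair an executive's display name with an external mailbox. The trusted domain `example-gmbh.de`, the executive name and all sample headers are constructed for the example.

```python
"""Lookalike-sender check for CEO-fraud style emails.

Added example (not part of the original page). The trusted domain, the
executive name and all sample From headers below are constructed.
"""
import unicodedata

TRUSTED_DOMAINS = {"example-gmbh.de"}      # constructed; use your own domains
EXECUTIVES = {"anna beispiel"}             # constructed; names worth impersonating

# Characters attackers substitute to imitate a legitimate domain.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
})


def normalise(domain: str) -> str:
    """Lower-case, fold Unicode compatibility forms, undo common swaps."""
    d = unicodedata.normalize("NFKC", domain.strip().lower()).translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header_value: str) -> tuple[str, str]:
    """Split 'Display Name <user@domain>' or a bare address into (name, address)."""
    value = header_value.strip()
    if value.endswith(">") and "<" in value:
        name = value[: value.rfind("<")].strip().strip('"')
        addr = value[value.rfind("<") + 1 : -1]
    else:
        name, addr = "", value
    return name, addr.strip().lower()


def classify(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> tuple[str, str]:
    """Return (verdict, reason) for one From header.

    Verdicts: trusted, lookalike, impersonation, external.
    """
    name, addr = parse_from(header_value)
    domain = addr.rsplit("@", 1)[-1]
    if domain in trusted:
        return "trusted", f"{domain} is on the trusted list"
    norm = normalise(domain)
    for t in trusted:
        tn = normalise(t)
        if norm == tn:
            return "lookalike", f"{domain} normalises to {t} (homoglyph or character swap)"
        if t in domain:
            return "lookalike", f"{domain} embeds the trusted domain {t}"
        dist = levenshtein(norm, tn)
        if dist <= max_distance:
            return "lookalike", f"{domain} is {dist} edit(s) away from {t}"
    if name.lower() in EXECUTIVES:
        return "impersonation", f"display name '{name}' matches an executive but {domain} is external"
    return "external", f"{domain} is not similar to a trusted domain"


# Constructed sample headers, one per pattern the check is meant to catch.
SAMPLE_HEADERS = [
    "Anna Beispiel <anna.beispiel@example-gmbh.de>",          # genuine
    "Anna Beispiel <anna.beispiel@exarnple-gmbh.de>",         # rn instead of m
    "anna.beispiel@examp1e-gmbh.de",                          # digit 1 for letter l
    "it-support@example-gmbh.de.login-check.test",            # trusted domain as prefix
    "Anna Beispiel <anna.beispiel@webmail.test>",             # executive name, external mailbox
    "orders@supplier.test",                                   # ordinary external sender
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = classify(header)
        print(f"{verdict:<14} {header}\n{'':<14} {reason}")
```

The edit-distance threshold and the homoglyph table are deliberately small; a production filter would also consult SPF/DKIM/DMARC results and a list of domains the organisation legitimately exchanges mail with, because near-identical names such as a subsidiary's domain will otherwise be flagged on every message.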

Multi-stage attack via the secretary’s office. Over several weeks, an attacker calls the reception regularly and asks harmless questions about events, holiday schedules and the organisational chart. With each call he picks up another detail. Finally he calls the IT department, gives the managing director’s name, his current business trip and the internal project — and gains access to the email account.

Fake service technicians. Two people appear in the uniform of a telecommunications provider and claim they need to fix a fault on the phone system. Reception lets them through without further questions. In the basement they install a hardware keylogger on the server and leave the building after 20 minutes.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 12 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.42 with the following modules:

  • ORP.3 (Awareness and training on information security) — awareness programmes as the central countermeasure.
  • ORP.2 (Personnel) — personnel measures at hiring and exit, background checks.
  • OPS.2.3 (Use of outsourcing) — security requirements for external service providers.
  • NET.4.1 (Telecommunications systems) — safeguarding telecommunications systems against vishing.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.14 Information transfer
  • A.5.16 Identity management
  • A.5.19 Information security in supplier relationships
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.29 Information security during disruption
  • A.6.3 Information security awareness, education and training
  • A.6.5 Responsibilities after termination or change of employment
  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.3 Information access restriction
  • A.8.18 Use of privileged utility programs
  • A.8.30 Outsourced development

Frequently asked questions

What distinguishes social engineering from ordinary fraud?

Social engineering deliberately exploits psychological mechanisms (helpfulness, time pressure, deference to authority) to get people to take actions they would never carry out in calmer moments. The methods are systematic, often multi-stage and tailored to the target organisation.

Does awareness training really help against social engineering?

Training alone does not eliminate the risk, but it measurably reduces the success rate of attacks. What matters is that training is practical (simulated phishing campaigns, realistic scenarios) and is repeated regularly. Technical controls are needed in addition, so they still take effect even when an employee falls for the attack.

Can experienced IT professionals also fall for social engineering?

Yes. Social engineers adapt their tactics to the target group. IT professionals are often approached with a fabricated technical problem under time pressure. Particularly for well-informed targets, attackers invest in building a trust-based relationship over multiple contacts.