Hackers use psychological tricks, telling their victims heart-rending stories, putting them under time pressure or intimidating them with authoritarian behavior. As communication channels they use not only email but also faxes, personal conversations or phone calls (vishing). Security specialist Chris Kirsch demonstrated an example of a successful telephone attack in a video by reconstructing a phone call with a genuine company, which won him a social engineering competition at the 2015 DEF CON hacker conference.

In the summer of 2017 the German Federal Office for Information Security (BSI) issued an explicit warning against criminals claiming to be company executives and instructing employees to transfer large sums of money to foreign bank accounts.
According to this, around € 75 million in damages were incurred by the German economy in 2016. Victims of such a CEO fraud using fake emails included automotive supplier Leoni and messaging app provider Snapchat.
In the latter case, for example, a payroll clerk issued a current salary list after receiving a phishing email posing to be from the CEO.

The more detail the attacker has unearthed about his victim(s) beforehand, the greater the likelihood that the hack will be a success. For example, in two studies in 2014 and 2017, German security researchers sent emails with a link and similar content to students. The only difference was the salutation. In the case of personalized emails, 56 percent of recipients clicked on the link, and only 20 percent of the non-personalized emails. Thanks to social media like Facebook and Twitter, social engineering attacks today can be targeted much easier and more precisely than before.

However,  social engineering also works without personal contact between hacker and victim, however. By USB stick, for example. When researchers around the Google security expert Elie Bursztein dropped 300 USB flash drives on the campus of the University of Illinois Urbana-Champaign in April 2015 as a test, 48 percent of them were picked up and the files on them opened. Hackers can also search trash cans (a practice known as dumpster diving) for sensitive data like written-down passwords or shadow employees with special access authorizations: This practice is called tailgating or piggybacking allowing unauthorized persons to sneak onto corporate premises.

IT security is not much of use when employees fail to recognize social engineering attacks The most important measure is therefore employee training to explain the typical tricks of the hackers and to practice the behavior in appropriate situations. One-off sessions are no help, warns the German Federal Office for Information Security (BSI), and recommends regular refresher courses. However, according to Loudhouse, only around one in two companies in the world saw safety issues on the training agenda in 2017.

Social penetration tests are one way to test the success of awareness training. An authorized person takes on the role of a social engineer and tests how far he can get using hacker methods. The disadvantage is that employees who are tricked may feel exposed. Social engineering measures are, of course, a part of the security concept that companies must submit and implement for ISO 27001 certification on the basis of BSI IT baseline protection.

In the end, it must be made clear that although employees can pose a security risk, they are also a bulwark against cyberattacks. According to Bitkom, most often companies are made aware of hacker attacks by tips from their workforce.