Protection against social engineering and phishing attacks


The most important facts at a glance
- High relevance: Social engineering and phishing are leading causes of data breaches.
- GDPR obligations: Clear reporting, documentation, and verification requirements—even in cases of human error.
- Typical methods: CEO fraud, fake IT support, fake job applications, manipulated links.
- Main mistakes: Lack of training, guidelines, processes, and documentation.
- Best practices: Awareness training, phishing simulations, 2FA, email protection, clear response plans.
- heyData advantage: Digital modules, TOM templates, reporting processes, and audit documentation for full compliance.
Background – Why this topic is crucial
Social engineering and phishing are now the most common gateways for data breaches – often without exploiting a single technical vulnerability. Instead of hacking systems, attackers specifically manipulate employees through fake emails, calls, or messages. The consequences are serious: unauthorized access to personal data, reportable incidents under the GDPR, and significant damage to reputation. What is particularly dangerous is that many companies underestimate the risks of human error. Without clear processes, training, and technical safeguards, the likelihood of successful attacks increases significantly. Digital solutions such as heyData combine awareness training, tested TOMs, risk assessments, and auditable documentation to effectively reduce social engineering risks and ensure compliance.
Why phishing and social engineering are key data protection issues
Cybercriminals employ a variety of methods, and one of the most effective is to manipulate people rather than hack systems. Social engineering and phishing are among the most common types of attacks on companies today – and are often the cause of reportable data breaches.
What makes them particularly dangerous is that the deception seems harmless at first glance – for example, through seemingly legitimate emails or calls from supposed colleagues or service providers. But if you respond incorrectly, you open the door to attacks, data leaks, and GDPR risks.
Below you will learn specifically:
- Which types of attacks are particularly common: From simple email tricks to fake CEO calls – social engineering is versatile.
- Which GDPR requirements apply in the event of incidents: The General Data Protection Regulation has clear reporting and documentation requirements – even for human error.
- How typical mistakes can be avoided: Training, processes, and technology prevent attacks from being successful.
- How heyData supports prevention and documentation: With digital modules, checklists, and audit-ready documentation.
What exactly is social engineering?
The method: psychology instead of technology
Social engineering refers to attempts to use targeted deception to persuade people to perform actions that are critical from a security or data protection perspective. Attackers rely on trust, stress, or authority – not technology.
Typical methods:
- CEO fraud: An email that impersonates management – often with a request for an “urgent” transfer.
- Fake IT support: Fraudsters pose as technicians on the phone and request passwords or access details.
- Fake applications: Malware is introduced via fake resumes or job application portals.
- WhatsApp/SMS fraud: Short messages appear to be internal communications but contain fraudulent links.
What is phishing – and how can you recognize it?
Phishing is a form of social engineering—often via email, but also via text message, phone call, or social media. The goal is to steal sensitive data such as passwords, login details, or payment information.
Typical characteristics:
- Supposedly legitimate sender: Attackers fake email addresses or use deceptively real names.
- Urgent call to action: Users are asked to respond “immediately” to resolve an alleged problem.
- Request to click or log in: A link leads to a fake login page in order to steal data.
- Subtly manipulated links or attachments: Dangerous files or URLs appear harmless at first glance, but have been manipulated.
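The four characteristics above can be turned into simple checks that a mail filter or an awareness trainer can run over a message. The following Python script is an added example and not part of heyData's product or this article; the two messages it inspects are constructed for illustration, and the urgency word list and the heuristics (display name vs. real sender domain, Reply-To mismatch, visible link text vs. real link target, raw IP hosts, login-style paths) are assumptions chosen to mirror the list, not a complete phishing detector.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first mimics the
# characteristics listed above; the second is an ordinary internal mail.
PHISHING_SAMPLE = """\
From: "Alex Mueller - CEO example.com" <alex.mueller@example-payments.net>
Reply-To: alex.mueller.ceo@mail.example.org
To: accounting@example.com
Subject: URGENT: transfer needed today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please process the attached invoice immediately, I am in a meeting.</p>
<p>Confirm via <a href="http://198.51.100.7/login">https://portal.example.com/login</a></p>
</body></html>
"""

BENIGN_SAMPLE = """\
From: "Alex Mueller" <alex.mueller@example.com>
To: accounting@example.com
Subject: Agenda for Thursday
Content-Type: text/html; charset=utf-8

<html><body><p>Attached is the agenda. See
<a href="https://intranet.example.com/agenda">https://intranet.example.com/agenda</a></p></body></html>
"""

# Assumed cue list; a real deployment would tune this per language and business.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "account will be suspended")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL, or the domain part of an e-mail address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[-1].lower()
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators found in a single-part HTML message."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = host_of(from_addr)

    # Supposedly legitimate sender: display name names a domain that is not the real one,
    # or replies are routed to a different domain.
    for token in re.findall(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", display_name.lower()):
        if token != from_domain:
            findings.append(f"display name mentions {token} but sender domain is {from_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and host_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {host_of(reply_to)} differs from sender domain {from_domain}")

    # Urgent call to action in subject or body text (tags stripped crudely).
    html = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    for term in URGENCY_TERMS:
        if term in text:
            findings.append(f"urgency cue: '{term}'")

    # Request to log in and manipulated links: visible text vs. real target, raw IP hosts.
    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        target = host_of(href)
        if re.match(r"(https?://|www\.)", visible) and host_of(visible) != target:
            findings.append(f"link text shows {host_of(visible)} but points to {target}")
        if is_ip_literal(target):
            findings.append(f"link points to a raw IP address: {target}")
        if "login" in urlparse(href).path.lower():
            findings.append(f"link leads to a login page on {target}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, phishing_indicators(sample))
```

Each finding maps back to one of the characteristics in the list, which makes the output usable as training material: an employee who sees "link text shows portal.example.com but points to 198.51.100.7" learns exactly which cue they missed.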
Social engineering from a GDPR perspective: obligations and liability
A successful social engineering attack often leads to a data breach—for example, through unauthorized access to personal data. The GDPR sets out clear obligations in such cases.
Important requirements:
- Art. 32 GDPR: Companies must take appropriate technical and organizational measures to minimize data protection risks.
- Art. 33 GDPR: If an incident occurs, authorities must be informed within 72 hours – regardless of how the attack came about.
- Accountability: It is not enough to simply decide on measures – they must be documented and implemented in a verifiable manner.
Without training, protective measures, or emergency processes, high fines may be imposed – even on small businesses.
Typical mistakes – and their real consequences
- No training: Employees cannot recognize dangerous messages and accidentally click on malicious content.
- No guidelines: There are no clear guidelines on how to deal with suspicious messages or calls.
- No processes: In an emergency, teams do not know who to inform or how to respond – valuable time is lost.
- No evidence: Even if training takes place, there is no documentation – in an audit, only what can be proven counts.
- Incomplete technology: Without basic measures such as two-factor authentication or email verification, many doors remain open.
Best practices for protection against phishing and social engineering
- Awareness training: Regular training helps employees recognize attacks and respond appropriately.
- Phishing simulations: Controlled tests reveal weaknesses and improve responsiveness without any real risk.
- Email protection measures: SPF, DKIM, and DMARC make it easier to identify and block fake senders.
- Two-factor authentication: Even if login details are stolen, a second factor prevents unauthorized access.
- Response processes: Clear internal instructions ensure that incidents can be reported and analyzed quickly.
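To make the SPF/DKIM/DMARC point concrete, the following Python script shows how a receiving mail server decides whether a message claiming to come from a company domain may be delivered. It is an added example and not heyData's code: the DNS TXT records are constructed stand-ins for real lookups, only the `ip4`/`ip6`/`all` SPF mechanisms are evaluated (`include`, `a` and `mx` would need live DNS), the DKIM verification result is passed in rather than computed, and the organisational domain is approximated by the last two labels instead of the public suffix list.

```python
import ipaddress
from email.utils import parseaddr

# Constructed TXT records standing in for DNS (example.com publishes SPF and a reject policy).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com",
}

SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into tags and apply the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated
    return tags


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate ip4/ip6/all mechanisms of an SPF record for the connecting IP."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for mech in parts[1:]:
        qualifier = "+"
        if mech[0] in SPF_RESULTS:
            qualifier, mech = mech[0], mech[1:]
        name, _, value = mech.lower().partition(":")
        if name == "all":
            return SPF_RESULTS[qualifier]
        if name in ("ip4", "ip6") and value:
            try:
                if ip in ipaddress.ip_network(value, strict=False):
                    return SPF_RESULTS[qualifier]
            except ValueError:
                pass  # malformed network, ignore this mechanism
        # include/a/mx/exists need DNS and are skipped in this offline example
    return "neutral"


def org_domain(domain: str) -> str:
    # Simplification: last two labels; real implementations use the public suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(header_from, sender_ip, mail_from_domain, dkim_domain=None,
                   dkim_result="none", txt=DNS_TXT):
    """Combine SPF and DKIM results with DMARC alignment and return the disposition."""
    from_domain = parseaddr(header_from)[1].rsplit("@", 1)[-1].lower()
    record = txt.get("_dmarc." + from_domain) or txt.get("_dmarc." + org_domain(from_domain))
    if record is None:
        # No policy published: DMARC cannot protect this From domain at all.
        return {"from_domain": from_domain, "dmarc": "none", "disposition": "none"}
    tags = parse_dmarc(record)
    spf_result = spf_check(txt.get(mail_from_domain.lower(), ""), sender_ip)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_domain,
        "spf": spf_result,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else tags["p"],
    }


if __name__ == "__main__":
    print("legitimate:", dmarc_evaluate("ceo@example.com", "203.0.113.10", "example.com", "example.com", "pass"))
    print("spoofed:   ", dmarc_evaluate('"CEO" <ceo@example.com>', "198.51.100.7", "example.com"))
    print("lookalike: ", dmarc_evaluate("ceo@examp1e.com", "198.51.100.7", "examp1e.com"))
```

The three calls at the bottom show the two things a defender should take from this: a message that claims to be from `example.com` but arrives from an unlisted IP without a valid signature is rejected by the domain's own policy, while a lookalike domain such as `examp1e.com` that publishes no DMARC record is not covered at all. Email authentication therefore stops direct spoofing of your domain, and awareness training has to cover the lookalike case.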
Case study: CEO fraud in medium-sized businesses
An accounting employee receives an email from the “CEO” asking them to quickly transfer a five-figure sum. The sender appears to be genuine, the tone is credible – the transfer is made.
Thanks to heyData, the incident could be systematically investigated:
- Awareness gap identified: The attack revealed a training gap, which was quickly closed.
- Report to supervisory authority: The data breach was reported correctly and in a timely manner.
- Measures documented: All responses were centrally recorded and prepared for an audit.
- Processes adapted: Approval processes for payments and communication with management were improved.
The case clearly shows that targeted attacks can be successful even in routine processes – and how important structured processes, training, and documentation are to limit damage and maintain compliance.
How heyData provides concrete support
heyData is a digital data protection solution that helps companies address social engineering risks in a structured and GDPR-compliant manner.
Features at a glance:
- Awareness modules: Interactive training courses raise employee awareness and automatically document their participation.
- TOM templates: heyData provides verified catalogs of measures that are adapted to different company sizes and scenarios.
- Reporting processes: Step-by-step guides show exactly what to do in the event of an incident – including escalation chains.
- Audit documentation: All training courses, measures, and incidents can be exported and documented for auditors.
- Risk assessment: Particularly vulnerable areas – e.g., accounting or HR – can be specifically identified and prioritized.
Conclusion
Social engineering is not a hypothetical risk – it is one of the biggest threats to data protection and information security. Companies of all sizes are affected and bear responsibility for prevention and response.
heyData offers:
- GDPR-compliant training and awareness modules
- Structured risk management
- Audit-proof documentation for authorities and customers
- Up-to-date TOMs and practical processes
This way, data protection becomes a competitive advantage rather than a stumbling block.
FAQs – Frequently Asked Questions
1. What is the difference between social engineering and phishing?
Phishing is a specific method of social engineering in which attackers attempt to steal access data or other sensitive information, for example via fake emails. Social engineering, however, covers a broader spectrum—including phone calls, deep fake videos, or personal conversations in which manipulation is deliberately used.
2. Is technical protection alone sufficient?
No, because the biggest weak point remains the human factor. Even the most secure system is of little help if employees fall for fake emails or accidentally disclose sensitive data. Technical measures must therefore always be supplemented by awareness training.
3. Does every incident have to be reported?
If an attack results in the loss of or unauthorized access to personal data, Article 33 of the GDPR requires that the supervisory authority be notified within 72 hours. Affected parties may also need to be informed.
4. How can I demonstrate awareness?
The GDPR requires companies to be able to document their protective measures. With heyData, training courses, test participation, and awareness campaigns are automatically documented—including evidence for audits and certificates for employees.
5. What role do TOMs play in social engineering?
TOMs – i.e., technical and organizational measures – are designed to ensure the protection of personal data. This also includes protection against human error, for example through access restrictions, training, two-factor authentication, or clear reporting channels for incidents.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.