When a German SMB falls victim to a successful cyber incident today, the trail leads back to a firewall or software update in fewer than one in three cases — in more than two thirds it starts with an employee who, in a normal working situation, acted on a plausible-seeming request. That is social engineering: the targeted manipulation of people using trust, authority, or time pressure as leverage. For management, HR, and IT leadership this is simultaneously bad news and good news. Bad, because no technology alone can protect the workforce. Good, because the workforce, processes, and safeguards can be positioned with manageable effort so that manipulation attempts reliably stand out and get intercepted. This article shows what an effective protection concept looks like for SMBs — from awareness training through approval processes to technical safeguards and the first response when something seems off. For context within the overall strategy, see our Cybersecurity Guide for SMBs.
What is social engineering from a defence perspective?
Social engineering is the umbrella term for all attempts in which outsiders impersonate trusted individuals to persuade employees into taking an action they would not take under normal circumstances — authorising a transfer, entering credentials into a form, opening an attachment, holding a door open. Manipulation attempts do not exploit technical vulnerabilities but human reflexes: deference to authority, helpfulness, time pressure, curiosity. From a defence standpoint it is therefore important to be familiar with the typical manifestations so that employees can recognise them for what they are: an attempt to pressurise or deceive them.
Phishing is the most common form and refers to emails that appear to come from a familiar sender — the company's bank, Microsoft, a parcel carrier, a manager — and call for rapid action. Employees should learn to spot such emails by three warning signs: unusual pressure to act quickly, a sender domain that differs on closer inspection, and an unusual request to click something or open a file. Our cluster on phishing simulations for employees covers this in greater depth.
Spear phishing and CEO fraud are the personally tailored variant. Here the senders know the recipient's name, position, and sometimes internal projects, and target specific individuals — often in accounting, procurement, or the managing director's office. A typical protective mindset: any request concerning a payment, a change of bank details, or the sharing of a confidential file that arrives by email and signals urgency is suspicious — regardless of how convincing the sender appears.
Pretexting describes situations in which a person poses on the phone or via chat as someone with a plausible backstory — an external IT service provider, a new colleague from head office, or a supplier's account manager with an "urgent follow-up question". Protective behaviour: for any unexpected request for access, data, or approvals, actively verify through an independent channel rather than responding within the conversation.
Baiting refers to lures — for example USB drives with an enticing label left in a car park, or supposed download offers for in-demand software. Protective behaviour: never plug found storage devices into work equipment; hand them to IT instead. Obtain software exclusively from approved internal sources.
Tailgating is the physical variant: an unknown person follows employees through an access gate by telling a friendly story — "hands full of coffee", "meeting with Mr. Smith", "new cleaning crew". Protective behaviour: politely but consistently direct any unknown person to reception rather than letting them through unchecked.
Why SMBs are particularly affected
Mid-sized companies are especially vulnerable for three structural reasons. First, hierarchies and decision chains are shorter — an instruction that appears to come from the managing director carries weight quickly and is rarely formally verified. Second, processes are often concentrated in a few key individuals, meaning a single employee in accounting may be able to authorise five- or six-figure transfers without a second person necessarily being involved. Third, there is frequently no dedicated security team to keep the workforce informed, assess suspicious cases, and adapt processes.
On top of this, SMBs represent a financially very attractive target from the perspective of threat actors: large enough that six-figure transfers do not immediately raise flags, small enough to operate without a dedicated Security Operations Centre. Insurers and Germany's Federal Office for Information Security (BSI) consistently report that losses from social engineering incidents at German SMBs range from €80,000 to €1.5 million per incident — including direct damage, recovery costs, and reputational and supply-chain consequences. That scale justifies any serious awareness programme many times over.
Building an effective awareness training programme
An awareness training programme is effective when it changes behaviour, not merely tests knowledge. Three design principles stand out from our consulting practice: short learning units at high frequency, realistic content with relevance to the organisation's own industry, and a consistent no-blame culture. The table below shows a proven programme structure for SMBs.
| Component | Frequency | Content |
|---|---|---|
| Onboarding module | First two weeks for new employees | Fundamentals, reporting channels, examples from the company's own industry, introduction to the security contact |
| Learning snack | Monthly, 3–5 minutes | Current pattern, recognition tips, short practical exercise with immediate feedback |
| In-depth module | Quarterly, 15–20 minutes | Topics such as CEO fraud, supplier fraud, phone-based attacks, secure use of cloud services |
| Role-specific training | Half-yearly | Tailored for accounting, procurement, HR, management, and IT administration |
| Full-workforce refresher | Annually | Overview, review of reported incidents, outlook on new threat trends |
Content should be concrete and situational. Rather than abstract definitions, short scenarios work far better: "You receive an email from your manager asking for an immediate transfer to a new supplier — what do you do?" From these micro-exercises employees learn to activate the right behavioural pattern in everyday situations. It is also important that training does not take place solely on-screen but is supplemented by regular reminders — posters on the notice board, brief notices on the intranet, a visible report button in Outlook.
The no-blame culture is non-negotiable. Employees who fear sanctions after making a mistake will not report suspicious cases — and with that the entire programme loses its most important data source. A written no-blame statement signed by management and visible on the intranet is a small effort with a significant impact.
Request a free awareness consultation
Are you considering introducing an awareness programme or professionalising your existing one? We offer a free 30-minute initial consultation — we assess your current awareness maturity, sketch suitable content, and propose a realistic frequency framework.
Organisational safeguards
Awareness alone is not enough. Even trained employees miss warning signs under time pressure or in unusual situations — and those are precisely the moments that manipulation attempts target. Organisational safeguards therefore act as a second line of defence: they make it structurally difficult to carry out a harmful action alone and quickly. We summarise the most important measures for SMBs below.
- Four-eyes principle for payments: Every payment above a defined threshold — typically €5,000 to €25,000 — requires approval from two independent individuals. For emergency transfers or changes to the recipient's bank details the rule applies without any threshold. This means the most common CEO fraud attempts fail structurally.
- Phone verification for payment requests: Requests for transfers, new bank details, or short-notice special payments are confirmed via an independently researched phone number — never via the number given in the email or call. An internal list of verified contact numbers for management and key suppliers supports this.
- Clear approval processes for master data: Changes to supplier or employee bank details follow a documented process with dual approval and a written confirmation letter on paper. Verbal or email-only master data changes are structurally rejected.
- Defined reporting channels: There is a single, easy-to-remember internal reporting point for suspicious emails, calls, and encounters — for example an email address like security@company.com and an Outlook button. Employees are informed of the assessment outcome by the next working day at the latest, which strengthens the willingness to report.
- Visitor and access rules: External visitors sign in at reception, receive a visible badge, and are accompanied by an employee. A short, friendly standard question — "May I help you find the right contact?" — replaces the silent wave-through.
- Segregation of duties in accounting: Creating suppliers, approving invoices, and triggering transfers are handled by different individuals. This means a single compromised identity cannot trigger a complete payment chain.
These safeguards can be implemented in SMBs with minor adjustments and without the need for complex new tools. The critical factor is that they are documented in writing, agreed with HR and the works council where applicable, and communicated to all new employees during onboarding.
Technical safeguards
Technology cannot replace awareness, but it can drastically reduce the number of manipulation-attempt emails and requests that actually reach employees. Three components are central from a protection-architecture standpoint.
Email authentication via SPF, DKIM, and DMARC. These three DNS-based mechanisms allow receiving mail servers to verify whether an email genuinely originates from the stated sender. SPF publishes the servers authorised to send for the domain, DKIM signs outgoing emails cryptographically, and DMARC ties both checks to the visible From address and specifies what should happen to emails that fail — typically quarantine or rejection. A DMARC policy fully configured to "p=reject" blocks most spoofed sender addresses used in CEO fraud attempts. It does not stop lookalike domains or a forged display name in front of an unrelated address, which is why the phone verification described above remains necessary.
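As an added check for this section (not part of Reepa's material), the following Python script assesses SPF and DMARC TXT records the way a receiving server reads them and reports what would let spoofed mail through; the domain names and record values are constructed examples, not real lookups.

```python
"""Check whether a domain's SPF and DMARC TXT records are strict enough to
block spoofed sender addresses. Added example, not Reepa's code; the records
below are constructed stand-ins for what a DNS lookup would return."""
import re

# Constructed TXT records (example values, not real domains): one done right, one weak.
CONSTRUCTED_RECORDS = {
    "example-smb.de": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all",
    "_dmarc.example-smb.de": "v=DMARC1; p=reject; rua=mailto:dmarc@example-smb.de; pct=100",
    "weak-smb.de": "v=spf1 include:spf.protection.outlook.com +all",
    "_dmarc.weak-smb.de": "v=DMARC1; p=none; rua=mailto:dmarc@weak-smb.de",
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; pct=100' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(record):
    """Return (qualifier of the 'all' mechanism or None, list of findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, ["SPF: no record, or it does not start with v=spf1"]
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record, re.I)
    if not match:
        return None, ["SPF: no 'all' mechanism, unlisted servers get no verdict"]
    qualifier, findings = match.group(1) or "+", []
    if qualifier in ("+", "?"):
        findings.append(f"SPF: '{qualifier}all' lets any server send as this domain")
    elif qualifier == "~":
        findings.append("SPF: '~all' is softfail; fails DMARC, but receivers without DMARC only mark the mail")
    return qualifier, findings

def assess_domain(domain, records=CONSTRUCTED_RECORDS):
    """Combine SPF and DMARC into one verdict plus the findings that explain it."""
    spf_qualifier, findings = assess_spf(records.get(domain, ""))
    dmarc = parse_dmarc(records.get(f"_dmarc.{domain}", ""))
    policy = dmarc.get("p", "none").lower() if dmarc.get("v", "").upper() == "DMARC1" else None
    pct = int(dmarc.get("pct", "100"))  # share of failing mail the policy applies to
    if policy is None:
        findings.append("DMARC: no valid record, receivers apply no policy to failing mail")
    elif policy != "reject":
        findings.append(f"DMARC: p={policy} does not reject failing mail (reject is the goal)")
    if pct < 100:
        findings.append(f"DMARC: pct={pct}, the policy is applied to only that share of failing mail")
    # Spoofing is blocked only when unlisted servers fail SPF *and* DMARC rejects every failure.
    blocks = policy == "reject" and pct == 100 and spf_qualifier in ("-", "~")
    return {"domain": domain, "blocks_spoofing": blocks, "findings": findings}
```

To run it against a live domain, replace the constructed dictionary with the TXT records returned by your resolver for the domain and its `_dmarc.` subdomain.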
Modern email gateway with attachment sandboxing and URL protection. Current gateways inspect attachments in an isolated environment for suspicious behaviour and rewrite links so that they are checked against known threat lists when clicked — even if the link appeared harmless at the time of delivery. For SMBs, Microsoft Defender for Office 365, Mimecast, Proofpoint, and Hornetsecurity offer established solutions.
Multi-factor authentication (MFA) for all cloud and remote access. MFA is the single most effective measure against the misuse of stolen credentials. Even if credentials are disclosed in an unguarded moment, the login attempt fails without the second factor. Hardware tokens or authenticator apps are recommended; SMS-based methods are considered outdated because they can be bypassed via SIM swapping.
Web filters that block known phishing sites on access are also worthwhile, as are conditional access rules in Microsoft 365 or Google Workspace that apply additional checks to logins from unusual countries or new devices. A complete overview of minimum requirements can be found in our GDPR IT Security Checklist.
Incident response when something seems off
A well-designed awareness programme generates reports — and reports need a reliable process. The first minutes after a suspicious incident determine whether an event is nipped in the bud or develops into a full-blown loss. A proven response chain for SMBs looks as follows.
Step 1 — Capture the report. The employee reports the suspicion via the Outlook button, the central email address, or by phone to IT. Important: no forwarding to colleagues, no independent investigation attempts, no reply to the suspicious sender.
Step 2 — Initial assessment. A designated person from IT or security reviews the report within a defined target timeframe — typically two hours during working hours. A decision is made as to whether it is a false alarm, a broadly distributed attempt, or a targeted scenario.
Step 3 — Containment. If an incident is confirmed, affected accounts are locked, credentials are reset, suspicious emails are removed from other mailboxes, and — if payment manipulation is suspected — accounting is informed immediately so that any outgoing transfers can be stopped.
Step 4 — Investigation and documentation. The incident is documented in a structured log — time, individuals involved, measures taken, outcomes. Where notification is required under GDPR Article 33 or NIS2, the relevant authority is informed within the statutory deadline.
Step 5 — Learning loop. The incident is fed back anonymously into the awareness programme — as an example in the next learning snack, as an adjustment to approval processes, or as an additional phone verification rule. This way training and safeguards continuously develop over time.
A useful supplement is a written response guide of one page in length, available to every employee on the intranet — concise, clear, jargon-free. In an emergency it ensures that even untrained stand-ins know where to turn.
Compliance context: GDPR, NIS2, ISO 27001
Awareness programmes and organisational safeguards satisfy several regulatory requirements at once. Article 32 of the GDPR requires measures to ensure the security of processing, and training counts as such a technical and organisational measure. NIS2 explicitly names cyber hygiene practices and training in Article 21 as mandatory measures and holds management personally liable. ISO 27001 in its 2022 edition requires in Control A.6.3 demonstrable awareness programmes covering the entire employee lifecycle. A detailed mapping overview for SMBs can be found in our cluster on ISO 27001 certification.
The Reepa Awareness Programme
Reepa Solutions supports SMBs in building an effective protection concept against social engineering attempts. Our programme combines short monthly learning snacks, quarterly in-depth sessions, and role-specific modules for accounting, procurement, and management with structured guidance on organisational safeguards — approval processes, four-eyes rules, phone verification, and master data governance.
We also assist with technical security hardening via SPF, DKIM, and DMARC, with the rollout of multi-factor authentication in Microsoft 365 or Google Workspace, and with selecting an appropriate email gateway. If required, we take over ongoing operations as a managed service, relieving the internal IT team and allowing it to focus on day-to-day business. A detailed initial consultation of 30 minutes is free of charge and delivers a first maturity assessment along with concrete next steps.
Frequently asked questions
What is social engineering and why is it so dangerous for SMBs?
Social engineering refers to manipulation attempts in which outsiders impersonate trusted individuals to prompt employees into taking an action — authorising a transfer, disclosing credentials, opening a file. The risk is particularly high for SMBs because flat hierarchies and short decision chains make it easier to impersonate management or a supplier without automatic approval processes kicking in. Protection comes from a combination of a trained workforce, clear approval processes, and technical safeguards such as MFA and email authentication.
How frequently should effective awareness training take place?
A single annual training session is not enough. Effective training combines short monthly learning snacks of three to five minutes with quarterly in-depth modules on current threat patterns. New employees receive an onboarding module in their first two weeks, followed by reminders at three and six months. This builds routine and recognition rather than a box-ticking exercise on the calendar.
What is the four-eyes principle for payment requests?
The four-eyes principle is an organisational safeguard requiring that every payment approval above a defined threshold be confirmed by two independent individuals. For sensitive transactions such as changes to bank details or short-notice emergency transfers, an additional phone confirmation via a known landline number is required — never via the number given in the request. These processes reliably catch most CEO fraud attempts by removing the speed from the manipulated transaction.
Which technical safeguards support the awareness programme?
Three components are central from a protection standpoint. First, email authentication via SPF, DKIM, and DMARC so that spoofed sender addresses are technically detected and rejected. Second, multi-factor authentication for all cloud and remote access so that credentials alone are not sufficient to take over an account. Third, a modern email gateway with attachment sandboxing and URL rewriting that filters suspicious content before it reaches employees.
How should an employee respond when they suspect something is wrong?
The most important step is to report the suspicion quickly to a clearly defined contact — typically the IT department or a dedicated security team — via a report button in Outlook or a short internal email address. Until a response is received, the employee should take no further action, click no links, open no attachments, and share no data. If CEO fraud with a payment angle is suspected, accounting must be informed immediately so that any outgoing transfers can be stopped. A no-blame culture ensures that even uncertain suspicions get reported.
Ready to protect your workforce systematically?
Let's talk for 30 minutes with no obligation. We assess your current awareness maturity, review your approval processes and technical safeguards, and deliver a realistic roadmap for the first 90 days — including arguments for works council and data protection discussions.
Schedule a 30-minute conversation