
Social engineering: attacks on people and how to defend

NeoBit team, Jun 17, 2026

Social engineering is a type of attack in which the attacker does not break through your technology but your people: with a fake email, a phone call or a fake identity, they trick an employee into revealing a password, approving a payment or clicking a malicious link. While companies invest in firewalls, antivirus and EDR, attackers increasingly choose the cheapest and most reliable path: human goodwill, urgency and trust. That is exactly why defending against social engineering is a combination of training, clear procedures and regular testing, not just software.

In practice, the vast majority of serious incidents, from compromised mail accounts to payment fraud, start right here: someone convinced someone else. There is no exploit, no zero-day vulnerability, just well-acted urgency and a convincing story. For companies in Bosnia and Herzegovina, Croatia and Serbia, this means that even a small company with up-to-date antivirus can lose money or data if employees are not prepared to recognise manipulation.

What social engineering is and why it is so successful

Social engineering is psychological manipulation aimed at making a person do something they otherwise would not: reveal information, bypass a security rule or take an action that benefits the attacker. The attacker relies on principles that work almost automatically in people:

  • Authority: the message supposedly comes from the director, the bank or the IT department, so we do not question it.
  • Urgency and pressure: the deadline is today, the invoice is overdue, the account will be blocked, all so the victim has no time to think.
  • Fear: the threat of a penalty, loss of access or a problem with a superior.
  • Trust and courtesy: the attacker poses as a colleague or partner you already work with.
  • Curiosity and greed: a reward, a refund, an interesting document that just has to be opened.

Technology offers little help here because the attack targets behaviour, not the system. That is why people are often called the weakest link in security, although it is fairer to say that the human factor is a link that has long been neglected in investment.

The main social engineering techniques

Attacks come in several forms, but they all share the same logic: create a convincing context and lead the victim into taking action. Here are the techniques we most often see among clients in the region.

Phishing

The most widespread form: mass or targeted emails that mimic a bank, Microsoft 365, a supplier or an internal service. The goal is for the victim to enter a password on a fake page or open an attachment. A more dangerous variant is spear phishing, where the message is tailored to a specific person, with real names and company context, so it looks entirely legitimate.

Vishing (voice phishing)

An attack carried out by phone. A fake call from a bank, a supplier or supposed IT support asking to confirm details, share an SMS code or grant remote access to a computer. The voice and the urgency create pressure that is harder to ignore than an email.

Pretexting

The attacker builds an entire false story (a pretext) and identity: posing as an auditor, a new colleague from another branch, a courier or a partner's representative. They gradually gather information and trust until they obtain what they need. It is often the lead-in to a larger attack.

Baiting

A lure. A classic example is an infected USB stick left in a parking lot or a lobby, labelled something like Salaries or Bonuses, which a curious employee plugs into their work computer. The digital variant is free content or software that carries malicious code.

Tailgating and piggybacking

Physical entry into a protected area. The attacker simply walks in behind an employee through an access-controlled door, carrying boxes or pretending to be a technician, counting on no one stopping them out of politeness.

Technique   | Channel                  | Typical lure                   | Main defence
Phishing    | Email                    | Fake login, invoice, alert     | Verify the sender, MFA, report the message
Vishing     | Phone                    | Bank, IT support, urgency      | Call back on a known number
Pretexting  | Email, phone, in person  | Fake identity and story        | Verify identity following procedure
Baiting     | USB, web                 | Free, confidential, tempting   | Ban unknown media, policy
Tailgating  | Physical entry           | Politeness, authority          | Access control, a culture of verification

People as the weakest, but also the strongest link

The claim that people are the weakest link holds true only as long as we leave them without knowledge and support. An employee who knows how to recognise phishing, who has clear guidance on whom to report a suspicious message to, and who is not afraid to say no to a supposed director, becomes a sensor that catches attacks before they do damage. The difference between risk and defence is training and culture, not an individual's intelligence.

What makes an attack dangerous is not technical sophistication but the fact that it strikes at a moment of haste, at the end of the working day, when someone is processing their tenth invoice. That is why defence must be built into everyday processes and not depend on whether someone happens to remember to be careful.

What a company can do right away

  • Introduce multi-factor authentication (MFA) on email and key systems: a stolen password is then not enough.
  • Define a payment procedure: any change to a supplier's bank account and any larger payment must be confirmed through a second channel (by phone on a known number).
  • Set up a simple way to report: one click or one address to which an employee sends a suspicious message, with no fear of consequences.
  • Restrict the use of unknown USB devices and write that clearly into the rules.
  • Train regularly, in short and concrete sessions with real-world examples, rather than once a year as a formality.
  • Foster a culture of verification: asking and double-checking should be commended, not seen as rude.

Training, procedures and simulated attacks: how NeoBit helps

A one-off lecture does not change behaviour. Resilience to social engineering is built through a cycle: measure the current state, train, simulate an attack, measure the progress and repeat. At NeoBit we apply this approach through several steps.

  • Simulated phishing campaigns: we send controlled, harmless phishing emails to your employees and measure who clicks, who enters their details and who reports the message. You get a clear picture of the real risk, without blaming individuals.
  • Vishing and pretexting tests: by prior agreement we test resilience to phone calls and fake-identity scenarios, because email is only part of the picture.
  • Targeted training: after the test we deliver training based on the actual results, with examples that are familiar and relevant to your people.
  • Procedures and policies: we help define clear rules for payments, access and incident reporting, tailored to the size and operations of your company.
  • Measuring progress: repeated campaigns show how much the click-through rate has dropped and where more work is still needed.

We connect all of this with the rest of the security picture: SOC monitoring, EDR and SIEM solutions, and penetration testing, so that human and technical defences work together. The goal is not a perfect result on paper but a company in which an employee instinctively pauses before clicking or approving a payment.

If you want to find out how resilient your organisation is to social engineering, NeoBit offers an assessment and a simulated phishing test tailored to your company. Contact us for a free assessment and to arrange a simulated attack, and together let us turn the weakest link into the first line of defence.

Frequently asked questions

How does social engineering differ from traditional hacking?

Traditional hacking exploits technical vulnerabilities in systems, whereas social engineering exploits people: their trust, haste and fear. The attacker does not break through the firewall but convinces an employee to reveal information or take an action themselves. That is why defence must include training and procedures, not just security software.

How do you recognise a phishing email?

Suspicious emails are those that create urgency or a threat, ask for a password or a payment, have an unusual sender address, grammatical errors or links that do not lead to the expected page. When you are not sure, do not click; instead, verify the sender through another channel and report the message to your internal IT service.
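The four signs listed above (a sender address that does not match the brand the display name claims, urgency or threat wording, a request for a password or payment, and a link whose visible text names a different destination than its real target) can be checked mechanically before a message reaches a busy employee. The script below is an added illustration written for this article, not NeoBit's own tooling; the brand list, the phrase lists and the sample message are constructed assumptions.

```python
import email, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicator phrases and impersonated brands: constructed for this example, extend them for your own company
INDICATOR_TERMS = {"urgency or threat language": ("urgent", "immediately", "within 24 hours", "will be blocked", "overdue"),
                   "asks for credentials or a payment": ("password", "sign in", "verify your account", "bank account", "payment")}
BRAND_DOMAINS = {"Microsoft": "microsoft.com", "NeoBit": "neobit.example"}  # assumed legitimate sender domains
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_LIKE_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+", re.I)

def same_or_sub(host, parent):
    return host == parent or host.endswith("." + parent)

def link_mismatches(html):  # links whose visible text names one domain while the href leads to another
    out = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if not DOMAIN_LIKE_RE.match(shown):
            continue  # "Click here" style text: nothing to compare against
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname or ""
        if not same_or_sub(urlparse(href).hostname or "", shown_host):
            out.append((shown, href))
    return out

def phishing_indicators(raw):  # indicators found in one raw email message (headers + body)
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    for brand, dom in BRAND_DOMAINS.items():  # display name claims a brand the address does not belong to
        if brand.lower() in name.lower() and not same_or_sub(from_dom, dom):
            findings.append(f"display name claims {brand} but address domain is {from_dom}")
    text = msg.get_body(preferencelist=("html", "plain")).get_content()  # assumes a text part exists
    lowered = (msg.get("Subject", "") + " " + text).lower()
    for label, terms in INDICATOR_TERMS.items():
        if any(t in lowered for t in terms):
            findings.append(label)
    for shown, href in link_mismatches(text):
        findings.append(f"link text '{shown}' actually points to {href}")
    return findings

# Constructed sample message, not taken from any real campaign
SAMPLE = """\
From: "Microsoft 365 Support" <alerts@m365-login-check.example>
Subject: Action required: your account will be blocked
Content-Type: text/html; charset="utf-8"

<p>Mailbox over quota. Sign in immediately at <a href="https://m365-login-check.example/auth">https://login.microsoftonline.com</a></p>
"""
```

Running `phishing_indicators(SAMPLE)` returns all four findings for the constructed message; a plain internal message with matching sender domain and honest links returns an empty list, so the output can feed a reporting button or a mail-gateway rule rather than replace human judgement.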

Does technology alone help against social engineering?

Technology such as MFA, anti-spam filters and EDR reduces the risk and mitigates the damage, but it does not stop an attack that targets human behaviour. The best protection is a combination of technical measures, clear procedures and continuous employee training, regularly verified through simulated attacks.

What is a simulated phishing attack and is it dangerous for employees?

A simulated phishing attack is a controlled, harmless test in which NeoBit sends fake but safe phishing emails to measure employee resilience. There is no real damage and no collection of sensitive data, and the goal is not to punish individuals but to educate and reduce the real risk to the company.
