Your company just received an urgent email from the CEO asking for a wire transfer. The sender is correct, the style is identical. Except it's not the CEO. It's a social engineering attack, and it'll cost you €50,000 if someone clicks "send".
We at Meteora Web have been working with SMEs for nearly a decade. We've seen accounts compromised, passwords stolen with a phone call, invoices paid to fake suppliers. Social engineering is not an IT problem — it's a business problem. Because revenue is lost when an employee mistakes a scam for a legitimate request.
This pillar guide gives you the complete toolkit: techniques, defenses, tools, and training. We start with the most insidious enemy: the one that exploits human trust, not a software bug.
Phishing, Spear Phishing, Whaling, and Business Email Compromise
Phishing is still the most effective attack vector. But it's no longer the typo-ridden email from a Nigerian prince. Today's campaigns are personalized, tailored to the victim.
Spear Phishing: When the Attacker Knows You
It doesn't arrive at random: the criminal has gathered intelligence about you (role, suppliers, projects). The email contains real references, names, dates. One malicious attachment or a fake login page is enough. Real example: one of our clients, a communication agency, received an email from the "MUNICIPALITY OF [...]" asking for a quote. The PDF attachment was malware. What worked as a defense: staff training combined with attachment filtering.
Whaling: The Big Fish in the Crosshairs
Whaling is spear phishing aimed at top executives (CEO, CFO). The attacker studies their language, habits, and travel patterns, then poses as a lawyer or a trusted supplier. Business Email Compromise (BEC) is the payout: a modified invoice, or a request to pay a known supplier on a new IBAN. According to the FBI's IC3, BEC losses reported worldwide between 2013 and 2022 exceeded $50 billion, and BEC remains one of the costliest crime categories in every annual IC3 report.
What to do now: Implement a verification rule for every bank-account change or new payment destination: call back using a number already on file, never one taken from the email that made the request. And publish SPF and DKIM records with an enforcing DMARC policy (p=reject), so that mail forging your exact domain is rejected by receivers. Note that these protocols do nothing against a look-alike domain or a compromised supplier mailbox, which is why the call-back rule comes first.
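The SPF and DMARC settings that the rule above asks for are easy to publish in a form that looks protective but enforces nothing (`~all`, `p=none`, a missing subdomain policy). The following is an added example, not code from Meteora Web: it audits the two TXT record strings for the classic weak settings and shows them next to the hardened form. The domains and records are constructed, no DNS lookup is performed, and the finding texts are our own wording.

```python
import re

# Constructed sample TXT records (no DNS lookups are made; the domains are hypothetical).
# "weak" collects misconfigurations seen in the wild, "hardened" is the target state.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.example-mailer.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    },
    "hardened": {
        "spf": "v=spf1 include:_spf.example-mailer.com -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com"),
    },
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term):
    """Strip the qualifier and return the bare mechanism name ('~all' -> 'all')."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def audit_spf(spf):
    """Return a list of weaknesses in an SPF record (empty list means it passes these checks)."""
    findings = []
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or malformed"]
    all_terms = [t for t in terms[1:] if _mechanism(t) == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet to send as you")
        elif qualifier in "~?":
            findings.append(f"SPF: '{all_terms[-1]}' is soft/neutral, use '-all' so failures are hard")
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def _tags(record):
    """Parse a 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(dmarc):
    """Return a list of weaknesses in a DMARC record (empty list means enforcing)."""
    tags = _tags(dmarc)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("DMARC: p=none only reports, spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("DMARC: p=quarantine is a stepping stone, move to p=reject")
    elif p != "reject":
        findings.append("DMARC: p= tag missing or invalid")
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    if sp != "reject":
        findings.append(f"DMARC: subdomain policy is '{sp}', so anything@sub.yourdomain can be spoofed")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) == 100):
        findings.append(f"DMARC: pct={pct} leaves part of the failing mail unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, you will never see who is spoofing you")
    return findings


def audit(records):
    """Combine both audits for one domain's records."""
    return audit_spf(records["spf"]) + audit_dmarc(records["dmarc"])
```

Run `audit(SAMPLE_RECORDS["weak"])` and you get three findings; the hardened pair returns none. Move from `p=none` to `p=quarantine` to `p=reject` only after the aggregate (`rua`) reports show that every legitimate sender, newsletters and SaaS tools included, is passing, otherwise you will reject your own invoices.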
Vishing: Phone Scams That Bypass Every Firewall
The phone is a Trojan horse. An employee answers a fake IT technician asking for a password for an "urgent update". Or receives a call from the "bank" asking for an OTP code. Vishing (voice phishing) exploits perceived authority and urgency.
We saw a case: an accountant received a call from the "Italian Tax Agency" — a realistic robotic voice — requesting their tax file credentials. The victim provided them. Result: fake F24 forms and a €80,000 liability.
Concrete Defenses Against Vishing
- Never share passwords or OTPs over the phone, no matter who calls.
- Establish an internal verification code for critical calls.
- Use a call-routing system that blocks known scam numbers, but treat the displayed number as untrusted: caller ID spoofing is trivial, so it proves nothing about who is on the line.
- Train staff to hang up and call back the official number.
What to do now: Print a poster with the procedure: "If they call asking for sensitive data: hang up and call back the number you know." Place it near every company phone.
Pretexting and Impersonation: Trust Built on a Script
Pretexting is when the attacker creates a believable scenario to obtain information or physical access. They pretend to be a cleaner, a courier, an auditor. Impersonation is acting as someone else (often online or via email).
In September 2023, the attack on MGM Resorts started with a phone call to the IT help desk: the attackers impersonated an employee whose details they had found on LinkedIn and talked the help desk into resetting credentials. Closer to home: one of our clients, a law firm, received an email from a "fellow lawyer" urgently requesting a digital file. The attacker had researched the lawyer's name on LinkedIn. The associate sent the document via a fake link.
How to defend: Implement out-of-band verification for every request for sensitive data, even from apparent colleagues: confirm through a second channel (a call to a number you already have, a message in the company chat), never by replying to the request itself. Use RFID badges for physical access and single sign-on (SSO) with MFA for logical access, and give the help desk a scripted identity check to run before any password or MFA reset.
Deepfakes and AI Fraud: When the Enemy Has Your Face
Generative AI makes social engineering a precision weapon. Deepfake audio or video: a CEO "calls" the CFO asking for an urgent transfer. The voice is cloned from a few seconds of public recording (YouTube, podcast). It's already happened: in 2020, a Hong Kong bank branch manager transferred $35 million after a phone call in which a company director's voice had been cloned.
How to recognize them? Look for artifacts: out-of-sync lip movements, flicker in transitions, unnatural blinking. But quality improves every month. The best defense is procedural: no payment or data change authorized solely by audio/video. Always require a second channel of confirmation (e.g., email + call to a predefined number).
What to do now: Define a company rule: any financial request or critical data access must be verified with a pre-shared secret code. The code can be an agreed-upon phrase among executives.
Social Media OSINT: What Attackers Find About You
LinkedIn, Instagram, Facebook, even your own website. Attackers gather public information to personalize the attack. Role, org chart, travel, personal tastes, suppliers. A photo of your company badge reveals its layout, which is all a forger needs to print a convincing copy. An airport check-in says "I'm out of the office", which is exactly when a CEO-fraud email is most believable.
We at Meteora Web advise clients to regularly review their social media footprint. It's not about censorship — it's about awareness: knowing what's exposed and reducing vulnerabilities.
Defensive OSINT Tools
Use Google Alerts for your domain and executives' names. Services like Have I Been Pwned to check for exposed credentials. Social listening platforms to monitor suspicious mentions. But most importantly: ask employees not to post hierarchy information, work hours, badge photos, or screenshots of internal systems.
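Checking whether a password is in a breach corpus, as the paragraph above suggests with Have I Been Pwned, should never mean sending the password to a third party. The Pwned Passwords range API solves this with k-anonymity: the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally. The block below is an added example written for this guide, not code from the page or from HIBP; it performs no network call and substitutes a constructed response (with invented counts) for the real `https://api.pwnedpasswords.com/range/<prefix>` endpoint, which is named here as an assumption about where a live fetcher would point.

```python
import hashlib

# Constructed stand-in for the breach corpus: the passwords and counts are invented,
# not HIBP data. Nothing in this block touches the network.
FAKE_BREACH_CORPUS = {"password": 123, "Summer2024!": 7}


def split_for_range_query(password):
    """SHA-1 the password and split it the way the range API expects.
    Only the 5-character prefix ever leaves the machine; the 35-character
    suffix is compared locally, so the service never learns the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def constructed_range_response(prefix):
    """Stand-in for the HTTP response body: every breached hash that starts with
    `prefix`, one 'SUFFIX:COUNT' line each, plus a filler line because the live
    service returns hundreds of unrelated suffixes for any prefix."""
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:3"]  # invented filler entry
    for pw, count in FAKE_BREACH_CORPUS.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def breach_count(password, fetch_range=constructed_range_response):
    """Return how many times `password` appears in the corpus (0 = not found).
    Pass a function that performs the real GET for a prefix as `fetch_range`
    to query the live service; the matching stays identical."""
    prefix, suffix = split_for_range_query(password)
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0
```

The same split applies to any password check you add to onboarding or password-change flows: hash locally, send the prefix, refuse the password if the suffix comes back with a non-zero count.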
What to do now: Run an OSINT session on your own team: search Google, LinkedIn, Facebook. See what an attacker can find in 10 minutes. Draft a social media policy for the company.
Phishing Simulation: Testing Employee Awareness
Training alone isn't enough — you must measure. Phishing simulations (with tools like GoPhish, KnowBe4, PhishInsight) send fake emails to employees and track who clicks. The click-through rate is a health KPI.
Be careful: don't humiliate those who fall for it. Use it to improve. Simulations should be paired with immediate micro-training (e.g., a short video after the click). We recommend starting with baseline campaigns (no training beforehand) to get real data, then introduce training and track improvement.
What to do now: Pick a phishing simulation tool and launch a monthly campaign. Target: reduce click rate below 5% within six months. Track repeat offenders and provide extra coaching.
Security Awareness Training: Programs That Work
Training is not a boring video once a year. It must be continuous, contextual, engaging. Here are the ingredients of an effective program based on our experience:
- Microlearning: 5-minute pills, one per month, on a specific topic (phishing, vishing, passwords, AI deepfakes).
- Real examples: show actual attacks that hit similar companies. Show the email, the call, the deepfake video.
- Simulations: combined with training, with immediate feedback.
- Gamification: leaderboards, rewards for those who report real phishing.
- Periodic reporting: show management the improvement trend (e.g., click rate dropped 40%).
What to do now: Write an annual awareness plan: 12 topics, 12 simulations, 12 15-minute meetings. Start with "Recognize a phishing email" and "How to protect passwords".
Multi-Factor Authentication (MFA) as a Barrier
MFA doesn't block social engineering, but it limits the damage. If an employee gives away their password, the second factor (OTP, push notification, hardware key) can still stop the attack. Caution: an adversary-in-the-middle phishing page (for example an evilginx reverse proxy) relays the password and the OTP to the real site in real time and captures the authenticated session cookie, so OTP codes and push approvals can be phished too. Prefer FIDO2/WebAuthn: the credential is bound to the legitimate site's origin, so a look-alike domain cannot obtain a valid assertion. That is what "phishing-resistant" means.
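Why an OTP survives a relay and a WebAuthn assertion does not comes down to what gets signed. The following is an added example, not Meteora Web's code or any library's API: it models the relying-party side of the WebAuthn verification (challenge, origin, rpIdHash, signature over `authData || sha256(clientDataJSON)`) and runs a legitimate login and an evilginx-style relay through it. The domains are hypothetical, and an HMAC under a per-credential secret stands in for the authenticator's public-key signature, a simplification that does not affect the origin-binding check being demonstrated.

```python
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "login.example.com"                     # hypothetical relying party (the real site)
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-com.net"  # hypothetical look-alike domain behind the proxy

# Assumption/simplification: an HMAC under a per-credential secret stands in for the
# authenticator's public-key signature. The origin binding shown below is unchanged by this.
CREDENTIAL_SECRET = b"\x01" * 32


def otp_relay_attack(code_typed_by_victim, code_expected_by_server):
    """OTP: the code carries no information about *where* the user typed it, so a proxy
    that forwards it within the validity window is indistinguishable from the user."""
    return hmac.compare_digest(code_typed_by_victim, code_expected_by_server)


def authenticator_assert(challenge, browser_origin, rp_id_seen):
    """What a FIDO2 authenticator signs. The browser fills in origin and RP ID from the
    page it is actually on; the page's JavaScript cannot override either value."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash(32) || flags(1, UP set) || signCount(4)
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify(challenge, client_data, auth_data, sig):
    """Relying-party checks from the WebAuthn verification procedure:
    type, challenge, origin, rpIdHash, then the signature over authData || hash(clientData)."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get" or c.get("challenge") != challenge:
        return False, "challenge mismatch"
    if c.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {c.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CREDENTIAL_SECRET, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    """User on the real origin: every check passes."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(challenge, *authenticator_assert(challenge, REAL_ORIGIN, RP_ID))


def proxied_webauthn_attack():
    """evilginx-style relay: the proxy opens a session with the real RP, obtains a genuine
    challenge and hands it to the victim's browser, which is on the look-alike origin.
    (In practice the browser would refuse to use a login.example.com credential from that
    origin at all; this shows the RP-side checks that catch it even if it did not.)"""
    challenge = secrets.token_urlsafe(32)
    client_data, auth_data, sig = authenticator_assert(challenge, PHISH_ORIGIN, "login.example-com.net")
    return rp_verify(challenge, client_data, auth_data, sig)
```

The relayed OTP verifies because nothing in a six-digit code says where it was typed. The relayed assertion fails at the first origin check, and the attacker cannot fix it: rewriting `origin` in clientDataJSON invalidates the signature, and the signing key never leaves the authenticator.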
At Meteora Web, we enforce MFA on all business accounts: email, CRM, ERP, hosting. For clients, we recommend switching to Passkeys or YubiKeys for critical accounts.
What to do now: Enable MFA on every service that supports it. For those that don't, consider Single Sign-On (SSO) with mandatory MFA.
Reporting Phishing: Company Procedures and Tools
An employee who receives a suspicious email must know what to do. Not delete and forget. Standard procedure: forward it (as an attachment, so the original headers survive) to a dedicated address (e.g., phishing@company.com) with subject "Suspicious". IT analyzes the headers and links, blocks the sender, adds the indicators (sender domain, URLs, attachment hashes) to the mail filter's blocklist, and checks whether other mailboxes received the same message.
Automated tools exist: the KnowBe4 Phish Alert Button, Proofpoint's PhishAlarm, or a simple "Report phishing" button integrated into the email client. We built a Telegram bot for a client: the employee forwards the suspicious email to the bot, which analyzes it with an ML model and returns a verdict.
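The first pass IT makes over a reported message is header triage, and the same checks catch the BEC pattern described in the whaling section: a display name borrowed from an executive, a Reply-To pointing elsewhere, a look-alike domain, failed SPF/DMARC, and payment-pressure wording. The block below is an added example written for this guide, not code from Meteora Web or from the products named above. The two messages, the company domain and the executive directory are constructed, and the verdict thresholds are our own choice.

```python
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                          # assumption: the defender's own domain
EXECUTIVES = {"Mario Rossi": "m.rossi@example.com"}     # assumption: constructed directory

# Constructed sample messages (invented headers and addresses, not real traffic).
BEC_EML = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
From: "Mario Rossi" <ceo@examp1e.com>
Reply-To: mario.rossi.ceo@mail-secure-docs.net
To: accounting@example.com
Subject: URGENT wire transfer - confidential
Date: Mon, 03 Jun 2024 08:12:00 +0200
Content-Type: text/plain; charset="utf-8"

Hi, I'm in a meeting and can't talk. Please pay the attached invoice today,
the supplier changed their IBAN. Keep this confidential until I'm back.
"""

BENIGN_EML = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Mario Rossi" <m.rossi@example.com>
To: accounting@example.com
Subject: Team lunch on Friday
Date: Mon, 03 Jun 2024 09:00:00 +0200
Content-Type: text/plain; charset="utf-8"

Shall we book the usual place at 13:00?
"""

PRESSURE_WORDS = re.compile(
    r"\b(urgent|immediately|today|confidential|wire|transfer|iban|invoice|payment)\b", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Return (verdict, findings) for a reported message: headers first, content second."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To goes to {_domain(reply_addr)}, not to the From domain {from_domain}")
    if name in EXECUTIVES and EXECUTIVES[name].lower() != addr.lower():
        findings.append(f"display name '{name}' is an executive but the address is {addr}")
    if from_domain and from_domain != COMPANY_DOMAIN and _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # Results stamped by our own gateway (the last hop), not by headers the sender controls.
    auth = msg.get("Authentication-Results", "")
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        if m and m.group(1).lower() in ("fail", "softfail", "permerror"):
            findings.append(f"{check}={m.group(1)} at our gateway")

    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    hits = sorted({h.lower() for h in PRESSURE_WORDS.findall(text)})
    if len(hits) >= 3:
        findings.append("payment pressure language: " + ", ".join(hits))

    if len(findings) >= 2:
        verdict = "likely phishing: block sender, hunt for other recipients"
    elif findings:
        verdict = "suspicious: analyst review"
    else:
        verdict = "no header anomalies"
    return verdict, findings
```

Run `triage(BEC_EML)` and six findings come back; the benign lunch invite from the same executive produces none. A message that passes every header check can still be fraud sent from a genuinely compromised supplier mailbox, which is why the wording check is there and why the call-back rule, not this script, is the final control on payments.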
What to do now: Define the procedure and communicate it to everyone. Add a banner to your email signature: "If you receive a suspicious email, forward to phishing@company.com".
In Summary — What to Do Now
- Assess the risk: analyze your vulnerabilities to social engineering. Examine processes, access, public information.
- Train everyone: an annual security awareness program with microlearning and simulations.
- MFA everywhere: enable multi-factor authentication on every account, phishing-resistant (FIDO2) for the critical ones.
- Verification procedures: no payment or data change without dual channel (e.g., phone + email).
- Monitor and improve: KPIs like click rate in simulations, report rate, incident response time.
Social engineering is the most tangible risk for SMEs. It is defeated with technology, procedures, and human awareness. At Meteora Web, we help companies build this 360-degree defense, from domain to revenue. If you want a free exposure check-up, contact us.