Deception and Data Theft
Social Engineering: How to Protect Yourself from Manipulation

Through cunning tricks and deception, criminals use social engineering to gain access to your sensitive data. Here’s how you can protect yourself from this scam.

Social Engineering
At a glance

  • Social engineering is a method used by criminals to obtain confidential information through deliberate interpersonal manipulation.
  • To protect yourself, never share sensitive data such as passwords or TANs, and always be cautious about unusual requests.
  • If you become the victim of cyber fraud, immediately block all affected accounts, inform relevant institutions, e.g., your bank, and report the incident to the police.

Definition
What is Social Engineering?

Social engineering is a form of fraud in which criminals deliberately manipulate their victims to gain access to confidential information and, consequently, systems. Instead of exploiting technical vulnerabilities, attackers rely on interpersonal manipulation, such as exploiting helpfulness, trust, fear, or respect for authority.

The goal is to persuade the victim to perform specific actions. For instance, attackers may ask you to reveal sensitive data so that they can bypass security measures. In some cases, they may even trick you into making financial transfers or installing malware on your private or corporate computer.

Why are Social Engineering Attacks so Dangerous?

Social engineering ranks among the greatest threats to cybersecurity. According to studies, the majority of successful cyberattacks involve social engineering methods. This scam is particularly dangerous because it exploits human interaction, making the attack difficult to detect for many victims. Additionally, social engineering can cause severe financial damage, whether it’s through criminals gaining access to accounts or malware paralysing corporate IT systems.

Which Channels are Used for Social Engineering Attacks?

Social engineering is not a new phenomenon — it has existed for years. Today, however, criminals have access to a wide variety of communication channels: Alongside digital channels such as email, text messages, or social networks, traditional methods like telephone calls or even in-person contact at your doorstep are also used.

A well-known example is the so-called "grandchild trick," where criminals pretend to be close relatives in distress through phone calls or messenger apps and demand money urgently under false pretenses.

What Damage Can Social Engineering Cause?

Social engineering attacks can have severe consequences for both individuals and businesses, including:

  • Financial losses: Criminals misuse obtained account information to steal money, or victims are manipulated into transferring money themselves, believing they are "doing the right thing."
  • Damage to IT systems: Malware is introduced undetected and encrypts, steals, misuses, or manipulates data and operations.
  • Reputation damage: Trust is lost among customers due to stolen customer data or fraud incidents.

Warning Signs
What Are Typical Social Engineering Attacks?

Social engineering is a collective term for numerous scams in which criminals exploit human behaviour and trust in targeted ways. While the methods may differ in detail, their ultimate goal remains the same: Through deception and manipulation, attackers trick victims into believing they are acting in good faith when revealing confidential information or performing specific actions. Some common scams include:

Phishing

Phishing (derived from the word “fishing”) is the most well-known and prevalent form of social engineering. Victims receive emails or text messages (SMS phishing is also known as “smishing”) that appear trustworthy at first glance. These messages contain links to fake websites where users are asked to enter their login or account details. Cybercriminals collect this information and use it for illegal activities.

Cybercriminals often pose as familiar institutions or banks, or as trusted clients or service providers. Many users suspect nothing because the sender addresses closely resemble those of legitimate companies — differing only in a single character, a swapped letter, or an additional word in the domain name.

Investment Fraud (Boiler Room Fraud)

In investment fraud, criminals pose as reputable financial advisors or investment experts. Commonly, they approach victims through advertisements or directly via phone calls, appearing highly professional and persuasive. They convince victims to invest in seemingly lucrative financial products, such as securities or cryptocurrencies. However, these products are either non-existent or entirely worthless.

Fraudsters create convincing websites and trading platforms that display apparent profits to build trust among victims.

Important Note: Institutions such as Commerzbank or other banks will never request sensitive data such as online access credentials or card PINs via SMS or phone calls from you.

Caller Fraud

In caller fraud, attackers fabricate a pretext and pose as someone else to obtain information. For example, fraudsters frequently pretend to be bank employees on calls, asking for sensitive data such as PINs or TANs — usually claiming it is part of reauthorization or account updates.

There are also reported cases of criminals posing as police officers or government officials over the phone. Similarly, be cautious with calls claiming to be from Microsoft Support, offering to fix a security vulnerability.

Baiting

Baiting attacks involve external storage media, such as USB drives or external hard disks. These may be distributed as promotional gifts and, once connected to a computer, infect it with harmful software (“malware”).

The term pretexting is used when attackers assume a false identity or fabricate a reason in order to obtain information.

Love-Scam

Fraudsters on online dating platforms gain victims’ trust by feigning romantic interest. Over time, they ask for money and, later, for increasingly larger sums, citing reasons such as supporting family or overcoming emergencies. Fraudsters may even target accounting employees who are authorised to execute business transactions, manipulating them into transferring company funds to illicit accounts.

Business Email Compromise (BEC) or CEO Fraud

BEC attacks involve cybercriminals manipulating business email communication. Fraudsters often impersonate executives ("CEO fraud") or suppliers via email to deceive employees — especially those in accounting or payment processes — into transferring money to fraudulent accounts or disclosing sensitive information.
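Two of the patterns described above can be checked mechanically before anyone acts on a message: a sender domain that differs from the real one by a few characters or by substituted lookalike characters (phishing), and a display name that claims to be the bank or an executive while the actual address belongs to a foreign domain (CEO fraud). The Python script below is an added example for this page, not Commerzbank code; the list of legitimate domains, the confusable-character table and the sample From headers are all constructed for the illustration. It examines only the visible From address. It does not replace the SPF, DKIM and DMARC checks a mail system performs, it only knows the brand name rather than the names of individual executives, and a message that passes this check can still be fraudulent.

```python
import unicodedata
from email.utils import parseaddr

# Constructed for this example: the domains the organisation really sends from.
LEGIT_DOMAINS = {"commerzbank.de", "commerzbank.com"}

# Characters attackers swap for Latin letters: Cyrillic homoglyphs (written as
# escapes so they are not mistaken for Latin) and digit/symbol substitutions.
# Deliberately short; a real deployment would use the Unicode confusables list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s", "@": "a",
}


def fold(name: str) -> str:
    """Canonical Latin form of a domain or display name, so lookalikes collide with the real name."""
    d = name.strip().lower().rstrip(".")
    try:
        # Punycode labels (xn--...) are decoded to the Unicode the user actually sees.
        d = d.encode("ascii").decode("idna")
    except ValueError:
        pass  # non-ASCII input (nothing to decode) or malformed punycode
    # Drop accents (e.g. "é" -> "e"), then map homoglyphs and digit substitutions.
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in d)


def registrable(domain: str) -> str:
    """Last two labels, e.g. 'commerzbank.de' for 'mail.commerzbank.de'.
    Simplification: no public-suffix list, so 'example.co.uk' would yield 'co.uk'."""
    return ".".join(domain.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches dropped or swapped letters such as 'comerzbank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str, legit_domains=LEGIT_DOMAINS, max_distance=2) -> str:
    """Classify an RFC 5322 From header value as 'legit', 'lookalike' or 'unrelated'."""
    display, addr = parseaddr(header_from)
    if "@" not in addr:
        return "unrelated"                 # malformed address: treat as untrusted
    raw = addr.rsplit("@", 1)[1].lower().rstrip(".")
    legit = {d.lower() for d in legit_domains}
    if registrable(raw) in legit:
        return "legit"                     # the real domain or one of its subdomains
    folded = fold(raw)
    folded_legit = {fold(d) for d in legit}
    brands = {d.split(".")[0] for d in folded_legit}   # e.g. {"commerzbank"}
    if registrable(folded) in folded_legit:
        return "lookalike"                 # homoglyph, punycode or digit substitution
    if any(b in folded for b in brands):
        return "lookalike"                 # brand embedded: commerzbank.de.example.net, commerzbank-secure.net
    if any(edit_distance(registrable(folded), d) <= max_distance for d in folded_legit):
        return "lookalike"                 # typo-squat: comerzbank.de, commerzbnak.de
    if any(b in fold(display) for b in brands):
        return "lookalike"                 # display name claims the brand, address does not (BEC pattern)
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample From headers.
    for h in [
        "Commerzbank <service@commerzbank.de>",
        "service@commerzbank.de.example.net",
        "info@comerzbank.de",
        "Commerzbank Kundenservice <ceo.office@gmail.com>",
        "newsletter@example.org",
    ]:
        print(f"{classify_sender(h):10} {h}")
```

The order of the checks matters: the raw domain is compared against the legitimate list first, so that a homoglyph domain which only folds to the real name is reported as a lookalike rather than as legitimate. "unrelated" means only that the address makes no claim on the brand; it is not a statement that the message is safe.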

Prevention
8 Tips to Protect Yourself from Social Engineering Attacks

With vigilance and the right knowledge, social engineering attacks can often be identified and prevented early. Here are eight tips to significantly reduce your risk:

Minimise Your Attack Surface by Sharing Less Data

Anyone can be targeted in a social engineering attack. Consider which personal information is publicly accessible — such as through company websites — and how criminals could misuse this information against you.

Never Share Login Credentials

Never disclose passwords, login credentials, account details, or your photoTAN graphic via phone, email, or messaging apps. Banks and legitimate companies will never request sensitive data via these methods.

Question New Contacts

In social networks, always approach new contact requests with scepticism. Avoid revealing sensitive information and verify the trustworthiness of the contact using publicly available information.

Verify Unknown Senders

Emails or messages from unknown — and even familiar — senders can be dangerous. Always scrutinize the content, intent, and urgency of unexpected email requests.

Check Privacy Settings

Regularly review your privacy settings on social networks. Ensure that only close contacts can view your sensitive information.

Be Wary of Too-Good-to-Be-True Offers

Approach offers that sound overly appealing or unrealistic with scepticism. Scams often leverage fake giveaways or attractive investment options to gain access to your data.

Detect Manipulation and Time Pressure

Social engineering criminals often resort to emotional manipulation or claim urgent action is required. Avoid being rushed — whether by private individuals or seemingly familiar companies or authorities.

Stay Alert

Be cautious about unusual, unexpected, or urgent requests — even if they appear trustworthy. Trust your instincts and avoid acting hastily. Regularly inform yourself about current fraud schemes, for instance, via the consumer protection agency (German only).

Measures for Affected Individuals
Social Engineering: What to Do in Case of an Emergency

If you suspect that you have fallen victim to a social engineering attack, you should act immediately:

Contact Your Bank: Depending on which accounts, data, or accesses have been compromised, contact all relevant institutions immediately and report the incident. For example, if your banking information has been affected, reach out to your bank directly.

If you encounter social engineering in your professional environment, contact your company’s IT department or a cybersecurity expert right away.

Block access: If you’ve already clicked on a phishing link in an email and entered your login details for the corporate client portal, you should block your online access:

Log in and navigate to the "My data" tab, then select "Block access."

Over the phone: Contact your corporate client adviser or call our corporate clients hotline at +49 69 1368 0527 (English) or +49 69 1362 6360 (German) - Monday – Friday, 8:00 AM – 6:00 PM.

Or call our blocking hotline at +49 69 5050 2786. We’re available 24/7, worldwide. A customer service representative will process your request to block access.

Block your cards and accounts:

Block your photoTAN system: You can independently block your photoTAN functionality via our Digital Banking system. The block takes effect immediately. For additional security, we also recommend blocking your photoTAN procedure in the following situations:

  • If your smartphone has been lost or sold.
  • If you suspect improper usage.

In Digital Banking:

  1. Log in to your account to access your TAN settings.
  2. Navigate to the "My data" tab and select "TAN management".
  3. Click "Lock photoTAN" and confirm with "Lock access" to complete the block.

Important note: If you use multiple participant numbers, follow this process separately for each participant number.

Over the phone: Contact your corporate client adviser or call our corporate clients hotline at +49 69 1368 0527 (English) or +49 69 1362 6360 (German) - Monday – Friday, 8:00 AM – 6:00 PM.

Or call our blocking hotline at +49 69 5050 2786. We’re available 24/7, worldwide. A customer service representative will handle the process of blocking your photoTAN functionality.

File a Police Report:
If you have incurred damages due to a social engineering attack, it’s essential to file a report. You can do this either in person at your local police station or conveniently online via the police’s digital reporting portal Online-Wache (in German only).

Commerzbank at your side
What we do for your security in the corporate client portal

High-security standards

The corporate client portal and its various applications are regularly tested and reviewed by security teams during development.

Deactivating fraudulent phishing websites

Although we cannot prevent phishing emails from arriving in your inbox, we work to have the fraudulent websites linked in such emails taken down, and in most cases this happens promptly.

Two-factor authentication

Access to our online portal is secured by two-factor authentication (2FA), an extra security measure. Although 2FA cannot completely prevent phishing, it significantly enhances the protection of your account. Note that a phishing site which forwards your login to the real portal in real time can also capture the one-time code you enter there, which is why you should only release a TAN for a transaction you initiated yourself and whose details you have checked.

Personal advice

If you have any questions or security concerns, please contact your dedicated corporate client adviser directly.
