Human psychology as a hacking weapon: what your employees need to know

“Good afternoon! I’m from IT — we just received a report about your printer on the third floor. Mind if I take a quick look at the reception computer?”
The front desk employee hesitates briefly. The man is friendly, wears a badge, and surprisingly knows quite a bit about internal affairs. She smiles politely and shows him the way. Five minutes later, he has full access to the internal network.

Unfortunately, stories like this are no longer fiction. Media are increasingly reporting companies and individuals being hacked, sometimes resulting in significant financial losses. File encryption, large-scale data breaches, or stolen personal information are common consequences. These are risks companies must take seriously.

What is social engineering?

Social engineering: the weakest link is often human

Social engineering is a technique where attackers don’t exploit technical flaws but human behaviour. Instead of hacking through firewalls or cracking passwords, they manipulate employees into opening the door — figuratively or literally.

With a smile, a convincing story, and just enough insider knowledge, attackers can even persuade alert colleagues to act against protocol. Examples include:

  • Someone posing as a technician, colleague, or vendor to gain physical access.
  • A phone call from “the bank” urgently requesting card verification.
  • An email from the “CEO” requesting an urgent payment.

But it doesn’t stop at digital manipulation. Physical carelessness is often exploited as well:

  • Confidential documents left exposed on desks.
  • Passwords written on sticky notes or in unsecured files.
  • Keys or access cards left within easy reach.

That’s why technical security isn’t enough. You need awareness of the human aspect too. A clear clean desk policy, regular training, and a healthy dose of suspicion go a long way.

Social engineering always has one goal: gaining access to information, systems, or spaces — through you or your colleagues. Stay alert, online and offline.

Which businesses are vulnerable to social engineering?

All organisations and companies are, in principle, a potential target for social engineers, who are specifically looking for sensitive information. But of course, that information is everywhere. We interact daily with all kinds of people and stakeholders, and the risk that people with less honest intentions try to gain access to things they shouldn’t through those channels is very real. Some environments see more unfamiliar or external people pass through than average: think of companies that primarily sell to individual consumers, such as retail businesses or hotels. These places are known for their lively atmosphere and the constant flow of people, often from all corners of the world. That’s why hotels are often a dream environment for social engineers. Why?

  • There is a high staff turnover, so not everyone knows each other.
  • Staff are trained to be welcoming, friendly, and helpful — exactly what social engineers rely on.
  • There is a constant flow of visitors and suppliers, which makes it easier to impersonate someone else.
  • Shared IT solutions are often used, which can create vulnerabilities.
How do you raise employee awareness?

Thankfully, you don’t need to be a tech expert to strengthen your first line of defence: your people. And the good news? You don’t need to be a technical expert to make a difference.

Invest in thorough training

There are several training programmes to help organisations counter social engineering — especially general security awareness training. It helps employees understand just how damaging social engineering can be.

Show employees:

  • What warning signs to look out for.
  • How to spot a credible fake story.
  • What to do if something doesn’t feel right.

You can also offer cybersecurity awareness training that focuses specifically on digital threats and best practices.

Create a culture of ‘healthy doubt’

Empower your employees to say “no” or escalate when they’re unsure. Your motto should be: “Better safe than sorry.” Staff often feel pressured to say yes, especially if a request comes from a manager or a supposed client. In addition, they want to deliver the level of service that is expected of them. Just imagine getting a bad review simply because you asked a customer or hotel guest one question too many. And yet, even in the hotel sector, service should never take precedence over safety.

Test your defences

Simulate a social engineering attack. Have a team member or mystery guest pose as a visitor with a convincing story and see how staff respond. Mystery calls are also useful: a voice on the phone is much harder to assess, especially if it’s unfamiliar or, in the worst case, distorted.

It’s not meant to punish employees, but to uncover vulnerabilities and ultimately create learning opportunities.

The strength of companies and organisations lies in the service and hospitality they provide. But that same openness also makes them vulnerable. Social engineering is not a technical risk, but a fundamental human vulnerability. By training employees in awareness and recognition, you can make a significant difference in your organisation’s security.

At Kingsm3n, we have developed training programmes focused on security awareness. In this training, we guide all employees within the organisation through all the ins and outs of this topic. This lays an essential foundation for an effective prevention policy in the field of security.

Michaël Marbais

Entrepreneur and Level 1 Prevention advisor.
As managing partner of Kingsm3n and Ken Do It, he helps companies turn safety, security, leadership, and people-centred policies into concrete action – in every routine and every crisis.