Cyberattacks against companies – what you need to know

Cyberattacks can hit anyone

For example, a website can go offline, but the entire network can also be affected. Aside from financial losses, confidential information sometimes falls into the wrong hands, with devastating consequences: data loss, system failure, liability claims due to a data protection violation and reputational damage are just some examples.In order to penetrate IT systems, the perpetrators try to trick employees of the authority concerned into doing something without actually wanting to, e.g. opening an email attachment, clicking on a link, entering personal data such as passwords or making a payment.

Common method: social engineering

Attackers try to trick people into doing something they do not actually want to do. The scenario that they choose for this is intended to affect the potential victim emotionally or attract their interest. The aim is to establish a feeling of closeness and create a false sense of security. Perpetrators gather information in advance about a company's structure or the personal interests of a potential target. This is often done using freely available information (for example on a company's website or through social media). The target person is then confronted with a tailor-made scenario. This approach is called social engineering.


Perpetrators take advantage of the hierarchical structure of a company and create a certain pressure to act. For example, they assume the identity of a superior and ask an employee to disclose sensitive information or transfer money on his or her behalf.

Time pressure

The victims are told that they have to act quickly or under time pressure.


The victims are promised a prize or a surprise in return for opening the file or clicking on the link.


The victims are threatened with consequences if they do not comply with the request. Incorrect information is for example used to coax victims into clicking on a link to correct it.


The subject presented appeals to the victims emotionally. The victims for example want to help someone.

Companies are lucrative targets for fraudsters. Compared to private individuals, larger sums can usually be obtained in one hit. This is why the attackers spend more time on these attacks and they are more targeted and professional than those against private individuals. They concentrate their attacks on company finance departments.

Technical and organisational measures

Of course, cyber attacks are not only caused by employees, but also by insufficiently protected IT systems. An overview of technical and organisational measures can be found on the page : Information security checklist for SMEs

The most frequent types of threat

The NCSC has identified the following types of fraud against companies as being particularly common:

Further Information

Last modification 01.01.2024

Top of page