
Understanding and Protecting Against the Modern Threat Landscape

The Growing Threat of Social Engineering

Monday, October 21, 2024

In today’s digital world, cybercriminals have found a new target: people. Instead of relying solely on technical exploits, they use a strategy called social engineering, which tricks individuals into revealing sensitive information or taking harmful actions. A recent Verizon report shows that 74% of data breaches involve some form of human error. As cybercriminals become more sophisticated, it’s critical for businesses to understand these threats and take steps to protect their people—and their data.

The “Ishings”: Common Social Engineering Tactics

  • Phishing: Phishing is the most common and dangerous form of social engineering. It involves sending fake emails that look legitimate in order to steal information or spread malware. Cybercriminals send an astonishing 6.4 billion fake emails every day, often pretending to be a trusted source. These emails might ask you to click on a link, download an attachment, or even send money. One particularly sneaky tactic is CEO fraud, where criminals impersonate a company executive and ask an employee to make an urgent payment or transfer.
  • Vishing: Vishing, or voice phishing, involves tricking people over the phone. Attackers may spoof phone numbers to make their calls look like they’re coming from a familiar source, like a local number or government agency. Robocalls telling you that your Social Security number is suspended or that you need to take immediate action are examples of vishing. These scams often rely on creating a sense of urgency, hoping to make you panic and give up personal or financial information.
  • Smishing: Smishing uses text messages to trick victims, often by including malicious links or asking for sensitive information. Since people tend to trust text messages more than emails, these attacks can be especially effective. You might receive a message that looks like it’s from your bank or a trusted service, asking you to verify account details or follow a link to fix an urgent problem.
  • Quishing: Quishing is a newer tactic that uses malicious QR codes to trick users. Scanning a QR code that appears legitimate—such as one you see in a restaurant or on a flyer—could direct you to a fake website that steals your data. This method is becoming more common because QR codes are widely used and trusted.

The Cost of Falling Victim to Social Engineering

The consequences of social engineering attacks can be severe, regardless of a company’s size. These attacks often target businesses that deal with wire transfers, work with foreign suppliers, or have access to valuable information. Companies like Toyota, Ticketmaster, and MGM Resorts International have all fallen victim to social engineering attacks. MGM, for instance, suffered a ransomware attack that took its systems offline for 10 days, costing the company an estimated $100 million.

What is Ransomware?

Ransomware is a type of malware (malicious software) that locks or encrypts a victim’s data, making it inaccessible until a ransom is paid to the attacker. In many cases, the attacker threatens to delete or leak the data if the ransom isn’t paid. Even when businesses do pay, there’s no guarantee that their data will be restored. The average ransom demand has skyrocketed, with the typical amount increasing from $6,000 to $84,000 between 2018 and 2019. Ransomware attacks are often delivered through phishing emails, making it vital for employees to recognize suspicious messages before it’s too late.

How AI is Changing the Game for Attackers

The growing use of artificial intelligence (AI) has given attackers new tools to launch more convincing and widespread attacks. AI can automatically generate phishing emails, making it easier for cybercriminals to cast a wide net and trick more people. Worse yet, AI can create deepfakes—extremely realistic fake videos or voice recordings. This technology has been weaponized to clone voices or create fake video messages that appear to come from company leaders, manipulating employees into taking harmful actions.

Defense Against Social Engineering Attacks

So, how can businesses protect themselves? The key is a mix of awareness, education, and strong policies. Here are some steps companies can take:

  • Think twice about strange requests: If a request seems unusual or urgent, pause and verify it through trusted channels.
  • Trust your gut: If something feels off, it probably is. Cybercriminals often prey on emotions like fear, curiosity, or urgency.
  • Implement strong policies: Ensure your business has policies in place to handle requests for money transfers or sensitive information and ensure employees follow them.
  • Educate your employees: One of the best defenses is training employees to recognize phishing, vishing, smishing, and other scams. Knowledge about how these scams work can help people avoid falling for them.

The Role of Cyber Insurance

As social engineering attacks grow more complex, the cyber insurance market has evolved to address these risks. Companies that rely on technology or have extensive third-party relationships are particularly vulnerable. Cyber insurance can provide financial protection in the event of an attack, but insurers are also focusing on prevention. Many insurers now require companies to have security measures in place, such as Multi-Factor Authentication (MFA) and Endpoint Detection and Response (EDR), before offering coverage.

Staying One Step Ahead

Social engineering is a constantly evolving threat that targets human vulnerabilities. As cybercriminals develop new tactics—such as using AI to automate attacks—businesses must stay vigilant. By investing in employee education, implementing strong cybersecurity practices, and considering cyber insurance, companies can better protect themselves from becoming victims of these sophisticated scams. In today’s world, staying one step ahead of cybercriminals is not just an option—it’s a necessity.
