Social engineering is a form of psychological manipulation intended to trick users into making security mistakes or giving up sensitive information that can be used for fraudulent purposes. These “scammers,” commonly known as “bad actors,” use tactics such as fear, pressure, baiting and other forms of manipulation to exploit or fool their unsuspecting target(s) into handing over sensitive information, and they are mainly motivated by financial gain. The impact of social engineering can hurt both the individual and the larger organization.
This is corroborated by the FBI's most recent Internet Crime Report, which found phishing, vishing, smishing and pharming to be the No. 1 cyber crime type by volume, accounting for over 323,972 victims. The impact of social engineering attacks is growing as the corporate attack surface expands and cloud-based systems become more pervasive.
How prevalent is social engineering?
According to the 2022 Verizon Data Breach Investigations Report (DBIR), an industry-recognized report created annually to help minimize risk and keep your business safe, social engineering is defined as the psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality. The report attributes the impact of social engineering entirely to the “human element”: an enormous 82% of breaches involved social attacks, human error or misuse.
What happens next?
Additionally, as the DBIR states, malware and stolen credentials provide a common second step after a social attack gets the actor in the door, which emphasizes the importance of having a strong security awareness program. These attacks continue to be split between phishing attacks and the more convincing pretexting attacks, which are commonly associated with business email compromise (BEC). These are the two main types of integrity violations.
- Pretexting: The bad actor often pretends to be in a position of authority in order to trick the victim into providing what the attacker needs. Pretexting accounts for 27% of social engineering breaches, almost all of which are BECs.
- Phishing: The bad actor impersonates a legitimate user or institution via email and uses fear, urgency or curiosity to trick an employee into clicking malicious links, opening malware-laden attachments or handing over login credentials. 41% of BECs involved phishing. It’s important to note this trickery is also prevalent via smishing (phishing by text message) and vishing (phishing by voice call).
Common goals of these attacks include:
- Stealing users' personal and financial data which can be sold or used fraudulently.
- Stealing corporate logins (with a view to deploy ransomware, steal data, access cloud email servers, etc.).
- Deploying malware through malicious links/attachments, with command and control (C2), backdoors and Trojans as the most common malware varieties.
- Tricking users into making money transfers or buying/sending gift cards.
What are the latest social engineering trends?
Social engineering attacks are constantly maturing in nature. For instance, Google's Threat Analysis Group (TAG), “[In 2021]...identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers…” including the creation of a sophisticated Twitter campaign to appear legitimate.
The impact of social engineering on the organization can put anyone at considerable risk. Here are some of the latest social engineering attack trends:
Phishing-as-a-service (PhaaS)
These packages offer hackers with few technical skills all the resources they need to launch phishing campaigns, including databases of targets and phishing templates. One vendor detected a 397.5% increase in domains associated with phishing kits from September to November 2021.
BEC using deepfakes
The FBI revealed new scams in which deepfake audio is used in conjunction with virtual meetings to trick employees into wiring funds on behalf of their "CEO." In reality, it's not their CEO but spoofed audio played on top of a still image. The scammers typically make an excuse about technical issues preventing the video from working properly.
Targeting home workers
The pandemic created prime conditions for social engineering attacks. These include:
MFA fatigue
Multi-factor authentication (MFA) fatigue is when attackers use (often stolen) credentials to log in and trigger repeated MFA requests in the hope that the user will ultimately accept one. Some more sophisticated attackers go further and pose as IT to “help” resolve these MFA “issues.” If the user then provides the MFA approval directly to this fake IT request, the attacker gains access to the system.
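The pattern above (a burst of rejected or ignored push prompts, sometimes followed by an approval) is something a defender can look for in identity-provider logs. As an added example that is not part of the original article, the Python below flags that pattern over constructed sample log lines; the log format, event names, threshold and time window are assumptions, not any vendor's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one "<ISO timestamp> <user> <push result>" per line.
# The format and event names are assumptions, not any vendor's real schema.
SAMPLE_LOG = """\
2023-01-10T02:01:05Z alice push_denied
2023-01-10T02:01:40Z alice push_denied
2023-01-10T02:02:15Z alice push_timeout
2023-01-10T02:02:50Z alice push_denied
2023-01-10T02:03:30Z alice push_denied
2023-01-10T02:04:10Z alice push_approved
2023-01-10T09:15:00Z bob push_approved
2023-01-10T14:20:00Z carol push_denied
2023-01-10T18:45:00Z carol push_approved
"""

# A push the user rejected or ignored: the sign that the prompts are unwanted.
UNANSWERED = {"push_denied", "push_timeout"}

def parse_events(log_text):
    """Parse log lines into (timestamp, user, event) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)

def detect_mfa_fatigue(log_text, threshold=4, window=timedelta(minutes=10)):
    """Flag users with >= threshold rejected/ignored pushes inside one window.
    Returns {user: {"rejected": n, "approved_after_burst": bool}}; the bool is
    True when an approval follows the burst, the outcome the attacker wants."""
    by_user = defaultdict(list)
    for ts, user, event in parse_events(log_text):
        by_user[user].append((ts, event))
    alerts = {}
    for user, evs in by_user.items():
        rejects = [ts for ts, ev in evs if ev in UNANSWERED]
        for start in rejects:  # slide the window across this user's rejects
            burst = [t for t in rejects if start <= t <= start + window]
            if len(burst) >= threshold:
                end = burst[-1]
                approved = any(ev == "push_approved" and end < ts <= end + window
                               for ts, ev in evs)
                alerts[user] = {"rejected": len(burst), "approved_after_burst": approved}
                break
    return alerts
```

An alert with `approved_after_burst` set is the case to treat as a likely compromised session rather than mere noise; a single denied push (carol in the sample) is normal user behaviour and is not flagged.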
Spear-Phishing
We are now seeing highly customized spear-phishing attacks - especially targeted at C-suite executives - that leverage personal information scraped from social media and even purchased on the dark web.
Combined phishing and vishing attacks
Though not a new technique, phone-based phishing (vishing) has become a popular way to increase the impact of social engineering on the organization. IBM found click rates for phishing campaigns surged threefold when vishing was included. The Federal Communications Commission is now treating ID spoofing as a consumer protection priority.
Weaponizing collaboration tools
One tactic seeks to exploit a well-known document drive's notification system. By tagging their target in a comment on a document containing malicious links to a phishing site, and asking them to collaborate, the target receives a legitimate email notification containing the comment's text and a link to the relevant document.
Consent phishing
Instead of harvesting users' passwords, some social engineering attacks use OAuth permission request screens to trick users into granting access tokens. This enables the attacker to access victim accounts, steal confidential info, maintain persistence and perform other tasks. Microsoft warns such consent phishing attacks are on the rise.
What is the financial impact of social engineering attacks?
Like most cyber attacks, the impact of social engineering on the organization can ultimately be measured in significant financial and reputational damage, illustrated by the following statistics:
- BEC attacks cost $43 billion from October 2013 to December 2021 according to the FBI Internet Crime Report.
- The average cost of a data breach globally now stands at a record $4.24 million, although it can rise even higher in some cases, like healthcare ($9.23 million). Stolen credentials are the most common cause of breaches.
- Estimated ransomware recovery costs more than doubled in 2021 to reach nearly $2 million, although some organizations have lost tens of millions.
Contributing factors to breach costs arising from social engineering include:
- IT overtime (investigation and response)
- Recovery and remediation
- Legal costs
- Lost productivity and sales
- Regulatory fines
- Customer churn
How can your organization mitigate social engineering risks?
Although a social engineering attack is difficult to fully prevent, you can take steps to mitigate the threat. Here are some best practices and recommendations:
- Company-wide cyber security training: Training can help stop problems before they start. Look for a security provider that is able to provide actionable insights to help organizations of all sizes implement robust cybersecurity policies and solutions to better respond to threats.
- Enhanced end-user awareness training: Campaigns should be run regularly in short lessons of 10-15 minutes across the entire organization. Real-life simulations are key, as is the ability to analyze and act on the results.
- Zero trust: Leverage a zero trust architecture so as to limit access to tools and systems.
- Regular backups: According to the best practice 3-2-1 methodology, create three backups to two different types of media with one stored off-site.
- Process changes: Consider internal changes that would mandate checks before large money transfers are approved.
- Email security tools: Use email security tools to spot suspicious links, attachments, domains and behavior. Artificial intelligence-powered capabilities can also scan for writing-style changes that indicate phishing.
- Good cyber hygiene: Employ continuous risk-based patching to mitigate the impact of social engineering on the organization.
- Multi-factor authentication/password managers: This will help reduce the typical risk associated with corporate passwords.
- Incident response (IR): Create and regularly test IR plans to ensure the organization can recover quickly from a breach. Regular pen testing will also help reveal any exposure to social engineering.
- Threat detection tools: Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) can help to uncover malicious activity following a successful social engineering attack.
- Managed security services: For organizations short on internal skills and resources, third-party providers can help out with many of the above capabilities.
The Verizon Threat Research Advisory Center can help your organization stay up to date on the latest trends in social engineering attacks. Learn more about how to secure your attack surface and secure your business.
Gabriela Allen is the Head of Security Product Marketing at Verizon Business Group.