Author: Phil Muncaster
Employees are often an organization's greatest asset—but social engineering attacks can turn them into an organization's biggest security risk.
Social engineering has emerged as a top tactic that helps cybercriminals covertly install malware, steal login credentials and sensitive data, and trick users into wiring them corporate funds. Beating it requires the right people, processes and technology.
What is social engineering?
Humans are fundamentally social creatures, and we tend to be overly trusting in the digital world. This leaves people vulnerable to social engineering, a modern term for the oldest con in the book: exploiting human psychology, rather than relying solely on hacking techniques, to manipulate people into divulging confidential or personal information to be used for fraudulent purposes.
According to the 2020 Verizon Data Breach Investigations Report, 96% of social engineering attacks enter organizations through email inboxes. Types of social engineering attacks include:
Phishing: In a phishing attack, an attacker impersonates a legitimate user or institution and uses fear, urgency or curiosity to trick an employee into clicking malicious links, opening malware-laden attachments or handing over login credentials. Phishing attacks accounted for 22% of all breaches in 2019, according to the DBIR.
Pretexting: Pretexting is similar to phishing, except attackers instead attempt to build trust with their victims to persuade them to give up valuable information. The attacker usually pretends to be someone in a position of authority who has the right to access the sought-after information or who can help the victim.
Business email compromise attack: A business email compromise attack targets employees who have access to corporate funds and attempts to persuade them to transfer money into an external account. When the attack targets a high-level corporate executive, such as a CEO or CFO, it's often referred to as a whaling attack.
What is the impact?
If you have employees, your organization is susceptible to social engineering attacks. These could lead to the theft of sensitive data, ransomware outages or the direct loss of corporate funds.
Business email compromise attacks accounted for almost half of all cyber crime losses in 2019, and they netted scammers $1.8 billion. Ransomware costs are harder to estimate, but organizations that have fallen victim have reported losses in the tens of millions. The average cost of a data breach is $3.86 million.
Avoiding social engineering attacks
Though any user in your organization could be targeted, attacks usually go after members of the finance team, employees with privileged account access and the C-suite.
If an attack is successful, it's critical to have a well-tested incident response plan to quickly mitigate the fallout. However, prevention is the best approach, so consider the following:
- Hold effective training and awareness programs for all temporary and permanent staff, from the board down. For maximum impact, look for phishing simulation tools that can be deployed in short lessons.
- Deploy email gateway security that can spot suspicious sender domains and malicious links. Focus on options that use AI tools to detect inauthentic behavior.
- Keep software up to date to minimize the impact of malware.
- Install antivirus software on company-issued mobile devices in case employees open malicious phishing messages.
- Set up multifactor authentication to mitigate the risk of password theft.
- Enhance business processes, e.g., require that any money transfer be signed off by two staff members.
Learn more about how Verizon Security Solutions help protect your organization against social engineering attacks.