Rise of Social Engineering: Why Enterprises Should Worry About It in 2024 (Part 1)
In the era of digitization and generative AI, social engineering is a rapidly rising cybersecurity threat that capitalizes on human, rather than technical, weaknesses. CISOs and security leaders are constantly watching for new levels of sophistication, and threat actors keep refining their methods to make their approaches look more benign and convincing. In this two-part blog, we unpack social engineering as a largely non-technical attack that businesses must train their employees to recognize in order to reduce cybersecurity risk.
According to IBM's 2023 Cost of a Data Breach Report, the average cost of a data breach globally was about $4.5 million. Another study attributes 98% of cyber-attacks to some form of social engineering.
High-profile examples include the roughly $100 million that a Lithuanian scammer extracted from Google and Facebook by posing as a computer hardware manufacturer both companies actually did business with, sending fraudulent invoices and phishing emails to their finance staff. The 2020 Twitter Bitcoin scam is another notable incident: attackers phoned Twitter employees, posed as internal support staff to obtain credentials for the company's internal account-management tools, and then hijacked high-profile accounts to promote a cryptocurrency giveaway.
What is Social Engineering, anyway?
Social engineering is a form of cyberattack that uses psychological manipulation to get people to hand attackers sensitive information such as passwords, banking security codes, account numbers, and phone numbers, or to take actions that compromise their own security. Recent technological advances let attackers blend in AI capabilities: cloned voices for vishing (voice phishing) calls, realistic deepfake images and video, AI-written emails, and even live manipulated audio or video during a call.
Adversaries trap their victims with common deception tactics that put them under stress and push them to act on impulse rather than reflect. Victims respond out of fear or pressure, sending money or compromising the privacy and security of personal or organizational data.
What Makes Social Engineering Effective?
Unlike most other attacks, social engineering lets criminals reach endpoints, networks, and accounts without having to defeat firewalls, encryption, antivirus, or other technical controls. The attacker's main task is to convince an unsuspecting target to hand over something confidential, often without the target realizing it.
Social engineering attacks succeed because they are carefully planned and executed. Criminals do their homework, which typically involves the following activities:
- Identifying Targets: Scammers select targets based on what they are after, such as personal data, money, confidential business information, or user credentials. They find victims online or on social media and research their online personas and behavior to make the attack more personalized and convincing.
- Identifying Attack and Trust Points: Once potential targets are identified, attackers choose a channel as the entry point to bait and hook them. It might be a connection request on LinkedIn or another social platform, an email that appears to come from a well-known firm or individual, or a phone call claiming to be from a bank or the police.
- Attack Execution: Once the right message has coaxed the victim into clicking a link that quietly plants malware on a device, or into sharing account credentials, the criminals get what they came for. That may be employee or patient data to hold for ransom, access to the wider enterprise network, or material for identity theft.
- Leaving Behind No Trails: IBM's 2023 Cost of a Data Breach Report found that it took nearly 11 months to identify data breaches and about 10 months to address those carried out by insiders. Once criminals gain unauthorized access, they can vanish without a trace, leaving few clues that would help identify them.
Social Engineering Tactics Prey on the Human Psychological Urge to Share and Connect Online
A study by researchers at the University of Texas, Human Cognition Through the Lens of Social Engineering Cyberattacks, describes social engineering as a psychological attack that persuades the victim to act as the attacker intends. The researchers recommend treating social engineering as a psychological attack and using insights from cognitive psychology to design effective defenses against it.
A New York Times study of social sharing also explored people's motivations for sharing content online. It found that 68% of respondents share content to give others a better sense of who they are and what they care about, 78% share to stay connected with others, and 73% believe sharing brings them closer to people with similar interests.
These findings point to an inherent human need to reveal a great deal about ourselves and to trust online connections, often without weighing the legitimacy of an offer, suggestion, or request. That makes it easier for attackers to exploit a victim's curiosity and their difficulty resisting a tempting offer or an alarming message. Ultimately, victims let their guard down and are deceived by warnings that look legitimate but are bogus. Social engineering tactics typically employ the following methods:
- Pretending to be a Trusted Source: Attackers typically impersonate brands and individuals their targets trust or know personally, which makes earning trust easier and leads victims to follow instructions without exercising caution. Scammers stage websites, brand assets, and messaging that closely resemble those of real brands and businesses.
- Impersonating a Legal Entity or Authority: Attackers exploit the deference people show to authority, such as government or law-enforcement agencies. Emails claiming to come from the FBI or the IRS, from political figures, or from celebrities easily lure victims into traps.
- Fearmongering and Creating a Sense of Urgency: Social engineering attacks use fear and urgency to pressure victims into acting hastily and making mistakes. Verizon's Data Breach Investigations Report says 82% of breaches involve the human element. For example, a scammer posing as a bank employee may call a target about an overdue credit card payment and insist that the target share account details and a password for a "security check". More recently, threat actors have used AI voice-cloning tools to call victims with the voice of a family member who appears to be in distress.
- Use of Attractive Deals: The most familiar example of social engineering, one that has reached nearly everyone's inbox, is the "Nigerian prince" email: a message from a supposed royal looking to flee his country offers a large financial reward if the recipient shares their banking information. Pairing a lucrative offer with a claimed authority figure makes the email feel more legitimate, and victims fall prey.
- Fueling Curiosity or Empathy: Some social engineering ploys rely on understanding what appeals to the victim. A message crafted to trigger curiosity or empathy, apparently sent from a trusted source such as a friend on a social network, often prompts an action that later proves costly, or lures the recipient into clicking a link to a fake website or malware.
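Two of the cues above, a sender that only looks like a trusted brand or authority and language that manufactures urgency, can be checked mechanically before a message reaches an employee. The script below is an added example, not code from the original post or from iTech GRC: it scores a constructed From: header, subject and body for lookalike domains (homoglyphs, single-character typos, a trusted domain buried as a subdomain, a display name claiming a brand the address does not belong to) and for urgency phrases. The trusted-domain list, the homoglyph table, the urgency patterns and the sample messages are all assumptions made for illustration; a production filter would use a public-suffix list and the organization's real sender allow-list.

```python
"""Heuristic triage for brand/authority impersonation in inbound email.

Added example (not from the original post). Flags the two cues the post
describes: a sender that merely resembles a trusted brand, and language that
manufactures urgency. All domains and messages below are constructed.
"""
import re
from email.utils import parseaddr

# Registrable domains the organization trusts (constructed allow-list).
TRUSTED_DOMAINS = ("examplebank.com", "irs.gov", "microsoft.com", "paypal.com")

# Single characters attackers swap for visually similar ones, plus
# two-character sequences that read as one letter in many fonts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI_GLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Phrases that create fear or time pressure (constructed, not exhaustive).
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\bimmediately\b", r"\bwithin \d+ hours?\b",
    r"\baccount (will be )?(suspended|locked|closed)\b",
    r"\bverify your (account|identity)\b", r"\bfinal (notice|warning)\b",
    r"\blegal action\b", r"\bwire transfer\b",
]

def registrable_domain(host):
    """Crude registrable-domain extraction: the last two labels. Adequate for
    the .com/.gov names used here; real code should consult a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def skeleton(domain):
    """Normalize a domain so homoglyph lookalikes collapse onto the brand they imitate."""
    s = domain.lower().translate(HOMOGLYPHS).replace("-", "")
    for multi, single in MULTI_GLYPHS:
        s = s.replace(multi, single)
    return s

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_findings(from_header, trusted=TRUSTED_DOMAINS):
    """Return the reasons a From: header looks like brand or authority impersonation."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    host = addr.rsplit("@", 1)[1].lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return []  # genuinely sent from a trusted registrable domain
    findings = []
    for t in trusted:
        # paypal.com.secure-login.net: the trusted name is only a subdomain label
        if host.startswith(t + ".") or ("." + t + ".") in host:
            findings.append(f"trusted domain {t} used as subdomain of {reg}")
        # paypa1.com / micros0ft.com, then microsofft.com / paypal.co
        if skeleton(reg) == skeleton(t):
            findings.append(f"{reg} is a homoglyph lookalike of {t}")
        elif edit_distance(reg, t) == 1:
            findings.append(f"{reg} is one edit away from {t}")
    # "PayPal Security <x@random.net>": display name claims a brand the address lacks
    brand_words = {t.split(".")[0] for t in trusted}
    for word in re.findall(r"[a-z]+", display.lower()):
        if word in brand_words and word not in reg:
            findings.append(f"display name claims '{word}' but address is @{host}")
    return findings

def urgency_findings(text):
    """Return the urgency/fear patterns present in the subject or body."""
    lowered = text.lower()
    return [p for p in URGENCY_PATTERNS if re.search(p, lowered)]

def triage(from_header, subject, body):
    """Combine both cues into a verdict an analyst can act on."""
    sender = sender_findings(from_header)
    urgency = urgency_findings(subject + "\n" + body)
    if sender and urgency:
        verdict = "likely phishing"
    elif sender or len(urgency) >= 2:
        verdict = "suspicious"
    else:
        verdict = "no impersonation cues"
    return {"verdict": verdict, "sender": sender, "urgency": urgency}

if __name__ == "__main__":
    # Constructed sample messages, not real mail.
    samples = [
        ("PayPal Security <alerts@paypa1.com>", "Urgent: verify your account",
         "Your account will be suspended within 24 hours unless you confirm your details."),
        ("IRS Collections <notice@irs.gov.tax-refund-center.com>", "Final notice",
         "Legal action will follow if payment is not received immediately."),
        ("Jane Doe <jane@examplebank.com>", "Lunch next week?", "Are you free Tuesday?"),
    ]
    for frm, subj, body in samples:
        print(frm, "->", triage(frm, subj, body))
```

The verdict deliberately requires both cues for "likely phishing": an urgent message from a genuinely trusted domain is normal business, and a lookalike domain with no pressure in it may be a typo. Either cue alone, or two urgency phrases together, is enough to route the message for human review, which is where the awareness training the post calls for takes over.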
On average, a CEO is targeted by 57 phishing attacks a year, and an organization is hit with about 700 social engineering attacks annually. What are your organization's defenses against social engineering? We'd like to know.
iTech GRC experts stay on top of industry trends to give enterprises a clearer picture of their regulatory and compliance obligations. Internal IT governance and data privacy management are part of our GRC offering. With the recent AI enhancements to the OpenPages with Watson platform, we can help your enterprise simplify privacy and risk management reporting and meet its GRC objectives for the rest of the year.
Contact our experts to learn more about OpenPages with Watson implementation and GRC planning for 2024!