Social engineering attacks, or attacks on the human component of security, are a significant threat to businesses. With the proliferation of online tools and resources for attackers, the threat continues to grow. Although a business can spend money on firewalls, cameras, locks, and other security systems, it cannot ignore the human element. Without addressing the human component of the security system, a business may be at significant risk of cybercrime.


Social Engineering And Cybercrime: What’s The Connection?

Although social engineering attacks are not technically cybercrime by themselves, the vast majority of cyber attacks involve social engineering tactics to some degree. According to the 2013 Verizon Data Breach Investigations Report, 29 percent of data breaches leveraged social tactics. An earlier report from Dimensional Research suggests that phishing is the most common social engineering tactic at 46 percent. Advanced phishing techniques are usually used at some point during targeted attacks. According to a report from Trend Micro, Spear Phishing Most Favored APT Bait, 91 percent of all targeted attacks involve spear phishing.


What Methods Are Used To Conduct Social Engineering Attacks?

Social engineering attacks are conducted either in person, over the phone, or electronically. Telephone and electronic attacks are used more often, for two reasons: first, such attacks have no geographic limitations; second, the likelihood of prosecution is minimized because geographic and jurisdictional issues usually get in the way. The electronic forms of social engineering, such as phishing, are the most common. In addition to the benefits just mentioned, such attacks are easy to conduct and easy to replicate. As stated earlier, spear phishing is used in almost all targeted attacks. One reason for this is that tailoring the email to the recipient makes it seem more legitimate, which makes it more likely to accomplish its intended purpose, whether that is to install software such as a rootkit or to have the recipient supply information. According to a Cisco report, Email Attacks: This Time It’s Personal, a spear phishing campaign can be 10 times more profitable for the attacker than a traditional mass attack.


Which Businesses Are Affected By Social Engineering Attacks?

Businesses of all sizes are affected. It used to be that only larger businesses had to deal with cybercrime, but this is no longer the case. Small businesses are being attacked at a growing rate. According to a Symantec Internet Security Threat Report, targeted attacks on businesses with fewer than 250 employees increased the most over the previous year and accounted for 31 percent of all attacks. However, this does not mean that large businesses are immune from attack. Financial gain is a primary motivation for attacks, and the theft of intellectual property provides such rewards. As such, research and development (R&D) job roles, which are usually found in larger businesses, are common targets of attack. According to the same Symantec report, attacks on personnel in R&D accounted for 27 percent of all attacks in 2012.


What Is The Cost To Businesses From Social Engineering Attacks?

The direct and indirect costs of a data breach, including breaches involving social engineering, can be significant. According to the report Global Corporate IT Security Risks 2013 from security firm Kaspersky, the cost of an IT security breach in 2012 averaged from $50,000 to $649,000 per incident. The report also suggests that a successful attack on a large company can cost upwards of $2.4 million in direct and indirect losses. Even a stand-alone phishing attack can be a significant expense to a company. According to a survey of IT professionals conducted by Dimensional Research, estimates range from $25,000 to $100,000 per successful phishing attack.

Companies can no longer ignore the threat posed by social engineering tactics. The human element must be considered when building a layered defense. Without doing so, management may be unnecessarily exposing their business to the risk of loss. As the saying goes, a chain is only as strong as its weakest link.