
Defending Against Social Engineering: Strategies for Cybersecurity

Social engineering — a cyber tactic that scams employees into creating vulnerabilities in the company’s data and network security — has always been around but is fast becoming hackers’ attack vector of choice.

Statistics compiled by Fire Wall Times paint a cautionary “not if but when” social engineering attack possibility:

  • Ninety-eight percent (98%) of all cyber-attacks involve a form of social engineering
  • In 2022, 84% of organizations fell victim to a social engineering attack
  • Eighty-six percent (86%) of companies were hit by large-scale phishing, a fraudulent email from a seemingly legitimate source with an embedded hack
  • Seventy-six percent (76%) were targets of smishing, phishing via text

Perhaps the most troubling statistic is this: Even as social engineering becomes more prevalent, barely half of employees, the social engineers’ favorite targets, recognized a phishing email in 2021. This is a 20% drop from 2020. The third quarter of 2023 “saw ‘human hacking’ evolve from a long-standing security challenge to threat actors’ method of choice,” Kroll warns in its Threat Landscape Report.

How Does Social Engineering Differ From Cyberattacks?

Malicious actors find that attacking people to gain unauthorized access to companies’ digital assets is easier than trying to crack the technology that protects them. “Social engineering is the intersection of psychology and technology,” as AT&T Security explains, calling it “hacking minds over bytes.”

Hackers scour various sources to acquire personal information — anything from email addresses to their bosses’ names. For instance, they can buy it from large-scale, technically proficient cybercriminals that sell stolen databases. They can also harvest details from social media or utilize fake websites.

That information becomes the leverage for gaining victims’ trust. Because the victim believes the message is from a trusted source, they are less likely to be wary of disclosing sensitive information or performing actions that compromise security, such as clicking a link that can lead to an undetected malware infection.

Social engineers attack from many directions. In addition to phishing, smishing and vishing — a deep-fake voicemail from a “trusted” sender asking for personal information — other scams include:

  • Scareware that often appears as a pop-up that warns the victim that their device has been compromised and lures them into clicking on a “cure” that actually infects the computer
  • Baiting that entices the victim into clicking on a rare, attractive offer but opens a way in for malware
  • Pretexting that allows scammers to pose as clergy, deposed government officials or other positions to obtain personal and financial information

“As with most cyber threats, social engineering schemes can come in many forms, but they all generally work the same way,” Norton summarizes.

What Is the Emerging Threat Landscape of Social Engineering?

The International Journal of Scientific Research in Computer Science, Engineering and Information Technology (IJSRCSEIT) has a dire warning for cybersecurity professionals. The organization investigated real-world cases of FraudGPT and WormGPT — as well as the popular ChatGPT — to understand how social engineers use them, examine the results and assess strategies for defense.

Its research found that social engineers cloned large language models of the popular generative artificial intelligence (GenAI) platform ChatGPT to develop highly convincing, personalized and relevant phishing lures to manipulate employees. GenAI social engineering messages can, for instance, impersonate the writing style of trusted individuals or organizations, tailor one-off content for individual emails sent in a bulk phishing attack and zero in on the users most open to manipulation.

“As a result, there is a pressing need for adaptation and innovation in the cybersecurity landscape,” the organization notes.

What Are Defensive Tactics Against Phishing Attacks and Deceptive Practices?

Green Edge Computers advises its clients to adopt a multi-faceted defense strategy that includes, among several other tactics:

  • Training employees to recognize social engineering attacks and how to report them to security operations
  • Sending simulated phishing emails to test employees’ awareness
  • Promulgating and enforcing strong password policies, which may include two-factor authentication

“Building a human firewall to resist social engineering attacks is a critical component of your organization’s cybersecurity strategy,” it says.

What Careers Are Key in Developing Defenses Against Social Engineering?

Companies rely on cybersecurity specialists, engineers and managers with advanced technical skills and a deeper managerial perspective to design, develop and deploy essential data and network protections.

La Salle University’s Master of Science (M.S.) in Cybersecurity – General online curriculum immerses students in real-time, relevant strategies to reduce vulnerability and mitigate damage through courses such as:

  • The Computer and Internet Fraud course, which focuses on understanding how computer fraud and manipulation is accomplished and what security measures should be instituted to prevent it
  • The Cybercrime, Cyber Warfare, Cyber Espionage course, which focuses on threat, vulnerability and risk analysis and strategies to avoid data and network breaches

In the age of social engineering, cybersecurity experts with advanced insights and expertise are in high demand, according to CyberSecurity Dive, as “the available potential workforce isn’t keeping pace with demand.”

How an Advanced Degree Can Help

Social engineering is a unique cyberthreat that is growing in popularity. Professionals with the skills and knowledge to protect against social engineering will be well-served in modern cybersecurity.

Learn more about La Salle University’s online Master of Science in Cybersecurity – General program.
