Gretel Egan | October 31, 2016

Three Scary Social Engineering Facts

Last updated: October 27, 2017

There is perhaps no topic more relevant to the Halloween season than social engineering. Like those who revel in the spirit of Halloween, social engineers are all about the elements of disguise and surprise. Though, at heart, social engineers exhibit ghoulish tendencies, they would never show up on your doorstep dressed to scare. Instead, they will make every attempt to lead you to believe they are someone honest and trustworthy.

Unlike Halloween, social engineering isn’t a once-a-year activity. Rather, scam artists are running rampant — and they are becoming harder and harder to spot. If you think you haven’t come across any scams, the chances are you’re wrong. Here are a few tidbits that put this scary trend in perspective:

#1: Social Engineering Techniques Bear Fruit for Cybercriminals

Study after study has shown that social engineering is not going anywhere. As advanced as technology has become, it's often much easier for cybercriminals to exploit humans than networks and systems.

In its 2016 Human Factor report, Proofpoint declared that social engineering was the most used infosec exploit of 2015, displacing hardware- and software-based attack methods. Not much has changed since then; the announcement for this year's Human Factor report stated, "Proofpoint researchers have increasingly observed that threat actors leverage natural human curiosity rather than exploits to trick users into opening malicious emails, clicking on links, transferring funds, and more."

It’s not terribly surprising, given that social engineering scams are relatively low-tech, low-cost, and easy to execute. Phishing emails — which are fraudulent messages designed to steal sensitive data or deliver dangerous malware — are particularly prevalent.

But email is far from the only attack medium being used; vishing (voice phishing) phone calls, smishing (SMS phishing) text messages, social media traps, and pretexting (people pretending to be someone they are not, either in person or online) are all viable — and successful — social engineering scams being perpetrated on a daily basis.

#2: Technology Is Rapidly Accelerating the Sophistication of Attacks

Frank Abagnale, a reformed con artist whose 1960s exploits were immortalized on film in Catch Me If You Can, has spent more than 50 years studying and employing social engineering techniques. He has seen major advancements in technology over the decades and has said many times, “What I did 50 years ago as a teenage boy is 4,000 times easier to do today because of technology. Technology breeds crime. It always has, and always will.”

The simple reality is that the new devices, software, and services that make our lives easier also make it easier for hackers and fraudsters to commit crimes. A late-2016 New York Times article explored the threat potential associated with the evolution of artificial intelligence. The piece noted that James R. Clapper, then the US Director of National Intelligence, cautioned that though AI is destined to simplify some things, it will “also expand the vulnerabilities of the online world.”

It is a wicked cycle; new technology becomes mainstream and cybercriminals work to exploit it. Unfortunately, technical advances aren’t as successful at protecting against social engineering attacks as they are at enabling them. As Abagnale once told SearchCloudSecurity, “There is no technology in the world, nor will there ever be, that beats social engineering.”

#3: Everyone Is a Potential Target

It's critical that you realize that you are not exempt from social engineering; you are a target. This is not just a “big business” problem:

  • A 2016 study by the UK’s Federation of Small Businesses showed that social engineering is extremely taxing to small businesses. The report indicated that “smaller firms are collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion.”
  • Millennials have been raised with technology, which has led them to be highly reliant on their devices — and they often opt for convenience over security. A recent Raytheon survey showed that, though these users are tech-savvy, they freely share passwords and use open-access WiFi, even though they know the risks involved. 
  • If you are reading this, you have access to a device and electronic data, and both of those things are of interest to a cybercriminal. According to the Identity Theft Resource Center, between 2005 and October 25, 2017, there were more than 8,100 data breaches in the U.S. that put personally identifiable information (names, Social Security numbers, medical information, passwords, etc.) at risk. More than 1 billion records have been breached during that same time frame.
