
What is Social Engineering and Why Should you be Concerned?

Hello friend! Social engineering has become one of the most insidious cybersecurity threats today. As a technology geek and data analyst myself, I want to provide you with helpful insights into this rising risk.

Social engineering is the manipulation of people, through psychology and emotion rather than software flaws, into granting attackers unauthorized access to systems and data. According to the 2022 Verizon Data Breach Investigations Report, social engineering accounts for 37% of confirmed data breaches, placing it among the leading breach patterns across industries.

Unlike technical exploits that target software vulnerabilities, social engineering relies on natural human tendencies – our desire to be helpful, fear of missing out, reflexive reactions to authority, and other cognitive biases. Even security-aware individuals can fall victim when approached the right way.

The Evolution of Social Engineering

While social engineering itself isn't new, its use and sophistication have increased drastically with the digitization of business and the rise of remote work. Consider the following statistics:

  • Reported social engineering attacks increased by an average of 15% year over year from 2018 to 2022, according to the FBI.
  • Losses due to business email compromise (BEC), a form of social engineering, rose from $1.7 billion in 2019 to $2.4 billion in 2021, per the FBI's Internet Crime Complaint Center.
  • 55% of businesses surveyed by Proofpoint reported an increase in successful social engineering attacks after the transition to remote work.

Cybercriminals now run social engineering at scale, automating outreach through bots on messaging platforms. With so much attack surface in the form of remote employees and digital communication channels, it's an extremely lucrative business.

Psychological Tactics Used by Social Engineers

Social engineering exploits various aspects of human psychology to manipulate us into lowering our guard. Some common tactics include:

Phishing – Fraudulent emails, messages, or websites mimicking trusted sources to trick users into entering credentials or other sensitive data. A 2022 Google report found phishing websites increased by 65% YoY.

Pretexting – Inventing an identity and a plausible scenario (a vendor, an IT technician, an executive in a hurry) to persuade victims to hand over login credentials or bank details.

Baiting – Leaving malware-laden USB drives or other devices in public places, relying on curiosity to get an unsuspecting user to plug them in.

Quid Pro Quo – Offering a small gift or service in exchange for data or system access. This plays on the instinct to return a favor.

Tailgating – Piggybacking on authorized access by physically following someone into a building or through a secured door.

All of these tactics work by triggering an emotional shortcut, whether fear of missing out on a deal, the reflex to reciprocate, or the wish to be seen as helpful and cooperative, before the target stops to verify.

Real-World Examples of Devastating Social Engineering

Social engineering enables serious cybercrimes that result in massive losses for businesses and individuals:

  • In 2019, a social engineer posing as a building contractor used a well-crafted pretext to talk Facebook's staff into issuing him access badges to their premises.

  • Through 2021 and 2022, the Lapsus$ extortion group relied heavily on social engineering to breach major technology companies including Samsung, Nvidia, Microsoft, Okta, and Uber. Its tactics included recruiting insiders, phishing, posing as employees, and bombarding users with MFA push prompts until one was approved.

  • In March 2022, a "pig butchering" investment scam conned a Hong Kong woman into transferring over $1.3 million to scammers who had befriended her online using fake personas.

These examples show how readily human tendencies can be exploited for profit, and at scale: billions have been lost to business email compromise and wire-transfer fraud rooted in social engineering, across every sector.

Individuals and Organizations Must Bolster Defenses

The rising threat of social engineering means both individuals and organizations need to re-evaluate defenses:

For individuals

  • Verify requests through a channel you already trust (a known phone number, the official site typed in by hand) rather than the contact details supplied in the email, message, or call itself.

  • Be cautious about sharing personal data such as account numbers, SSNs, and passwords. A legitimate organization that contacts you does not need you to supply these to continue the conversation.

  • Never send money or items of value to strangers who "befriend" you online; this is the core of romance and pig butchering scams.

For organizations

  • Run security awareness programs that train employees on data-handling policies, approved communication channels, and social engineering red flags, and give them a simple way to report suspicious messages.

  • Use email security controls (sender authentication such as SPF, DKIM, and DMARC, plus content and link filtering) to stop phishing before it reaches your staff. This reduces reliance on human detection.

  • Apply the principle of least privilege so each employee can reach only the systems their role requires, limiting what a compromised account can do.

  • Deploy multi-factor authentication, preferably phishing-resistant methods such as FIDO2 security keys, since attackers also social-engineer one-time codes and push approvals, and use endpoint detection and response tooling to spot and contain intrusions that get through.
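To make the "filter before it reaches staff" point concrete, here is an added example (not code from the original article or from any vendor product) of the header checks a simple phishing filter can apply: lookalike sender domains, a display name that impersonates an internal address, a Reply-To that diverts replies elsewhere, urgency language in the subject, and failed SPF/DKIM/DMARC results. The trusted-domain list, the homoglyph table, and the three sample messages are constructed for illustration.

```python
"""Flag common phishing indicators in raw email headers.

Added example for this post, not code from the article or from any email
security product; the trusted domains, homoglyph table and sample messages
are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = ("example.com", "payroll-vendor.example")
# Character swaps used to build lookalike domains (illustrative, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify your account|final notice)\b", re.I)
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", re.I)


def levenshtein(a, b):
    """Edit distance; inputs are short domain names, so the full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain of a From/Reply-To header value ('' if the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None (trusted domains and
    their subdomains are never lookalikes)."""
    if not domain or any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    # Undo typical substitutions: examp1e.com -> example.com, exarnple.com -> example.com
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or levenshtein(normalised, trusted) <= 1:
            return trusted
        # Trusted name parked as a subdomain of an attacker domain: example.com.login-portal.test
        if domain.startswith(trusted + ".") or ("." + trusted + ".") in domain:
            return trusted
    return None


def phishing_indicators(raw_message):
    """Return the indicators found in one RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain!r} resembles trusted domain {imitated!r}")
    # Display name that is itself an address: "ceo@example.com" <anything@evil.test>
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if shown and shown.group(1).lower() != from_domain:
        findings.append(f"display name shows {shown.group(0)!r} but mail is from {from_domain!r}")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgency language in subject")
    auth = AUTH_FAIL.search(msg.get("Authentication-Results", ""))
    if auth:
        findings.append(f"sender authentication failed: {auth.group(0)}")
    return findings


# Constructed sample messages (headers only; not real traffic).
LEGITIMATE = """\
From: Payroll <payroll@payroll-vendor.example>
Reply-To: payroll@payroll-vendor.example
Subject: March payslip available
Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass
"""
CREDENTIAL_PHISH = """\
From: IT Helpdesk <helpdesk@examp1e.com>
Reply-To: recovery@mailbox-reset.test
Subject: URGENT: verify your account immediately or it will be suspended
Authentication-Results: mx.example.com; spf=fail dkim=none
"""
BEC_PRETEXT = """\
From: "ceo@example.com" <ceo.example.com@mail.test>
Subject: Quick favor, are you at your desk?
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE), ("credential phish", CREDENTIAL_PHISH), ("BEC pretext", BEC_PRETEXT)):
        print(f"{label}: {phishing_indicators(sample) or ['no indicators']}")
```

Run stand-alone, the legitimate payslip notice produces no indicators, the credential phish produces four (lookalike domain, diverted Reply-To, urgency, failed SPF), and the BEC pretext produces exactly one: an executive's address in the display name while the mail actually comes from another domain. That last case is the one content filters and users both miss most often, and it is why the lookalike check needs an allow-list of your own domains and vendors as input; without it a filter has nothing to compare against.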

Hybrid defenses combining sound security policies, user education, and proactive technology provide the best protection. Don't leave the human element out of your security strategy.

I hope these insights into the psychology and risks of social engineering have been helpful! Please feel free to reach out if you have any other cybersecurity questions. Stay safe out there!


Written by Alexis Kestler

A female web designer and programmer, now a 36-year-old IT professional with over 15 years of experience, living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.