10 Important Facts About Social Engineering - Tecbound Technology

The art and science of manipulating human behavior is called social engineering. In a social engineering scenario, the goal is to get the target to take some sort of action, from buying a ticket to starting a new diet. For example, all advertisements are a form of social engineering. Advertisers have the goal of enticing their targets, consumers, into buying their products, like a certain brand of cereal. Sometimes, this technique can be used for good purposes, like encouraging people to recycle. But cybercriminals aren’t so altruistic. They use social engineering to entice their victims into taking an action that harms their company’s security and helps the bad guys accomplish their goals – and in a year of record cybercrime, they’re having historic success. Get the facts about social engineering to really understand how to stop cybercriminals from successfully pulling one of their schemes on your business.

The vast majority of cybercrimes contain an element of social engineering. That’s what makes these schemes hard to spot and hard to resist. Cybercriminals want to evoke a feeling in you that will spur you on to take an action, and the clever ones are extremely clever. There are really two main feelings that they prey on: fear and trust. Bad actors need to entice their target into clicking their link or downloading their attachment, so they use tricks like spoofing, impersonating trustworthy sources to get you to buy into their lies. They’ll also capitalize on chaos and uncertainty. That’s a big reason for 2020’s massive cybercrime boom – a wealth of targets who were disconcerted, frightened and stressed created a target-rich environment.

Cybercriminals have grown increasingly sophisticated in designing and delivering their bait, utilizing extensive dark web resources to create tailor-made spear phishing lures for their prospective victims. Social engineering scams that employ spear phishing can be as simple as a bogus email from a store asking you to change your online account password and as complex as believably mimicking an executive’s identity. Spear phishing is also a tried-and-true way of tricking victims into downloading ransomware. It’s quick, easy, and profitable – socially engineered ransomware attacks are already up 40% year-over-year, and that’s comparing 2021 to 2020’s record-breaking cybercrime numbers. Scams like these will only become more influential in the future as the pool of information available to bad actors grows on the dark web. In 2020 alone, 22 billion more records were added.

These are a few examples of social engineering as it relates to cybersecurity: 

  • Luring a victim to a fake website to “update their password” when they’re really handing it over to cybercriminals. 
  • Convincing victims to download a document outlining a new company policy that’s actually a ransomware bomb. 
  • Coaxing a victim into sending bad actors sensitive information by pretending to be an executive at the target organization.

Plus, in many cases cybercriminals aren’t the only people doing the social engineering, nor are they providing the only influences. Cybersecurity culture, company policy, fear, stress, exhaustion – all of these factors combined can create circumstances that cause employees to take certain actions around cybersecurity.

Take a look at these statistics to see the real picture of this threat.

  • 98% of cyberattacks rely on social engineering.
  • 43% of IT professionals say they have been targeted by social engineering in the last year.
  • 45% of employees click emails they consider to be suspicious “just in case it’s important.”
  • 47% of employees cited distraction as the main factor in their failure to spot phishing attempts.
  • On average, social engineering attacks cost $130,000.
  • The number one type of social engineering attack is phishing.
  • IC3 reports that socially engineered business email compromise is the costliest cybercrime.
  • Socially engineered cyberattacks are just under 80% effective.
  • An estimated 70–90% of breaches are caused by social engineering.
  • 45% of employees don’t report suspicious messages out of fear of getting in trouble.

Creating a healthy cybersecurity culture is essential for defending businesses from the consequences of cybercriminal social engineering. By making cybersecurity a priority and training everyone to recognize threats, you’re making every employee feel like they’re part of the security team too. That’s what makes phishing resistance training so vital. If just one employee spots and stops a phishing email because they’re invested in maintaining a strong defense, that can save a company millions of dollars as well as uncountable headaches in recovering from a cyberattack. 

Source: ID Agent.
