5 Social Engineering Myths You Need to Stop Believing

The following social engineering misconceptions remain widespread in businesses, which makes it far easier for cybercriminals to breach their victims’ defenses.

Emotions Are the Weak Link

Social engineering, the psychological manipulation of people into performing actions that are against their best interest, has become one of the most common attack vectors, used in 82 percent of all successful data breaches, according to Verizon’s 2022 Data Breach Investigations Report (DBIR).

Unlike other threats, such as viruses, ransomware, and Distributed Denial of Service (DDoS) attacks, it doesn’t exploit the weaknesses in physical and cloud-based infrastructures.

Instead, its target is human weakness, which is why social engineering is sometimes called human hacking.

Unfortunately for organizations of all sizes, human weaknesses are generally more difficult to address than technical or digital system vulnerabilities because people often repeat the same mistakes over and over again.

That’s why the following social engineering assumptions are still so widespread, making it easier for cybercriminals to breach their victims’ defenses.  

Avoid the Following Social Engineering Misconceptions

1. SMBs Are Rarely Targeted by Social Engineering Attacks

Perhaps the most dangerous assumption commonly made by small and medium-sized businesses is that cybercriminals only target the big fish…

…the large enterprises that store and process massive quantities of sensitive data and can afford to pay millions in ransom.

However, this assumption is simply not true.

In reality, an employee of a small business with fewer than 100 employees typically experiences 350 percent more social engineering attacks than an employee of a larger enterprise, according to a report published by researchers at cloud security company Barracuda Networks.

2. Social Engineering Attacks Prioritize Quantity Over Quality

It would be difficult to find anyone who hasn’t been on the receiving end of the infamous Nigerian Prince Scam, also known as a 419 scam.

The premise hasn’t changed much since the 1990s.

If you’re unfamiliar, they’re phishing scams where fraudsters pose as wealthy royalty needing urgent help with a money transfer. These mass-distributed emails range in quality – from laughably bad to downright poor.

But not all social engineering attacks are as primitive as the Nigerian Prince Scam.

Spear phishing messages, for example, are meticulously crafted to appear to come from someone the victim already trusts. 

They’re often supported by weeks or even months of research and reconnaissance. Such messages are becoming significantly more common, and those who are not aware of their existence are most likely to fall for them.  

3. Email Is the Only Channel for Social Engineering Attacks

It’s true that most social engineering attacks occur through email, but they’re certainly not limited to it.

Because organizations have been training their employees to be on the lookout for suspicious messages, cybercriminals are increasingly exploring other communication channels beyond email.

Social engineering attacks that come in the form of a text message and frequently include a malicious link are called smishing.

There’s also vishing, which involves fraudulent calls or voicemails that solicit personal information from a victim.

Plus, popular social media platforms like LinkedIn, Twitter, and Facebook are also being used to execute social engineering attacks. Sometimes attackers pretend to be customer service representatives or employees of partner companies.  

4. Social Engineering Attacks Are Limited to the Digital Realm

The digital nature of modern work and the ubiquitous use of email allows cybercriminals from around the world to launch a variety of social engineering attacks on individuals and organizations alike.

But social engineering doesn’t always involve digital technology.

Some social engineers are not afraid to get up close and personal with their victims and use deception to obtain access to restricted areas, such as an office building.

They may go as far as to dress as delivery drivers or HVAC technicians, create fake IDs, and do other things to make their intrusion seem legitimate.

Once these physical social engineers obtain access, they can install hidden cameras to spy on people, steal sensitive documents, set up keyloggers, and more.  

5. You Can Always Trust a Phone Call

When cybersecurity-savvy employees receive an unusual email message from a superior, they verify its legitimacy…or at least they should.

But when the same employees receive an unusual phone call, it rarely occurs to them that the person on the other side could actually be someone else.

That’s exactly what happened in 2020 when a bank manager, fooled by a deepfake impersonating a company director, transferred $35 million to an attacker-controlled account.

Because of recent advances in artificial intelligence and machine learning, as well as the growing accessibility of solutions based on them, voice deepfake attacks are becoming more and more common.

So, even phone calls can’t be trusted anymore.  

The Bottom Line: Assumptions Can Be Dangerous

Social engineering attacks show that the cybersecurity chain is only as strong as its weakest link.

To strengthen it, it’s important to stop making the social engineering assumptions described in this article because their consequences can be extremely costly.

Cybersecurity awareness training remains the best protection against the latest and most widespread social engineering threats. 

It becomes even more powerful when you combine it with sound cybersecurity policies, detection and response capabilities, and other protective measures.

To learn more about security awareness training and other cybersecurity best practices, get in touch with a Teal advisor today.  
