Things are not looking great for companies in the current threat landscape. Yet another report shows that social engineering attacks are on the rise, reaching jaw-dropping numbers.
What is Social Engineering?
Social engineering consists of manipulating a user, through a range of malicious tactics, into handing over private information such as passwords and bank account details, or into granting access to their device so that malware can be installed.
Social engineering-based scams are crafted around the way people think and behave. Therefore, social engineering attacks are all about manipulating users’ behavior. Once the attacker understands the motivation of the victim’s actions, they can successfully trick them into giving away sensitive data.
Phishing is a specific form of social engineering attack in which the attacker poses as a reputable entity or person and uses various online communication channels to distribute malicious links or attachments. These can perform a variety of functions, but all serve one end: stealing the victim’s data and money.
Phishing is the most widely spread of social engineering attacks
A recent report from cybersecurity firm Barracuda confirms that companies continue to face an ever-growing wave of phishing attacks throughout the current year.
The same report notes that 43% of malicious phishing emails pretend to be from Microsoft. In addition, more than 700 social engineering attacks target the average organization every year.
Almost 80% of these attacks target employees in roles other than finance or executive management. The report also highlights that the average CEO receives 57 targeted phishing attacks per year, while IT staffers receive an average of 40 targeted phishing attacks annually.
Another concerning finding is that cryptocurrency-related attacks nearly doubled between October 2020 and April 2021. The number of attacks saw an increase of 192%, alongside the rise of the general price of various cryptocurrencies.
Nearly half of all socially engineered scams are phishing impersonation attacks, the majority of them using a malicious URL.
“Although phishing emails are nothing new, hackers have started to deploy ingenious ways to avoid detection and deliver their malicious payloads to users’ inboxes. They shorten URLs, use numerous redirects, and host malicious links on document sharing sites, all to avoid being blocked by email scanning technologies,” the report said.
“Phishing impersonation attacks have also been trending upwards. These attacks made up 46% of all social engineering attacks we detected in June 2020 and grew to 56% by the end of May 2021.”
Only 10% of the social engineering attacks Barracuda examined involved compromising business email accounts, yet those attacks have cost companies in sectors such as education, healthcare, commerce, and travel millions.
Attackers haven’t changed their tactics much, choosing to impersonate big names to gain the victims’ trust. The top three reputable giants used in phishing attempts are Microsoft, WeTransfer, and DHL, followed by Google, DocuSign, and Facebook.
Senior vice-president of Email Protection at Barracuda, Don MacLennan, noted that cybercriminals usually target weak links in organizations – lower-level employees.
“Targeting lower level employees offers them a way to get in the door and then work their way up to higher value targets,” MacLennan said. “That’s why it’s important to make sure you have protection and training for all employees, not just focus on the ones you think are the most likely to be attacked.”
How can you defend your company against Phishing?
Experts recommend layering security controls to keep phishing messages from reaching users. These include:
- reliable antivirus software;
- desktop and network firewalls, both enabled;
- antispyware programs;
- an antiphishing toolbar in web browsers;
- a gateway email filter;
- a web security gateway;
- a spam filter;
- phishing filters from trusted vendors, such as Microsoft.
All of these measures apply even more strongly to enterprises. Mail servers should use at least one email authentication standard to verify inbound email and block every message that has not been cryptographically signed.
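As an added illustration (not code from the article or from Barracuda), the following Python sketch shows the inbound rule the paragraph describes: a mail gateway that has already verified signatures records its verdict in an Authentication-Results header (RFC 8601), and the delivery policy accepts only messages whose DKIM signature passed, quarantining the rest. The gateway identifier and both sample messages are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the original article): one carrying a
# passing DKIM verdict from the receiving gateway, one unsigned and failing DMARC.
SIGNED_MSG = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=vendor.example;
 dkim=pass header.d=vendor.example header.s=sel1;
 dmarc=pass header.from=vendor.example
From: billing@vendor.example
Subject: Invoice 1042

Please find the invoice attached.
"""

UNSIGNED_MSG = """\
Authentication-Results: mx.example.net;
 spf=softfail smtp.mailfrom=vendor.example;
 dkim=none;
 dmarc=fail header.from=vendor.example
From: billing@vendor.example
Subject: Urgent: update payment details

Our bank account has changed, please pay to the new account.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
TRUSTED_AUTHSERV = "mx.example.net"  # hypothetical authserv-id of our own gateway

def auth_results(raw: str) -> dict:
    """Return {method: result} from the Authentication-Results header stamped by
    our own gateway. Headers naming any other authserv-id are ignored, since a
    sender can inject a forged header that claims a pass."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = str(hdr).replace("\n", " ").partition(";")
        if authserv_id.strip() == TRUSTED_AUTHSERV:
            return {m: r for m, r in RESULT_RE.findall(rest)}
    return {}

def inbound_policy(raw: str) -> str:
    """'deliver' only when the DKIM signature verified (the article's
    'cryptographically signed' bar) and DMARC did not fail; else 'quarantine'."""
    res = auth_results(raw)
    if res.get("dkim") == "pass" and res.get("dmarc", "pass") != "fail":
        return "deliver"
    return "quarantine"
```

A message whose header claims a different authserv-id yields no trusted results and is quarantined, which is the check that keeps a forged Authentication-Results header from bypassing the rule.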
Although technical controls help prevent phishing, phishers prey on human interaction, making the person rather than the software their prime target. That is why Cybersecurity Awareness Training is highly recommended.
Get your quote here for ATTACK Simulator’s solid and comprehensive Security Awareness Training program.