06/21/2021 | News release | Distributed by Public on 06/21/2021 11:05
Key Points:
An employee receives an email at work asking them to share network login details. Because it appears to come from a company executive, they do. The problem: The executive never sent it. The employee just fell victim to a social engineering attack, and now the organization's data - or finances - are at risk.
Social engineering is a category of cyberattack that aims to trick people into sharing sensitive information that gives an attacker access to a system, physical space or data. These attacks don't stem from social media as some may think; social media does, however, make it easier for attackers to gather personal details to create convincing social engineering attacks.
For businesses, social engineering attacks can be devastating. They're the driving force behind business email compromise (BEC) - the costliest category of cybercrime in the FBI's 2020 reporting, accounting for more than $1.8 billion in U.S. losses during 2020.[i] With proper employee cybersecurity awareness training, however, organizations can reduce both the likelihood and the impact of these attacks.
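The opening scenario is the classic BEC pretext: a message whose display name is a real executive but whose sending address is not the executive's. As an added example (not code from the original article or from Mimecast), the Python below flags that pattern from raw email headers. The company domain, the list of protected executives and the two sample messages are constructed assumptions; the check also reports a Reply-To that differs from the From address, a common way attackers route replies to a mailbox they control.

```python
"""Flag executive-impersonation (BEC) emails from raw message headers.

Assumptions (constructed for this example): the company domain is
example.com and the protected executives are the two names below.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption
PROTECTED_EXECUTIVES = {"jane doe", "john smith"}   # assumption


def _norm(name):
    """Lower-case, drop commas and collapse whitespace in a display name."""
    return " ".join(name.lower().replace(",", " ").split())


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no BEC signal."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # Signal 1: display name of a protected executive, but the address is
    # outside the company domain (free-mail, attacker domain or a look-alike).
    if _norm(name) in PROTECTED_EXECUTIVES and domain != COMPANY_DOMAIN:
        if domain and _edit_distance(domain, COMPANY_DOMAIN) <= 2:
            findings.append(f"lookalike domain {domain!r} used with executive name {name!r}")
        else:
            findings.append(f"executive name {name!r} sent from external domain {domain!r}")

    # Signal 2: Reply-To points somewhere other than the From address, so the
    # victim's answer (and any credentials in it) goes to the attacker.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr!r} differs from From {addr!r}")

    return findings


# Constructed sample messages (not real mail).
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.net
To: bob@example.com
Subject: Urgent: need network login

Bob, I'm in a meeting, send me your VPN login now.
"""

SAMPLE_OK = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Quarterly numbers

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(label, analyze(sample) or ["no findings"])
```

The display-name match is deliberately simple; a production mail gateway would also compare against the executive's known addresses and check SPF/DKIM/DMARC results, but the two signals above already catch the scenario the article opens with.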
What Is Social Engineering?
Social engineering is a psychological manipulation technique that coaxes victims into divulging sensitive information in order to gain access to systems, data or physical spaces. Rather than searching for a software vulnerability to exploit, the attacker takes advantage of human psychology: They might fabricate a pretense to gain an individual's trust and ultimately convince them to share access credentials for systems or an office space, or to wire funds. Social engineering attacks tend to target individuals who have privileged access to these assets.
Importance of Social Engineering Training
Social engineering is a difficult cybersecurity threat to protect against because the tactics that attackers use prey on an individual's reasoning rather than on a flaw in software. When employees haven't been trained to recognize social engineering attacks, the risk of falling victim rises. Because social engineering training plays such a critical role in minimizing these threats, many organizations take cyber awareness training very seriously.
By 2022, for example, research firm Gartner projects that 60% of large organizations will have a full-time equivalent dedicated to security awareness.[ii] Social engineering training, which is often part of a security awareness program, gives employees the tools they need to recognize these types of attacks, which helps develop more discerning, responsible employees who are better equipped to protect both themselves and their organization.
Top Social Engineering Attack Techniques
Attackers use a variety of tactics to gain access to systems, data and physical locations. The top social engineering attack techniques include:
What Are the Potential Repercussions of a Successful Social Engineering Attack?
Social engineering is an exceptionally effective form of cybercrime. In 2019, for example, phishing, a subset of social engineering crimes, was responsible for a quarter of all data breaches - more than any other type of attack.[iii]
The repercussions from these common attacks can be significant. Because most social engineering attacks are driven by financial gain, organizations stand to suffer considerable financial loss. In 2020, for example, total U.S. cybercrime losses reported to the FBI topped $4.2 billion, with BEC the single largest contributor.[iv]
Companies might also experience a major business disruption - loss of productivity, a decline in employee morale and downtime as the organization recovers. The process of recovering from a social engineering attack can carry a hefty price tag: Often, organizations must hire an incident response team, purchase security software to help prevent future attacks and retrain employees. Moreover, businesses that fall victim to a social engineering attack could suffer damage to their reputation if customers no longer feel confident that the organization can protect itself.
9 Tips to Defend Against Social Engineering Attacks
As social engineering attacks become more sophisticated, they become more difficult to prevent. Nevertheless, there are important actions that cybersecurity awareness training can teach employees to take.
There are also leading practices that IT and IT security organizations can follow:
The Bottom Line: Social Engineering Training Can Help
Increasing knowledge through social engineering awareness training is one of the most effective ways to reduce the risk of a social engineering attack. Leading security awareness training solutions address social engineering and more in three- to five-minute modules to ensure that employees aren't burdened by a big time commitment and remain productive. Mimecast Security Awareness Training uses humor to engage users - a proven tactic that the American Psychological Association says engages employees, helps them retain critical information about emerging security topics, and ultimately changes their behavior.[v] Not only does social engineering awareness training help employees understand the role they play in helping to combat social engineering attacks, it acquaints them with best practices and behavio
[i] 'Internet Crime Report 2020,' FBI
[ii] 'Hire the Right Teachers for Better Security Awareness,' Gartner
[iii] 'Money makes the cybercrime world go round,' Verizon
[iv] 'Internet Crime Report 2020,' FBI
[v] 'How laughing leads to learning,' The American Psychological Association