Which of the following is the most common form of social engineering used by hackers?

Regardless of how robust an organization’s cybersecurity defenses are, cyber threat actors employing social engineering attacks remain a substantial threat. Unlike technology-focused attacks that exploit vulnerabilities in an organization’s networks or overall IT infrastructure, social engineering attacks leverage human psychology to gain network access. Phishing represents the most common form of social engineering attack.

How the Most Common Form of Social Engineering Works

Cyber threat actors execute social engineering scams by leveraging psychological vulnerabilities such as emotional triggers and habitual tendencies to gain system access. Phishing, the most common form of social engineering, exploits people’s trust. When a phishing attack succeeds, various access points to an organization’s networks become compromised.

The most critical of these include:

  • Vulnerabilities exploited via web applications and activity
  • Vulnerabilities exploited via mobile applications

Phishing Statistics

According to both the FBI’s “2020 Internet Crime Report,” compiled by the Internet Crime Complaint Center, and an August 2021 statistics report published on Statista, phishing represents the most common form of social engineering attack.

Note that while both sources present one other type of attack as more prevalent than phishing, the leading attacks are a type of phishing or commonly executed via phishing methods.


2020 Internet Crime Report—Phishing Data 

The FBI reports that business email compromise [BEC] attacks accounted for 19,369 complaints with an adjusted loss of roughly $1.8 billion. In comparison, phishing scams accounted for [a much more frequent] 241,342 complaints with an adjusted loss of more than $54 million.

However, the FBI’s definition of business email compromise [BEC]—“criminals send an email message that appears to come from a known source making a legitimate request”—is, categorically, a type of phishing attempt.

“Increases in cyber attacks according to IT professionals in 2021, by type”

In a survey published on Statista on August 18, 2021, over half of the responding IT professionals identified a recent increase in the frequency of phishing emails. Most of the survey respondents identified data exfiltration and leakage as the fastest-growing cyber attack.

However, the National Institute of Standards and Technology [NIST] defines “exfiltration” as “the unauthorized transfer of information from an information system.” These unauthorized transfers are often facilitated by a malicious intruder gaining access to a network or deploying viruses or malware via phishing attempts.

Vulnerabilities Exploited Via Web Applications and Activity

Phishing targets vulnerabilities in web applications such as email. Threat actors behind phishing attacks may send fake emails designed to elicit sensitive information from victims. The pretext is typically information that evokes emotional responses from an unsuspecting recipient, such as fear or anticipation.

Threat actors can also execute a spear-phishing attack, targeting a specific group of people. Personal information such as names, email addresses, or physical addresses provides threat actors with sufficient legitimacy to trick victims.

Spoofing is another commonly used social engineering attack, exploiting vulnerabilities in both human psychology and email protocols. With spoofing, threat actors leverage legitimate-looking communications to convince victims to divulge sensitive information [e.g., BEC]. Threat actors can also launch spoofing attacks by encouraging victims to click on a malicious link that redirects to a fake website, where victims unsuspectingly provide sensitive information.

Identifying Common Social Engineering Threats Via Web Applications

The most common form of social engineering relies on inherent human vulnerabilities to breach web application access points. A web application security assessment can help identify phishing threats, the most common of which include:

  • Emails from addresses that appear legitimate but contain spelling errors
  • Unusual spelling and grammatical errors in the email subject line, the body, or both
  • An unfamiliar and false sense of urgency, demanding an immediate response
  • Emails asking recipients to open attachments or click embedded links
  • Linked URLs that do not match the displayed text, use shortened addresses, or navigate to websites with unverified SSL certificates

A thorough web application risk assessment can help identify vulnerabilities in your organization’s web apps, minimizing risks to the latest social engineering attacks via phishing. 
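The indicator list above can be turned into a first-pass mail filter. The following is an added example, not code from the original article or from RSI Security: a small Python checker that scores a single message against those indicators (a sender domain that imitates a trusted one, urgency language, anchor text that does not match the real link target, URL shorteners, and plain-HTTP links). The trusted domain `example-bank.com`, the shortener list, the urgency phrases and the two sample messages are all assumptions constructed for illustration; the SSL-certificate indicator is left out because it needs a live connection to check.

```python
"""Heuristic phishing-indicator checker for one email (added example; the
allowlist, phrase list and sample messages below are constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: domains this hypothetical organisation expects mail from.
TRUSTED_DOMAINS = {"example-bank.com"}
# Well-known public URL shorteners; a shortened link hides its destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Phrases that manufacture a false sense of urgency (matched case-insensitively).
URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\burgent\b", r"\bwithin 24 hours\b", r"\bfinal notice\b",
    r"\baccount (?:has been|will be) suspended\b", r"\bverify your account\b",
]
# Anchor text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _host(url):
    return (urlparse(url).hostname or "").lower()


def sender_indicators(sender):
    """Flag a From: domain that imitates a trusted domain (e.g. '1' for 'l')."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return []
    # Undo digit-for-letter substitutions and hyphens, then look for the brand.
    squashed = domain.translate(str.maketrans("10", "lo")).replace("-", "")
    brands = {t.split(".")[0].replace("-", "") for t in TRUSTED_DOMAINS}
    return ["lookalike-sender-domain"] if any(b in squashed for b in brands) else []


def urgency_indicators(text):
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text, re.IGNORECASE)]
    return ["urgency-language"] if hits else []


def link_indicators(html):
    flags = set()
    for text, href in extract_links(html):
        target = _host(href)
        if URL_LIKE.match(text):
            shown = _host(text if "://" in text else "http://" + text)
            if shown != target:
                flags.add("link-text-mismatch")   # displayed URL != real target
        if target in SHORTENERS:
            flags.add("shortened-url")
        if urlparse(href).scheme == "http":
            flags.add("plain-http-link")          # no TLS at all
    return sorted(flags)


def score_message(sender, subject, body_html):
    """Return the sorted list of indicator names triggered by one message."""
    plain_body = re.sub(r"<[^>]+>", " ", body_html)
    found = set(sender_indicators(sender))
    found.update(urgency_indicators(subject + " " + plain_body))
    found.update(link_indicators(body_html))
    return sorted(found)


# Constructed sample messages (not real mail).
PHISH = {
    "sender": "alerts@examp1e-bank-secure.net",
    "subject": "URGENT: your account will be suspended",
    "body_html": '<p>Verify your account immediately: '
                 '<a href="http://bit.ly/xyz123">https://example-bank.com/login</a></p>',
}
LEGIT = {
    "sender": "statements@example-bank.com",
    "subject": "Your monthly statement is ready",
    "body_html": '<p>View it at <a href="https://example-bank.com/statements">'
                 'https://example-bank.com/statements</a></p>',
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, score_message(**msg))
```

Each function returns only the indicator names it found, so the checker can feed a mail gateway rule or a ticketing alert rather than blocking outright; a single hit (a shortened link in a newsletter, say) is weak evidence, while the sample phishing message trips all five. The lookalike check is deliberately crude and will miss homoglyphs outside the digit substitutions it knows about.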

Vulnerabilities Exploited Via Mobile Applications

Similar to email phishing, the most common form of social engineering may be executed via mobile devices and applications.

Threat actors execute vishing attacks by eliciting a false sense of urgency, fear, or anticipation over voice communication. Social engineering impersonation techniques such as caller ID spoofing via VoIP can help hackers convince unsuspecting victims to provide sensitive information.

Some of the common indicators of the latest social engineering attacks executed via vishing include:

  • Callers requesting personal information, including:
    • Member IDs
    • Passwords
    • Personal identification numbers [PINs] or similar personally identifiable information [PII]
    • Protected health information [PHI]
  • Unexpected phone calls from trusted institutions such as healthcare providers
  • Callers claiming to call from trusted institutions such as banks or federal agencies, including the IRS, SSA, or FBI, and requesting personal information in response to suspicious activity, suspended accounts, or alleged criminal activity

The complexity of these latest social engineering attacks requires consistent cybersecurity awareness training to help your organization’s employees be better prepared for, and vigilant against, possible vishing attacks.

Mobile Application Vulnerabilities Exploited by Smishing Schemes 

Threat actors can also use smishing, the text-message variant of the most common form of social engineering, to gain network access.

Unlike vishing, which leverages voice communication to obtain sensitive information, smishing uses text-message phishing to gain access to connected web applications, opening further access to the broader suite of networked applications. By eliciting a false sense of urgency, hackers can convince victims to click on malicious links, dial a number, or provide sensitive personal information.

Working with a trusted and reliable cybersecurity program advisor can help your organization design and build a security awareness program, guiding employees in identifying and appropriately responding to phishing threats.

Prevent the Most Common Form of Social Engineering Professionally

When faced with robust cybersecurity defenses, hackers can still use phishing—the most common form of social engineering—and similar methods to launch a cyberattack by exploiting the vulnerabilities associated with human emotions, such as fear and anticipation.

Professional managed security services and advisory are often the best way to keep all forms of phishing at bay. If your organization is seeking help building a customized and effective cybersecurity awareness program, contact RSI Security today for a quick consultation.

RSI Security

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institutions, and governments to ensure the safety of their information and their compliance with applicable regulations. We are also a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance, and provide additional safeguard assurance. With a unique blend of software-based automation and managed services, RSI Security can assist organizations of all sizes in managing IT governance, risk management, and compliance efforts [GRC]. RSI Security is an Approved Scanning Vendor [ASV] and Qualified Security Assessor [QSA].

What is most common form of social engineering used by hackers?

Phishing attacks are one of the most common types of social engineering attacks. These attacks occur when the attacker sends an email or message to the target, which typically includes a link to a website that looks legitimate.

What is the most common form used by hackers?

Phishing: The Most Common Form of Social Engineering. Phishing is a form of email scam where someone sends an email claiming to be from a trustworthy business or person.

What is the most common tactic social engineers use?

Most common form of social engineering: Phishing. The most common social engineering attacks come from phishing or spear phishing and can vary with current events, disasters, or tax season. Since about 91% of data breaches come from phishing, this has become one of the most exploited forms of social engineering.

What are the 3 common methods of social engineering?

Types of social engineering attacks:

  • Pretexting social engineering attack. Pretexting is a sophisticated social engineering technique where the attacker collects information through cleverly crafted lies in the form of a story or pretext. ...
  • Phishing attack. ...
  • Baiting attack. ...
