Social engineering cyberattacks and how they’re impacting businesses

Dec. 21, 2020
If businesses cultivate a culture of security and zero-trust, they can avoid falling prey to social engineering

Cyberattacks, perhaps more so than any other type of crime, follow trends. As security professionals find ways to protect against old techniques, cybercriminals find opportunities elsewhere to infiltrate businesses’ defenses. One of the most prevalent trends in cybercrime right now is social engineering.

Cybercrime can be a lucrative endeavor, as experts expect it to cost the world $10.5 trillion annually by 2025. The world’s digital defenses have grown in response to this rising threat, but many cybercriminals have adopted a new strategy. Through social engineering, they target businesses’ most vulnerable assets, those that software can’t fully protect — people.

What Is a Social Engineering Attack?

Most cybercrime techniques revolve around finding and exploiting weak points in a company’s digital infrastructure. Social engineering is different in that it targets employees, not the network itself. Since worker mistakes and misbehavior are the leading cause of data breaches, this method can be painfully effective.

Social engineering attacks are typically more psychological than they are technological. Instead of using sophisticated hacking techniques or in-depth knowledge of computers, they rely on tricking people into giving away information. Cybercriminals that engage in social engineering are digital con artists, gaining vulnerable people’s trust to steal money or data easily.

Criminals don’t need to be expert hackers to pull off a successful social engineering attack, which is part of why it’s become so popular. Since it targets people and not systems, traditional cybersecurity techniques can only do so much to stop it. No matter how sophisticated a network’s defenses are, they won’t do much if an insider gives away access freely.

A New Wave of Cybercrime

Social engineering is dangerously effective and has been trending upward as cybercriminals realize its efficacy. According to Verizon’s 2020 Data Breach Investigations Report, phishing, a subset of social engineering, was responsible for 25% of data breaches in 2019. That’s more than any other type of attack, and it’s only become more popular in 2020.

In a recent report, 53% of cybersecurity professionals say they’ve noticed an increase in phishing attacks since the COVID-19 pandemic started. More alarmingly, 30% say these attacks have become more successful during the same period. The chaos of the pandemic has made people more vulnerable as they’ve become less skeptical of unexpected news and eager for answers.

Amid widespread uncertainty, people are more likely to click a link they would otherwise be suspicious of if it promises help. As many businesses adjusted their operations, emails requesting information or asking for unusual actions seemed less out of place. All of this shows that social engineering attacks are more prevalent and threatening than ever.

Direct Costs of Social Engineering

It’s evident now that social engineering is a prominent threat to businesses of every type and size. What makes this trend even more troubling is how harmful these attacks can be to a company. The FBI’s 2019 Internet Crime Report shows that scammers stole more than $1.7 billion through business email compromise alone.

On average, social engineering attacks cost $130,000 through money stolen or data destroyed. That number is typically just the beginning of the costs for a targeted business, too. After a breach, companies must pay recovery fees such as credit monitoring for affected parties or new cybersecurity software.

Many social engineering attacks also target customers, often using phishing to install ransomware. If these attacks expose client data, companies can find themselves in the middle of a costly legal battle. Breach settlements frequently cost millions of dollars in compensation, which doesn’t include legal fees.

Indirect Losses

These direct monetary losses aren’t the only way social engineering attacks cost businesses, either. Every time an incident occurs, the affected company has to take time to address it, which results in lost productivity. Severe breaches could even lock employees out of systems, leading to more lost time and costing more money.

After an incident, companies typically have to hold meetings, readdress their cybersecurity policy and more. These steps are crucial in preventing future attacks, but every minute spent in them is a minute not spent on profitable tasks. Productivity losses are just the beginning of the indirect costs of social engineering, too.

Perhaps the most damaging side effect of any data breach is a tarnished reputation. A Ponemon Institute study found that 65% of surveyed consumers lose trust in a business after a data breach. Furthermore, 27% ended their relationship with a company, and stock prices fall an average of 5% after a breach.

Common Signs of Social Engineering

It’s difficult to overstate the importance of preventing social engineering attacks, and the first step in defense is awareness. When businesses and employees know the signs of an impending attack, they can better avoid it. The three most common giveaways of social engineering attacks are inconsistency, urgency and pressure.

Phishing is the most prevalent form of social engineering, and these fraudulent messages typically show signs of inconsistency. If the tone or structure is different from a usual note from the supposed sender, it’s likely a fake. Inconsistencies in email addresses or links also indicate phishing.

Many social engineering attacks deliver an urgent message to inspire fast, thoughtless action from targets. They may impersonate government agencies or officials to add to this sense of urgency, so users should always double-check messages seeming to come from these sources. Anything that looks unusually urgent, especially if out of nowhere, is likely a scam.

Similarly, cybercriminals tend to put a lot of pressure on targets in their attacks. They may urge users to act quickly or tell them to avoid standard behavior in a situation. This pressure is an attempt to get people to make a mistake before they can think about their actions.
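The three giveaways described above (inconsistency, urgency and pressure) can be turned into a first-pass email check. The following Python heuristic is an added example, not code from the article or its author; the domain names, keyword lists and the sample message are constructed assumptions, and a real mail filter would add a public-suffix list and SPF/DKIM results rather than rely on these crude tests alone.

```python
# Heuristic checker for the three phishing giveaways described above: inconsistency
# (sender, Reply-To and link mismatches), urgency and pressure. The word lists and
# the sample message are constructed for this example, not taken from the article.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(immediately|within \d+ hours|urgent|act now|suspended|expires? today)\b", re.I)
PRESSURE = re.compile(r"\b(do not (contact|call|tell)|skip the usual|bypass|keep this confidential)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST = re.compile(r"[\w-]+(?:\.[\w-]+)+")  # first host-like token in the link text

def registrable(host):
    # crude: last two DNS labels (sso.example.com -> example.com); no public-suffix list
    return ".".join((host or "").lower().strip(".").split(".")[-2:])

def check_message(raw, org_name, org_domain):
    # returns the list of signs found in one RFC 822 message (empty list = nothing seen)
    msg, signs = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.rpartition("@")[2])
    if org_name.lower() in name.lower() and from_dom != org_domain:  # inconsistency 1
        signs.append(f"display name '{name}' but sender domain '{from_dom}'")
    reply_dom = registrable(parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2])
    if reply_dom and reply_dom != from_dom:  # inconsistency 2: replies diverted elsewhere
        signs.append(f"Reply-To domain '{reply_dom}' differs from sender '{from_dom}'")
    body = msg.get_payload()
    for href, text in LINK.findall(body):  # inconsistency 3: shown URL != real target
        shown, target = HOST.search(text), registrable(urlparse(href).hostname)
        if shown and registrable(shown.group(0)) != target:
            signs.append(f"link text shows '{shown.group(0)}' but points at '{target}'")
    if URGENCY.search(body):
        signs.append("urgency language")
    if PRESSURE.search(body):
        signs.append("pressure to skip normal verification")
    return signs

# constructed sample that shows all three giveaways at once
PHISH = """From: Example IT Support <it-support@example-com-secure.net>
Reply-To: helpdesk@mail-recovery.net
Subject: Action required: password expires today
Content-Type: text/html

<p>Your password will be suspended within 24 hours unless you verify it now.
Do not contact IT by phone; use the link below.</p>
<a href="http://login.example-com-secure.net/reset">https://sso.example.com/reset</a>
"""
```

Calling `check_message(PHISH, "Example", "example.com")` returns five signs for the sample; a message whose display name, address, Reply-To and links all agree returns an empty list.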

Preventing Social Engineering Attacks

Since social engineering attacks target people, the most effective defenses against them involve people as well. Training employees to recognize the signs of social engineering will make them less likely to fall for these scams. Holding regular meetings where security professionals go over common attack techniques will help workers remember these signs.

Instilling a lack of trust is crucial to defending against social engineering attacks. The Cybersecurity and Infrastructure Security Agency says to be suspicious of all unsolicited messages and calls. If someone claims to be an official source, always verify their identity before complying with their requests.

Behaviors are the best defense against social engineering, but technological steps can help, too. Network segmentation can ensure that only the people who absolutely need access to a system have it. That way, if an employee does fall for a scam, the system’s design will limit the damage the attacker can do with that one account.

Advanced email filters can detect potential scams and filter out fraudulent emails before they reach employees. The more comprehensive a system’s anti-malware is, the better it will be at mitigating the risk of things like ransomware. Multifactor authentication can help prevent social engineering attacks by making it harder for scammers to get the information they need to access a system.

All Businesses Need to Defend Against Social Engineering

Social engineering can affect any business at any time. These threats are dangerous, prevalent and growing, so all companies need to ensure they have defenses in place against them. Thankfully, preventing these attacks is often straightforward.

If businesses cultivate a culture of security and zero-trust, they can avoid falling prey to social engineering. Humans are a company’s most vulnerable asset, but they can also be its most effective defense.

About the author: Devin Partida covers cybersecurity topics for International Security Journal, AT&T's Cybersecurity blog and, where she is the Editor-in-Chief. Find her there to read more of her work.