Social Engineering Continues to Dominate as the Cost of Cyberattacks Rises

Social engineering is the art of manipulating, influencing, or deceiving someone into taking an action that isn’t in their best interest or the best interest of their organization. The goal of social engineers is to obtain your trust, then exploit that relationship to coax you into either divulging sensitive information or giving them access to your network. The best social engineers use your emotions to create a sense of urgency, and their attacks can be very convincing.  

Social engineering incidents have almost doubled since last year to account for 17% of all breaches, according to Verizon’s 2023 Data Breach Investigations Report (DBIR), which analyzed more than 16,312 security incidents, of which 5,199 were confirmed data breaches.

Among these attacks, BEC, or business email compromise, has become more popular. In this attack, the perpetrator uses existing email communications and information to deceive the recipient into completing a seemingly ordinary task, like changing a vendor’s bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear. 

It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the vendor’s.

Attackers can make subtle changes to trick their targets, especially if they receive similar legitimate requests. This could be one reason BEC attacks have nearly doubled and now make up over 50% of incidents in this category. 

Timely detection and response are crucial when dealing with social engineering attacks, as well as most other attacks. The median cost of BECs now averages around $50,000, emphasizing the significance of quick detection. The cost of ransomware attacks has also doubled since last year, reaching the million-dollar range.

The evidence points to a gaping need for organizations to get in control of the security basics — or else face a spiraling cycle of inflation for data breach costs. Security solutions provide solid coverage for most social engineering attacks. Still, for that small percentage of attacks that make it to the user, it’s only Security Awareness Training that will be the difference between a protected organization and an enabled attack.

Information used in this article was provided by our partners at KnowBe4.