By Bob Ackerman | January 14, 2025
Virtually all adults connected to the digital world are familiar with social engineering. They should be better informed, however, because it is financially toxic and keeps growing. According to Amsterdam-based cybersecurity company Surfshark, hundreds of thousands of Americans annually lose more than $8 billion in aggregate.
For those a bit hazy about the topic, social engineering is a psychological manipulation tactic used to gain access to information or systems, or to trick people into performing actions. Impersonation is widespread, as hackers pretend to be a trusted organization or someone the victim knows. Social engineering attacks are often successful because cybercriminals use human emotions, such as fear and greed, to make their attacks more convincing.
In fact, social engineering has replaced malicious software as the weapon of choice for cybercriminals. Why is this?
IT giants such as Microsoft and Apple have invested billions in improving the security of their products, making hardware and software really difficult to break and conventional hacking less effective. So, cybercriminals increasingly turn to social engineering, the easiest tool in their toolbox. Much of social engineering is based on emotional response, a tactic many criminals have mastered. According to cybersecurity giant FireEye, phishing emails, as an example, have ten times the click-through rate of marketing emails.
A typical social engineering attack often begins with a seemingly harmless email.
Say that you’re a mid-level finance office worker at a large company. One day you receive an email from an Internet domain that closely resembles your domain. The message appears to come from the company’s financial vice president. He tells you he needs your help with something. Eventually, the “vice president” tells you he would like you to transfer money to a new company supplier. If you make the payment, you have been hacked. Global organizations are especially vulnerable to attacks because employees don’t always know their colleagues in other departments.
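The scenario above turns on a sender domain that closely resembles the company's own. The following is an added example, not code from the original article, of a defender-side check a mail gateway or SOC script could run over incoming From: headers: it normalizes common look-alike character substitutions, compares the registrable domain against the company's, and flags near matches for review. The company domain `example.com`, the sample header lines, the homoglyph table and the edit-distance threshold are all constructed for illustration.

```python
"""Flag email sender domains that closely resemble a company's own domain.

Added example (not from the original article). The company domain, sample
From: lines, homoglyph table and threshold below are constructed assumptions.
"""
import unicodedata

# Common visually similar substitutions. Assumption: illustrative, not exhaustive.
# Multi-character entries are listed first so they are collapsed before singles.
HOMOGLYPHS = {"vv": "w", "rn": "m", "0": "o", "1": "l", "|": "l", "\u0131": "i"}


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and collapse common homoglyph substitutions."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels ('mail.example.com' -> 'example.com').
    Assumption: simplified; production code should consult a public-suffix list."""
    parts = domain.strip().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_sender(address: str, company_domain: str, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: address."""
    if "@" not in address:
        return "external"
    sender = registrable(address.rsplit("@", 1)[1])
    ours = registrable(company_domain)
    if normalize(sender) == normalize(ours):
        # Identical after normalization: either our own domain or a homoglyph copy.
        return "internal" if sender.lower() == ours.lower() else "lookalike"
    name_sender, _, _ = normalize(sender).rpartition(".")
    name_ours, _, _ = normalize(ours).rpartition(".")
    # Same name under another TLD, or a name a few edits away, is worth holding.
    if name_sender == name_ours or levenshtein(name_sender, name_ours) <= max_distance:
        return "lookalike"
    return "external"


def scan_from_lines(lines, company_domain):
    """Classify every 'From:' header line; returns [(address, verdict), ...]."""
    results = []
    for line in lines:
        if line.lower().startswith("from:"):
            addr = line.split(":", 1)[1].strip()
            results.append((addr, classify_sender(addr, company_domain)))
    return results


# Constructed sample headers (not real mail traffic).
SAMPLE_FROM_LINES = [
    "From: cfo@example.com",
    "From: cfo@exarnple.com",
    "From: cfo@examp1e.com",
    "From: vp.finance@example.co",
    "From: vendor@acme-supplies.com",
]

if __name__ == "__main__":
    for addr, verdict in scan_from_lines(SAMPLE_FROM_LINES, "example.com"):
        print(f"{verdict:9s} {addr}")
```

The edit-distance threshold should scale with the length of the company name; a fixed distance of 2 will produce false positives for very short names. A check like this complements, rather than replaces, SPF/DKIM/DMARC verification, since the attacker controls the look-alike domain and can pass those checks for it.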
No one is guaranteed to never fall for a social engineering attack. Many cybercriminals are very adept. Their techniques tend to hinge on the attacker’s use of confidence and persuasion to convince their targets to take actions that would otherwise be out of character. And, too, it’s the rare human who doesn’t have a few mild weaknesses social engineering can exploit.
It’s often said that cybercriminals have three effective levers – urgency, emotion, and even habit. Habit is debatable. Urgency and emotion are not. In the case of urgency, few people want to miss out on a time-sensitive opportunity or fail to meet an important deadline. Cyber attackers also have an upper hand in emotional manipulation because they create a sense of urgency and sometimes even fear, knowing that flustered humans are more likely to take risky actions.
Not surprisingly, business email compromise (BEC) attacks are particularly common because this is where the most money is. BEC attackers target businesses and organizations by impersonating trusted individuals or compromising email accounts, typically to trick a manager into performing a financial transaction or other unauthorized action. Hackers commonly target senior executives. They also single out human resources and payroll, and sometimes impersonate high-ranking executives to pressure lower-level employees into performing unauthorized actions.
In 2023, the FBI's Internet Crime Complaint Center (IC3) received 21,489 BEC complaints, resulting in losses of more than $2.9 billion. This means that a single BEC attack costs a business an average of $137,132. The IC3 received a record 880,418 complaints overall, a 10% increase over 2022, according to the FBI.
The relative ease with which social engineering succeeds was underscored a few years ago at the annual DEF CON security and hacking conference. Hackers demonstrated their social engineering techniques in front of an audience at Caesars Palace in Las Vegas. Their goal was to con their way through the call centers of multiple large companies, pretending to be a co-worker calling in for help, to probe for security weaknesses.
What amazed the audience was how easily the attackers obtained detailed information about the companies and even got some of their “victims” to browse potentially malicious websites. The hackers asked the victims a range of questions about their companies, and the victims mostly cooperated, underscoring how important it is not to underestimate the simplest of attack vectors.
What steps can companies take to mitigate social engineering? Below are a few suggestions:
+ Security Awareness Training. Educate employees about common tactics, such as phishing, pretexting, and baiting, so they can identify red flags and respond appropriately. Creating a culture of security awareness is pivotal in preventing attacks of any kind.
+ Phishing Simulations. Regularly conduct simulated phishing campaigns to assess employee awareness and identify areas in need of improvement. Conduct different types of phishing attacks. Measure the results afterward to better tailor security awareness programs.
+ Embrace Multi-factor Authentication. This adds an extra layer of security, making it harder for attackers to gain access even if they acquire credentials through social engineering.
Probably the most effective step would be the adoption of zero trust, whose goal is to ensure that no part of a company’s IT systems assumes that any other part – human or software – is who or what it claims to be. Microsoft and a few other IT giants have made big steps here. It’s challenging for many other companies, however, because it essentially necessitates a very expensive renovation of their systems.
In addition, zero-trust systems can create friction for users and employees. Security is always a balance between giving people the access they need and demanding that they prove their identity. Still, zero trust warrants organizational review, even on a small scale, because security constantly requires improvement. The mitigation steps listed above should also be a priority.