Payment Security 101
Learn about payment fraud and how to prevent it
High-profile hacks emphasise the threat of social engineering.
Large enterprises like Toyota, Sony Pictures, Target, and other well-known brands have fallen victim to social engineering attacks, according to Gatefy. Along with phishing, smishing, or spear phishing attempts, social engineering statistics demonstrate a highly effective strategy for attackers to gain access to sensitive information and credential logins.
What makes social engineering dangerous is the ability to use psychological manipulation.
Relying on human error rather than penetrating vulnerable system systems directly. With enough background research and investigation processes, external perpetrators become threatening. We break down key social engineering statistics that impact organisations annually.
According to MAT journals, social engineering is a human behaviour-based technique for cyber attackers to compromise security vulnerabilities to steal sensitive information. What makes social engineering difficult for organisations to prevent, is because of its trickery and psychological manipulation of employees.
Other key findings involve external threat actors being the primary perpetrator (90%) and financial gain (91%) as the main motivation behind these social engineering attacks. According to the Data Breach Investigations Report (DBIR), these social types of attacks have increased over 5 years.
The most common social engineering attacks include phishing, spear phishing, whaling, smishing, vishing, baiting, piggybacking, tailgating, pretexting, business email compromise (BEC), and scareware. Sophisticated cybercriminals are always investigating and targeting employees on social media, website information, and public google information.
Cyber security awareness training should include theory and simulations for employees and employers to understand how these cyber-attacks are orchestrated. Unfortunately, very few understand the process behind a socially engineered attack. Social engineering is a multistep process that involves investigation, fetching, execution, and exiting.
Social engineering is being less spoken about in security awareness training. This is the same for smishing, vishing, role-based training, and multi-factor authentication. According to social engineering statistics, only 25% of respondents said their organisation allocates two or more hours to formal employee training each year.
Previous CISO at Horizon Power Jess Campbell said, “With the increase in maturity over the years of edge security, the easiest way in is through the weakest link, which generally tends to be individuals.” Employees are still being fooled to click on malicious links or reveal sensitive information.
The cost of cybercrime does not stop after the attack happens. After a data breach, businesses must pay recovery fees such as credit monitoring for affected parties and new cybersecurity software to prevent such attacks. Indirect costs are another consequence like tarnished reputation, productivity losses, and more.
One mistake organisation does after an employee departs from the company is not removing access to company information in time. Other than financial gain, revenge is another motivation behind an attack from former employees.
According to VPN alert, one reason why social engineering attacks are effective is that managers are not protecting sensitive data that do not to be accessed by employees. This also involves protecting data from deletion or modification. This fundamental cybersecurity practice, known as the CIA, is not currently being implemented.
Social engineering statistics demonstrate most attacks involve malicious attachments like Microsoft documents, invoices, PDFs, excel spreadsheets, or presentations. These types of messages involve some form of impersonation like accounts payable managers or CFOs.
Microsoft and Google Drive are reputable trusted brands that employees use daily. External attackers understand this and impersonate companies like Microsoft to abuse the company’s trust. A key takeaway is how much businesses underestimate cybercriminals’ abilities and the boldness of attacks.
Baiting is a type of social engineering attack where an attacker uses a false promise to trap victims to steal personal information or inflict their operating system with malware. This is also known as a reconnaissance attack. This technique allows attackers to assess specific email addresses in hopes to find targeted victims.
Baiting feeds on human curiosity and greed. This human component allows attackers to produce many types of baiting attack techniques such as tempting offers or dropping malware-infected devices. In one 2016 case, Australia’s Victoria Police Force issued a warning regarding unmarked USB flash drives containing malicious software (malware) dropped in random letterboxes in Melbourne.
Awareness and vigilance are the only defence mechanisms against baiting attacks. Individuals should think carefully before taking any action regarding finding random USB sticks. Especially if they are planted on your desk or in your drawer.
The goal of a baiting attack is to verify the existence of an email address or have the targeted individual involved in a conversation. Attackers may have thousands of business emails evaluated in order to identify any emails that may bounce back as “undeliverable”. These are being sent by newly created email accounts from email providers like Gmail or Outlook.
Gmail tops the most used domain to send email bait attacks compared to any other free email service provider. On average, an organisation may receive three distinct emails per company. The contents of baited emails may include an empty body with the subject line as “hi” to see if the email has been delivered or replied to.
AI-powered email security solutions are great for businesses that are looking to automate their email security. AI systems are programmed to identify emails that may seem suspicious and track phishing activities using algorithms. There are existing solutions that combat phishing attacks that could prevent you from falling victim.
Techniques like baiting and business email compromise are often targeted at senior executives like the CEO, CFO or CTO. Social engineering statistics highlight that senior executives are attacked by phishing scams twice as often as lower-tier employees.
Krishna Simha senior security strategist at Barracuda states that “we can speculate that executives have better disposable incomes and are therefore a higher priority target.”
Pretexting is a type of social engineering attack that involves a situation or pretext created by the attacker such as a fictional scenario. Common pretexting attacks include romance frauds, cryptocurrency scams, whaling attacks, and impersonations. Attackers manipulate the victim’s emotions like anger, fear, lust, guidance, and greed to lure them into a trap.
The difference between phishing and pretexting is phishing is the attack medium while pretexting is the attack method. Phishing and pretexting are typically used in combination to conduct a scam or to defraud an organisation.
Emails remain the top attack medium used to launch social engineering attacks. Along with financial gain as the main driver for phishing and pretexting attacks, this was divided into corporate espionage (41%).
A general pretexting attack works when a cyber-criminal has planned their next target. Through an investigation process, they gain as much public information as they can such as their name, business, email, social networks, suppliers, and access to systems and applications. Then they create spoofed email accounts to spark a conversation and then execute the pretext.
More than two-thirds of the Australian population has been contacted by a scammer in the last 12 months through spoofed text messages. According to Nine News, a common scam going around is the Flubot scam where scammers impersonate a legitimate business and message the recipient that they have missed a call. In the body text, it contains a malicious link or fake voicemail.
Not enough senior executives and managers are educating their staff on the importance of social engineering tactics and prevention methods. According to research, the type of attack that was taught was phishing. Businesses must keep up with the increasing threat landscape to combat cyber threats, involving all types of social engineering like baiting, pretexting, and more.
According to the Australian Competition & Consumer Commission (ACCC), whaling or spear phishing is defrauding businesses specifically senior management through personalised spoofed emails. Scamwatch statistics highlight the significant monetary loss businesses incur when they are faced with spear phishing attacks.
Scammers love to target their victims through mobile devices because of the behaviour that comes with using a mobile phone. Oftentimes, executives have tight schedules daily. With the daily consumption use of mobile devices, individuals can pre-emptively click on malicious links without realizing the intent of the message.
The volume of bulk phishing attacks rose 12% year over a year involving spear phishing, whaling, and BEC. Large enterprises are the most targeted when it comes to cybercriminals using the three combinations of attacks.
According to the 2022 state of the phish report, attackers were more successful in 2021 than in 2020. Millions of malicious emails are blocked every day from email gateways yet the attacks that do become successful do a lot of damage.
Organisations that are looking to combat targeted spear phishing threats should consider implementing an email-security solution that can detect and block email attacks. Some solutions offer better technology than others like AI algorithms that can detect malicious messaging or spam.
According to Symantec, the motivation behind the attack of hacker groups conducting spear phishing was intelligence gathering. This could mean several situations such as playing a bigger attack, gaining information for another competitor, or monitoring any signs of internal fraud.
It is no surprise that these types of attacks occur on the weekends. Attackers have more time to plot a cybercrime against organisations and follow through. Leaving senior management unaware of the attack.
Fireeye reports state that a spear phishing attack can display one or more characteristics like blended or multi-vector threats, use of zero-day vulnerabilities, multi-stage attacks, or well-crafted email forgeries.
Instead of using technological tools to conduct a cyber-attack, cyber criminals use a psychological attack against a targeted individual or organisation. Victims are normally targeted in two ways, on mobile devices like text or phone impersonations or online through email phishing attacks.
The objective of this attack is to lure into a false sense of security to reveal sensitive data or access to perform fraudulent activities.
According to Proofpoint, there are six social engineering types such as phishing, vishing and smishing, CEO fraud, baiting, tailgating or piggybacking, and quid pro quo. Usually, these techniques involve using email or text messages.
With the increased use of technology, social engineering is recognised to be one of the most effective methods to steal information and breakthrough cybersecurity defences. They are effective because it is often easier to exploit lower-tier employees who are not aware of these attacks or how to respond.
Employees should be suspicious of every unsolicited phone call, email, or message from unknown senders. Individuals should read the contents of the message before clicking on any suspicious links or email attachments as well as verify by using another form of contact like phone calls. You can look out for links, emails that look off, logos or images that look off, suspicious requests, or messages that include a sense of urgency.
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.