Social Engineering Hacks—Are They a Bigger Threat than Ransomware in 2023?


Nicholas McCourtWe’re making a dent in hacking. Cybersecurity tools are better, and employee security training is better, too. The emergence of the cloud means that hacker delights like uninstalled security patches happen far less. Now that most companies are backing up and operating in the cloud, continuously updated cybersecurity coverage is baked into your platform. Great news, right? It is. However, evidence is emerging that hackers are starting to change their tactics. Cybercriminals have become so sophisticated with social-engineered phishing attacks that it’s hard to see them coming. They can arrive at your employees with a good impersonation or a plausible reason and get them to hand over their emails. It can be all they need to infiltrate your systems.

The numbers bear that out. According to Verizon’s 2023 DBIR (Data Breach Investigations) Report, ransomware is leveling off a bit after the recent “gold rush” period, while social engineering attacks have doubled. When hackers do get in, they’re costing companies more—breaking the $1 million dollar per breach mark for the first time this year. A full 74 percent of all hacks reported involved human error of some kind, nearly half of them starting as social engineering emails.

All these troubling stats beg the question: should we be getting more concerned about social engineering than ransomware? I think the answer could be yes. Cloud-based technologies and mobile applications that tie into your systems are fantastic productivity boosters. With just a couple of credentials, you can access your company’s systems from anywhere and operate systems remotely. Access is simpler than ever. And if it’s easy for your employees, it’s easy for the hackers, too.


Social Engineering:  The Simple Threat That’s More Sophisticated Than Ever

So, let’s get clear about exactly what social engineering is. Simply put, it’s the “ask” that hackers make. It’s personal. Social engineering could be the call to your receptionist, asking for an email so they can send a proposal to an employee. Or perhaps it’s a hacker spoofing an email from the head of HR telling you to download the latest employee manual. Or maybe you’ve received a fake  request from a client who’s asked your accounting staff to resubmit banking information so “they can pay your latest invoice.” More than 90 percent of all hacks involve some social engineering element. Now that crude methods like brute force hacks don’t work like they used to, hackers are showing an alarming level of sophistication in their attacks. They’re getting harder to spot.

All it takes is one lousy click from your employees for a hacker to get past your cybersecurity protections. Verizon has been following the likelihood of that happening for years. The company has come up with this number:  2.9 percent. That’s the percentage of employees in your organization who are likely to fall prey to a “social-engineering ask.” It’s a number that’s stayed consistent, year after year. If that’s not making you nervous, it should. We have a lot of work to do to get that number to zero.


Types of Social Engineering Attacks We’re Seeing Now

Social engineering attacks these days have come a long way from the “Nigerian prince needs a loan” phishing messages. Sometimes the hackers are so slick that you never see it coming. Here are a few particularly scary examples.


The Fake Sales Call

A hacker does a little research on LinkedIn to look at your employee base and figure out who the sales leaders are in your company. They read related posts. Figure out what they like to sell the most. Then they call your company, asking to speak to that employee directly. They talk to them, spinning a yarn about how their email service is down this afternoon, but they’d like to send you some bullet points about this RFP they’re about to send out. The employee hands out his work email. The hacker sends a document for him to download with the RFP. But it’s filled with malicious code that unleashes a worm into the system. The salesperson never hears anything more. But the bug sits in your system for months, scraping data, until the day the ransomware request comes in.


Mining LinkedIn for Extortion

Most of us post our contact information on LinkedIn without a second thought. After all, these people are your connections. Why wouldn’t you want them to be able to reach you easily? Who wouldn’t want to grow your LinkedIn network? The more people you know, the more influence you have—right?

It’s not bad advice. But be advised—social media platforms have become a social engineering paradise.

Here’s an example. You’ve been careful. You set most of your contact information only for your connections to see. Yet, you get a LinkedIn connection request from someone in your industry. There’s a picture. The profile looks legit, so you click connect and don’t give it a second thought. But that LinkedIn connection has your email address now. They take that email address and use it to sign you up for accounts on every nefarious website on the internet. Maybe it’s a child porn site. Or some repellent political activism group that contradicts your company’s values. They’ll send you screenshots of your “accounts” and tell you that they’ll send all this out–destroy your career, marriage, and reputation.

They’ll tell you it could all go away if you just let them have a few company passwords. Or maybe they want money. Either way, it’s a difficult situation to navigate.


Slick Impersonations

Most people know to look for bad grammar, poor email layouts, or other little tells that someone is not who they are pretending to be. But social engineering attacks are getting so good that it’s hard to tell the fakes from the real thing. Here are some examples of social engineering “spoofing” hacks that might fly under most people’s radar.


How Spoofing’s Gone Up Market:

A message from the CEO arrives, asking you to enter your company password information. Then, it says you can receive new information about the company insurance plan changes. You find out later you were the only one to get the message, and there are no insurance plan changes. You just downloaded malware in the company system and gave away your credentials.


You work in accounting. You receive a phone call from someone who sounds exactly like your CEO, saying a new vendor needs a profile in the accounts payable system. The message asks you to transfer money into an account to get a new vendor’s service up and working. The vendor is reputable and one you’ve seen advertised. You follow his directions on the phone, generate a profile and a PO, and wire transfer the money to the account per his instructions while you’re on the phone. Everything looks legit. Later, you bump into the CEO in the hall and ask him if the vendor received the payment. He has no idea what you’re talking about. Congratulations. A hacker has infiltrated your company, using deep fake technology to mimic your CEO’s voice. Sound far-fetched? It happened to an energy company in the UK.


You receive an email from a current vendor saying new plans for the year are out, and there’s been a price revision. It directs you to open a document that looks like an Excel spreadsheet. When you go to open the Excel sheet, it’s blank. A pop-up appears that directs you to enter your M365 cloud credentials again. Supposedly, this will open the document. However, it never does open, and you go about your day. Only now, hackers have your login and can access everything you can, anywhere. This attack was rampant among M365 users in 2021.


All a Hacker Needs Is One Slip

Hackers will seek to exploit your trust in your co-workers and institutions like banks, healthcare organizations, insurers, clients, vendors, and so much more. They’re also banking on people being busy and not noticing the slight differences in the bogus emails or website addresses they’ve used. Modern hackers can use social engineering to steal more than Al Capone ever thought about making without firing a single shot. The better our tech tools become, the more hackers can use them for evil. So, what can you do about it?


What Your Company Can Do to Fight Against Social Engineering Attacks

If you’re not actively fighting against social engineering, chances are good you’re already a victim. And yes, it’s scary. Thankfully, there are things you can do to stop or at least slow down these attacks. Here’s what we recommend:


Parting Thoughts

“You’re only as strong as your weakest link.” It’s an overused adage, but it applies here. Your employees are your best—and sometimes your only—defense against these attacks. Empower them with security education so they can learn to think critically about the messages they receive. Give them the channels to report suspicious messages and the clearance to admit when they’ve clicked on something they wished they hadn’t. It could be the best thing you’ve ever done for your bottom line.

Nick McCourt is a vCISO, CISSP at Integris.

Keep reading

vCIO vs. vCISO: What’s The Difference? 

vCIO vs. vCISO: What’s The Difference? 

Managing your IT operations is a big job, especially if you're a small or mid-sized company without the resources to hire a full internal IT staff. In these cases, most companies hire a managed IT service provider to fill the gaps. Yet, knowing who to hire and what...

Retainers for vCIOs and vCISOs: A Comprehensive Guide

Retainers for vCIOs and vCISOs: A Comprehensive Guide

If you're running an IT department at a small to mid-size company, you know— the demands on your infrastructure are greater than ever. Cyber threats are growing at an alarming pace, primarily fueled by the accessibility of AI to hackers. Cloud productivity, system...