Phishing and social engineering pose a considerable threat to your corporation's revenue and brand reputation, and they are usually treated as two different attack strategies. Strictly speaking, phishing is one form of social engineering, the form that arrives as a message (most often email); the broader category also covers phone calls, in-person deception, and other manipulation that never touches the inbox. Cybercriminal groups combine both to trick targeted victims into divulging credentials, downloading malware, or transferring funds to an attacker-controlled account. Because the two arrive through different channels, businesses need cyberdefenses that cover both.
How Much Does Social Engineering Cost Businesses?
Social engineering does not have to involve a computer at all. It could be a phone call from an attacker, or an attacker walking into the office by piggybacking, where a legitimate employee holds the door open for someone who has not badged in. The gesture is well-meant, but it can lead to theft of corporate equipment and data. Once inside, the intruder is assumed to be a colleague, and other employees grant further access to physical equipment or information.
According to the IBM 2023 Cost of a Data Breach report, a breach that begins with social engineering costs businesses an average of $4.55 million. The most common goal of social engineering is credential theft. With valid credentials in hand, an attacker can authenticate to the corporate environment as an ordinary user and quietly exfiltrate data from internal storage to a server they control.
More worrying for the staff responsible for data protection is dwell time: the same report found that breaches involving stolen credentials took about 11 months on average to identify and contain. The reason is the credential theft itself. The intruder is using a legitimate account, so viewing and copying data looks like normal user activity, and signature-based security infrastructure has nothing to match on. Catching misuse of valid accounts means looking for behavior that is abnormal for that user (logins from unexpected locations, unusual data volumes, access to systems the user never touches) rather than for a known-bad payload.
How Much Does Phishing Cost Businesses?
In the same IBM report, a breach that begins with phishing costs businesses an average of $4.76 million, and phishing was the most common initial attack vector in that year's study. Both social engineering and phishing ranked among the top attack vectors for data breaches, but phishing was the larger concern. Social engineering is typically aimed at obtaining data or credentials; phishing also serves as a delivery channel for malware that gives an attacker a long-term foothold in the business environment.
Credential theft frequently starts with a phishing message. Once the attacker holds a legitimate user's credentials, they authenticate to the business network like any other user. Because the login itself is valid, many monitoring systems, including intrusion detection, will not identify the authenticated session as malicious; the only thing that gives the intruder away is that the account starts behaving differently from its owner.
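As an added example (not code from the original article or from any TitanHQ product), the following Python sketch shows the kind of behavioral check that can catch a stolen-credential session where signature-based monitoring cannot. It replays constructed login and download events and flags a user who logs in from a second country within an implausibly short window and then pulls far more data than their own history. The event schema, thresholds, and sample data are assumptions for illustration.

```python
"""Behavioral detection of valid-credential misuse (added example).

The events below are constructed, and the field names (ts, user, event,
country, bytes) are assumed; map them to your own SIEM or identity
provider schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized to UTC. Not real logs.
EVENTS = [
    {"ts": "2024-03-04T08:02:11Z", "user": "alice", "event": "login", "country": "IE", "bytes": 0},
    {"ts": "2024-03-04T08:15:40Z", "user": "alice", "event": "download", "country": "IE", "bytes": 2_000_000},
    {"ts": "2024-03-04T08:30:00Z", "user": "bob", "event": "login", "country": "IE", "bytes": 0},
    {"ts": "2024-03-04T08:45:00Z", "user": "bob", "event": "download", "country": "IE", "bytes": 5_000_000},
    # Same valid credentials, about an hour later, from another country, pulling 750 MB.
    {"ts": "2024-03-04T09:10:05Z", "user": "alice", "event": "login", "country": "NG", "bytes": 0},
    {"ts": "2024-03-04T09:12:30Z", "user": "alice", "event": "download", "country": "NG", "bytes": 750_000_000},
]


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, travel_window=timedelta(hours=4), spike_factor=10,
           min_spike_bytes=100_000_000):
    """Return findings for two behaviors a stolen-credential session tends to show.

    impossible_travel: two logins for one user from different countries closer
        together than travel_window (a crude stand-in for a real distance/speed
        check, which needs geolocation data).
    volume_spike: a download at least spike_factor times larger than any earlier
        download by that user, and above an absolute floor so a user whose
        baseline is a few kilobytes does not alert on a single 1 MB file.
    """
    findings = []
    last_login = {}                      # user -> (datetime, country)
    prior_downloads = defaultdict(list)  # user -> bytes of earlier downloads

    # ISO 8601 UTC strings of one format sort chronologically as plain strings.
    for ev in sorted(events, key=lambda item: item["ts"]):
        ts, user = parse_ts(ev["ts"]), ev["user"]
        if ev["event"] == "login":
            prev = last_login.get(user)
            if prev and prev[1] != ev["country"] and ts - prev[0] <= travel_window:
                minutes = int((ts - prev[0]).total_seconds() // 60)
                findings.append({"user": user, "rule": "impossible_travel", "ts": ev["ts"],
                                 "detail": f"{prev[1]} then {ev['country']} within {minutes} min"})
            last_login[user] = (ts, ev["country"])
        elif ev["event"] == "download":
            history = prior_downloads[user]
            if history and ev["bytes"] >= min_spike_bytes and ev["bytes"] > spike_factor * max(history):
                findings.append({"user": user, "rule": "volume_spike", "ts": ev["ts"],
                                 "detail": f"{ev['bytes']} bytes vs prior max {max(history)}"})
            history.append(ev["bytes"])
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run against the sample, both findings land on alice and none on bob, even though every one of alice's logins succeeded with a correct password. In production the baseline would come from weeks of history per user rather than the handful of events shown, and the travel rule would use geolocation and a speed threshold instead of a country comparison.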
Phishing is also a common delivery vector for malware. Its goals overlap with those of other social engineering, but the potential for additional damage is much greater. A phishing email can deliver a remote access trojan (RAT) that gives the attacker persistent control of a machine, or ransomware that encrypts and steals data across the network environment. Sophisticated malware can also copy itself to network storage and leave backdoors, so an incident response that cleans only the original host leaves the attacker a way back in for continued data theft.
Types of Phishing and Social Engineering
Both phishing and social engineering should be primary concerns for your administrators. Small businesses may not have the budget for specialized security equipment, so understanding the types of phishing and social engineering attacks is an inexpensive first step toward data protection. Ask experts for help where you can, but at least know the attack types. Here are several common threats to be aware of:
Baiting
Baiting lures the target with something they want or expect: a free download, a "shared document", a dropped USB stick, or an email linking to a login page built to look like your company's sign-in page or a third-party vendor's. The usual goal is credential theft. Once credentials are stolen, the attacker can log in to business applications, including email, and send further phishing messages from a trusted internal account.
Phishing and baiting overlap, but a phishing message can have goals beyond stealing credentials: convincing users to download malware, to enable malicious macros in Microsoft Office documents, or to hand over credentials. Most phishing emails are written to override security awareness training by leveraging emotion (fear, curiosity, a sense of urgency) and pushing the recipient toward an action they would not normally take. Users should treat any message demanding immediate action outside standard operating procedure as suspicious and report it.
Pretexting
In a social engineering attack, pretexting means building a plausible storyline and character to trick a targeted victim into performing a specific action. The attacker usually impersonates someone the victim knows or would expect to hear from, such as a colleague, a vendor, or IT support. The pretext may be maintained for a single call or for weeks, until the victim sends money or provides authentication credentials. It is often used in spear-phishing aimed at a specific high-privilege account.
Tailgating
Not all attacks are virtual. Tailgating is a physical social engineering attack used to gain access to a targeted organization's premises. In an enterprise, employees swipe an access card to open a door; the door opens, and the next employee is supposed to swipe their own card before walking in. With tailgating, an attacker simply follows a legitimate employee through the open door. Employees think they are being kind by holding the door, but it gives the attacker physical access. Once inside, an attacker can copy data to a USB drive, walk off with documents, or use an unlocked workstation or server.
Scareware
Scareware is a fake warning designed to frighten the target into acting: a pop-up claiming the computer is infected, a message that an account is about to be closed, or a notice of a missed payment. Both phishing and social engineering rely on making users forget their security training and feel fear, whether of losing a job or of making a mistake. To an outsider the fraud may look obvious. Still, a manufactured sense of urgency causes the targeted victim to forget their training and skip standard operating procedures, and one straightforward mistake can let malware into the environment or send significant funds to the attacker.
Business Email Compromise (BEC)
Controlling an employee's email account lets attackers send further phishing messages, and a phishing email is far more effective when it comes from a known account. BEC is much more common than it was years ago, and attackers have found that messages from high-privilege accounts succeed far more often: a high-privilege user controls much of a business's operating expenses and data. From such an account, or from an outside address whose display name imitates it, the attacker can send a phishing email to steal colleagues' credentials, instruct the recipient to pay a fraudulent invoice, or convince the target to transfer money.
Honeytrap
A honeytrap lures the target with an attractive persona or an enticing offer, then uses what the target did as leverage. If an attacker convinces an employee to download malware or visit an illicit site, blackmail can follow: the victim may fear for their job, or the attacker may threaten to expose the behavior to friends and family. The threat is not always backed by evidence. A common variant is a mass email claiming to have proof of illicit behavior and demanding payment when no such proof exists; the sender is counting on the recipient not understanding how these email-based scams work and falling for the lie.
Quid Pro Quo
"Quid pro quo" translates to "something for something." In this attack, the phishing or social engineering strategy trades a service for sensitive data. The data is usually user credentials, and the service is usually technical support. The contact can be inbound, with the attacker calling an employee while pretending to be a technical support staff member, or it can start with a web pop-up that tricks the user into calling a scam call center, where the "technician" is helpful right up until they ask for the user's password or remote access to the machine.
Smishing
Smishing is phishing over SMS. Mobile devices are often less protected than corporate desktops: a link or attachment in an email passes through the mail filter and endpoint antivirus, while a link in a text message usually does not. Messages can be sent en masse, and only one recipient needs to install the malicious app or enter credentials for the attacker to gain a foothold. Smishing is used to bypass the organization's security infrastructure and to extract money directly, most often with a fake delivery notice asking for a small shipping fee, which harvests payment card details.
Watering Hole
In a watering-hole attack, the attacker compromises a website or web application that the target group is known to visit (an industry portal, a vendor site, a tool used across the organization) and plants malware or a credential-harvesting page there. The name refers to predators waiting where prey comes to drink: rather than sending a lure, the attacker lets the victims come to them. This is more sophisticated than a standard phishing attack, and correspondingly harder for users to spot, because they are visiting a site they already trust. A watering hole can spread remote access trojans or ransomware across the business network.
Whaling
Low-privilege users don't have permission to access sensitive data, so whaling targets high-privilege users: executives, human resources staff, and finance staff. The more privileges a user has, the more data and authority the attacker gains. The name refers to the size of the catch: a "whale" is a big target whose account yields far more than an ordinary user's.
It's important to note that this list is not exhaustive. The cybersecurity landscape changes continually, and attackers keep finding new ways to reach sensitive information, but social engineering and phishing remain among the most effective strategies, so the tactics above still work. Both prey on human emotion, so they will persist as long as they pay off. Employees can be trained to detect phishing and social engineering, but even users with cybersecurity training sometimes fall for a well-crafted scam. Instead of relying on human detection alone, corporations need the proper security infrastructure to protect data and stop malware when a person slips.
What Corporations Can Do to Stop Phishing and Social Engineering
The most effective way to stop these attacks is to combine email security with security awareness training. Email security stops phishing messages before they reach users, and awareness training helps employees recognize the social engineering that email filters cannot see: phone calls, in-person pretexts, and the occasional message that slips through. Together the two stop most threats and greatly reduce your organization's risk of a data breach.
Security awareness training uses real-world examples to show users what social engineering and phishing attacks look like. Training doesn't need to take up much user time. A brief 15-minute video can describe the concepts, and users can watch it when they have a moment in their day. Short quizzes let users show they understand social engineering and phishing attacks. Administrators and stakeholders receive the quiz results, so users with low scores can be offered additional training to better understand the red flags and signs of an attack.
Email security is the front line against phishing. Social engineering can arrive through many channels, but phishing arrives by email, and a good email filtering solution blocks malicious messages before they reach user inboxes. Suspicious messages are quarantined rather than silently dropped, so administrators can review them, see who was targeted, and determine whether the organization is the subject of a sophisticated targeted campaign rather than bulk spam.
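As an added example (not code from the article or from any TitanHQ product), here is a Python scoring routine of the sort an email filter applies before deciding whether to quarantine a message. It also illustrates the lookalike-domain and executive-impersonation points raised under Baiting and Business Email Compromise above. It parses two constructed messages, reads the DMARC result from the Authentication-Results header, normalizes homoglyph domains, measures edit distance to the protected domain, and flags executive display names and redirected Reply-To addresses. The protected domain, VIP list, rule weights, and quarantine threshold are assumptions for illustration.

```python
"""Heuristic quarantine scoring for an inbound email (added example).

Both messages below are constructed. PROTECTED_DOMAIN, VIP_NAMES, the rule
weights and QUARANTINE_AT are assumptions, not any product's real logic.
"""
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "example-corp.com"   # assumed: the defended organization's domain
VIP_NAMES = {"jane doe"}                # assumed: people commonly impersonated in BEC
URGENCY = re.compile(r"\b(urgent|immediately|today|wire|overdue|verify)\b", re.I)
QUARANTINE_AT = 5                       # assumed threshold

# Constructed: digit-for-letter domain, executive display name, free-mail Reply-To.
SPOOFED = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jane.doe.ceo@webmail.example>
To: finance@example-corp.com
Subject: Urgent: wire transfer must go out today
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=none
Message-ID: <constructed-1@example.invalid>

Please process the attached invoice immediately and confirm by reply.
"""

# Constructed: ordinary internal mail that passes DMARC.
LEGIT = """\
From: Alice Smith <alice.smith@example-corp.com>
To: finance@example-corp.com
Subject: Q3 expense report attached
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
Message-ID: <constructed-2@example.invalid>

Attached for review, no action needed before Friday.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(domain):
    """Undo common look-alike substitutions so examp1e-corp.com compares as example-corp.com."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        domain = domain.replace(fake, real)
    return domain


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw_message):
    """Score one RFC 5322 message and decide between deliver and quarantine."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    match = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    dmarc = match.group(1).lower() if match else "none"

    score, reasons = 0, []
    # 1. A message claiming our own domain that does not pass DMARC is a direct spoof.
    if from_domain == PROTECTED_DOMAIN and dmarc != "pass":
        score += 5
        reasons.append("own_domain_dmarc_" + dmarc)
    # 2. Lookalike domain: homoglyph-normalized match, or within two edits of ours.
    if from_domain != PROTECTED_DOMAIN and (
            normalize_homoglyphs(from_domain) == PROTECTED_DOMAIN
            or edit_distance(from_domain, PROTECTED_DOMAIN) <= 2):
        score += 5
        reasons.append("lookalike_domain")
    # 3. Executive display name on mail from outside the organization (BEC pattern).
    if from_domain != PROTECTED_DOMAIN and any(v in from_name.lower() for v in VIP_NAMES):
        score += 3
        reasons.append("vip_display_name")
    # 4. Replies silently redirected to a different domain.
    if reply_domain and reply_domain != from_domain:
        score += 2
        reasons.append("reply_to_mismatch")
    # 5. Pressure language in the subject line.
    if URGENCY.search(msg.get("Subject", "")):
        score += 1
        reasons.append("urgency_subject")

    return {"score": score, "reasons": reasons,
            "action": "quarantine" if score >= QUARANTINE_AT else "deliver"}


if __name__ == "__main__":
    print(assess(SPOOFED))
    print(assess(LEGIT))
```

Every rule fires on a property of the message the recipient would never look at (the authentication result, the exact spelling of the domain, the Reply-To header), which is why filtering and awareness training complement rather than replace each other. A production filter weighs many more signals and tracks sender reputation over time; the point here is the shape of the decision.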
No filter is perfect, and false negatives are possible, so security awareness training acts as a failsafe. Employees trained to recognize phishing attacks are an added layer of security for your business network. Good cybersecurity is built in layers, and awareness training should be one layer in your infrastructure. You still need email filtering and antivirus software to block malware; the small percentage of messages that slip through is then caught by employees who have taken practical security awareness training and follow the measures set by the organization's security policies.
TitanHQ offers a suite of security solutions against phishing, social engineering, and other email-based attacks. See our solutions in action and take proactive steps to secure your organization.
Susan Morrow
- DATA PROTECTION
- EMAIL PHISHING
- EMAIL SECURITY