The dangers of social engineering have been clearly highlighted by a recent Agari email security study. Agari commissioned the Information Security Media Group to conduct a survey of 200 security leaders in the United States. Respondents came from a broad range of industry sectors, including healthcare, financial services, government and education. 42% of the companies represented in the survey had annual revenues in excess of $1 billion, and 32% employ more than 10,000 people.
The study revealed that 60% of security leaders believe they have been the victim of at least one social engineering attack in the past year. 65% of organizations that experienced an attack said the attackers gained access to employee credentials. 17% of firms that were attacked said criminals had gained access to their financial accounts.
Agari reports that social engineering attacks are a major threat to businesses and are the fastest growing threat. Social engineering is the manipulation of employees, usually via email, into revealing sensitive information. Usually, employees are fooled into revealing their email credentials. Attackers then gain access to the accounts, which can contain highly sensitive information that is used in further attacks on the organization. Social engineering attacks include phishing and spear phishing, CEO fraud and Business Email Compromise (BEC). As of May 2016, the FBI says losses from these attacks have exceeded $3.1 billion.
Agari reports that 89% of survey respondents said social engineering attacks had remained at a steady pace or had increased in the past year, with 69% of those attacks concerned with obtaining login credentials to be used for fraud.
Defenses against social engineering attacks were not up to the required standard at 49% of companies, which rated their defenses as average or poor. 20% of respondents said they did not know whether their company name or branding was being used in attacks on customers.
More than one fifth of respondents said they had no confidence in the ability of their business partners to prevent social engineering attacks, while half of respondents were neither auditing nor encouraging their business partners to authenticate emails sent on behalf of their organization.
Markus Jakobsson said, “Most enterprises think that if they train their employees to be aware of malicious emails, it will be enough. However, this is delusional as it’s impossible for anyone to consistently distinguish malicious, social engineering-based emails from legitimate emails.”
Jakobsson expects the volume of social engineering attacks to increase significantly in the future due to the effectiveness and profitability of the attacks and the poor defenses organizations have in place to block attacks.