
Dishonest, Evil, and Extremely Effective: Why Social Engineering is a Big Problem for Businesses

Imagine you’re about to enter an apartment building with a secure entrance when you hear someone call out:

“Hey! Can you get that for me?”

You turn around and see a woman holding what looks like thirty grocery bags. She smiles apologetically. She doesn’t look like a serial killer. She looks like a nice woman who could use some help.

“Sure!” you say. After all, you’ve got a heart.

Now, usually, this sort of thing is harmless. In fact, our innate kindness as human beings – our tendency to help each other out – is the glue that holds society together. If we all rigidly followed rules – like not holding open the door to a secure entrance – the world would be a much colder, bleaker, and meaner place. And yet…

When it comes to cybersecurity, the “better angels” of our nature can be our undoing. It’s our tendency to trust – to be polite, kind, helpful, etc. – which makes us so vulnerable to a particularly pernicious type of cyberattack known as “social engineering.”

In this blog post, we’re going to discuss what social engineering is, why it’s so effective, and what businesses can do to protect themselves from social engineering scams. This is info that could literally save your livelihood.

Social Engineering Defined

First, let’s define social engineering:

Social engineering is a strategy used by threat actors (hackers with bad intentions) in a wide variety of cyberattacks. It involves tricking people into giving up confidential information (e.g., passwords) or doing something they shouldn’t. Social engineering is a way to breach security without hacking computers directly; instead of technical tricks, it uses things like charm, deception, intimidation, and persuasion.

In short, social engineering is when humans hack humans to breach IT systems, instead of hacking computers directly.

What makes social engineering so devastatingly effective isn’t one thing; it’s three:

Social Engineering Exploits Human Nature…

A social engineering scam manipulates people using their own psychology. Just watch this 6-minute video released by Conflict International to see how clever an experienced hacker is when it comes to using our emotions against us (in this case, the hacker – an ethical hacker who uses her skills to educate rather than harm – elicits sympathy and, in turn, cooperation).

The fact that social engineering exploits our very nature makes it powerful because we can’t just change our nature – if we could, it wouldn’t be our nature! Unlike an unlocked door, which can be remedied with a lock, the vulnerability that social engineering takes advantage of isn’t something we can simply ‘fix’ – not without rewiring our brains at least!

Social Engineering Bypasses Many/Most Technical Barriers…

Because social engineering targets human beings instead of IT systems directly, it goes around most technical controls rather than through them: a firewall is no help if an employee is talked into granting the attacker remote access, and encryption is no help if the person holding the key hands it over. Those tools are only as strong as the people who operate them. The late great Kevin Mitnick – the man who will appear at the top of your search results if you google “world’s most famous hacker” – said this about social engineering:

“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.”

Frank Abagnale, whom Leonardo DiCaprio portrayed in Catch Me If You Can, had a similar insight about social engineering:

“There is no technology today that cannot be defeated by social engineering.”

We’ll circle back to this idea that social engineering can defeat any security tool, but for now, just note that social engineering derives much of its effectiveness from the fact that it’s a way around technical barriers. Think of it this way: no matter how strong the lock on an apartment entrance is, it’s irrelevant if someone simply holds the door for a malicious intruder.

Social Engineering Defies Our Expectations

Picture a hacker. Quick. Or for a more fun experiment, go tell an AI image-generating platform to do so (here’s what Midjourney came up with).

Chances are, you (or the AI) imagined someone hunched over a keyboard in a dim and dank basement.

The fact is, societal depictions of cybercriminals have led us to associate hacking with socially ill-adjusted figures who move in the shadows and know more about computers than they do human beings.

Like many stereotypes, this isn’t just inaccurate; it’s dangerous. Because the fact of the matter is that hackers are often highly socially skilled – just like the ethical hacker in the video linked above – and it’s a big part of what makes them successful.

So while we’re expecting to get hacked by someone we’ll never see or interact with, oftentimes the bad actor who makes your life a living h*ll will do so to your face, or over the phone – and with a smile.

In short, the third reason social engineering is so darned effective is that it’s not what people are looking out for.

Some Stats

In a moment, we’ll discuss what individuals and organizations can do to avoid falling for social engineering scams. But first, let’s take a look at some numbers. If you’re not convinced social engineering is a HUGE problem by now, perhaps some good old-fashioned statistics will wake you up…

  • Social engineering is used in 98% of cyberattacks (source: PurpleSec).
  • Employees at small businesses (< 100 employees) are 3.5x more likely to be targeted by a social engineering scam than enterprise employees (source: Barracuda).
  • A CEO is, on average, sent 57 phishing emails a year (source: Barracuda).
  • 82% of data breaches involve the human element – social attacks, errors, or misuse (source: Verizon).
  • A typical organization is targeted by 700+ social engineering attacks per year (source: Barracuda).

We could keep going. The point is, things have gotten bad. The digital world we live in is filled with convenience, but also, danger. Hackers know the easiest way to breach IT systems is typically by tricking people, not by pulling off some feat of technical wizardry.

So, the question is – what should good, honest, hardworking people and companies do to stay safe and avoid becoming a statistic?

Standing Up to Social Engineering

We’ve talked about what social engineering is and what makes it so effective. So let’s wrap this up on a positive note and discuss how to mitigate the risk of being victimized. The following advice is aimed at business owners and decision makers, but most of it applies to individuals outside of a corporate context as well.

Knowledge is Power

This might sound obvious, but it’s so important – and so often neglected – it cannot be overstated:

Train yourself and your people.

Oh, and one more thing – TRAIN YOURSELF AND YOUR PEOPLE! Social engineering is about exploiting the ‘weakest link’ in cybersecurity – human beings – and thus, the single best thing you can do at your organization is empower yourself and your employees with knowledge. Get this:

As reported by Forbes, organizations see their average phish-prone percentage – the share of users who fall for simulated phishing tests – drop from 32.4% to 5% after a year of training.

Of course it’s difficult to develop and execute training programs without specialized IT expertise, which is why partnering with a proactive IT provider (like an MSP) can do wonders for your company’s cybersecurity. Here at The 20 MSP, we offer a variety of training sessions and courses to help our clients avoid social engineering scams and other types of cyberattacks, comply with regulations, and fulfill cyber insurance requirements.

The Right Tool for the Job

As social engineering scams continue to wreak havoc on the business world, there is simply no excuse for any organization to forego multi-factor authentication (MFA). MFA is what it sounds like: it’s a security process whereby more than one proof of identity (multiple authentication ‘factors’) is required for access to some IT system (e.g., email). For instance, to access your email, you might need to provide your password, and then, in addition, an SMS code (a sequence of numbers or alphanumeric characters sent to your phone).

But wait a second, I thought you said social engineering can defeat any technology!

It can. But the kind of MFA matters. A code the user can read off a screen (an SMS or authenticator-app code) is a code the user can be talked into reading to an attacker, or typing into a look-alike login page that relays it to the real site within the code’s validity window; push-based approvals can be worn down by repeated prompts until someone taps “approve” just to make them stop. Phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) ties the login to the genuine site’s web origin, so a credential captured on a look-alike domain does not work on the real one. Even then, as any cybersecurity expert will tell you, there’s no such thing as 100% secure. Cybersecurity is about implementing multiple defenses (layered defenses) to make things drastically more difficult for bad actors.
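To make the difference concrete, here is an added example (not code from the original post, and not The 20 MSP’s ID 20/20 software) that models a real-time phishing proxy against two MFA styles. The service, the two origins (`login.example.com` and the look-alike `login.examp1e.com`), and the user record are constructed for the demo; the one-time code follows the RFC 6238 TOTP shape, and the WebAuthn “signature” is simplified to an HMAC with a per-credential key, which is enough to show why binding the assertion to the browser’s origin defeats the relay while a typed code does not.

```python
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"    # the genuine site (constructed)
PHISH_ORIGIN = "https://login.examp1e.com"   # attacker's look-alike (constructed)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time-step counter, truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def authenticator_sign(cred_key: bytes, challenge: str, origin: str) -> bytes:
    """What the user's security key does: sign (challenge, origin). The browser
    supplies `origin`; the user cannot change it. HMAC stands in for the real
    public-key signature (simplification for this example)."""
    return hmac.new(cred_key, f"{challenge}|{origin}".encode(), hashlib.sha256).digest()


class Service:
    """The genuine login server, holding a password, TOTP seed and credential
    key per user (all constructed in enroll())."""

    def __init__(self):
        self.users = {}
        self.challenges = set()

    def enroll(self, user: str, password: str) -> dict:
        self.users[user] = {
            "password": password,
            "totp_seed": secrets.token_bytes(20),
            "cred_key": secrets.token_bytes(32),
        }
        return self.users[user]

    # Factor set A: password + one-time code.
    def login_with_otp(self, user, password, code, now) -> bool:
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return False
        return hmac.compare_digest(totp(rec["totp_seed"], now), code)

    # Factor set B: challenge signed together with the origin.
    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_with_webauthn(self, user, challenge, origin, signature) -> bool:
        rec = self.users.get(user)
        if rec is None or challenge not in self.challenges:
            return False
        self.challenges.discard(challenge)          # each challenge is single-use
        if origin != REAL_ORIGIN:
            return False                            # assertion made for another site
        expected = authenticator_sign(rec["cred_key"], challenge, origin)
        return hmac.compare_digest(expected, signature)


def phish_otp(service, user, rec, now) -> bool:
    """Victim types password and code into the look-alike page; the attacker
    replays both to the real site inside the 30-second window."""
    stolen_code = totp(rec["totp_seed"], now)       # read off the victim's phone
    return service.login_with_otp(user, rec["password"], stolen_code, now)


def phish_webauthn(service, user, rec) -> bool:
    """Same proxy against a security key. The key signs for the origin the
    browser really shows (the look-alike). The attacker can relay that
    honestly (origin check fails) or claim the real origin (signature fails)."""
    c1 = service.issue_challenge()
    sig1 = authenticator_sign(rec["cred_key"], c1, PHISH_ORIGIN)
    relayed = service.login_with_webauthn(user, c1, PHISH_ORIGIN, sig1)
    c2 = service.issue_challenge()
    sig2 = authenticator_sign(rec["cred_key"], c2, PHISH_ORIGIN)
    forged = service.login_with_webauthn(user, c2, REAL_ORIGIN, sig2)
    return relayed or forged


def legit_webauthn(service, user, rec) -> bool:
    """The honest path: the user is really on the genuine origin."""
    challenge = service.issue_challenge()
    sig = authenticator_sign(rec["cred_key"], challenge, REAL_ORIGIN)
    return service.login_with_webauthn(user, challenge, REAL_ORIGIN, sig)


if __name__ == "__main__":
    svc = Service()
    alice = svc.enroll("alice", "hunter2")
    print("OTP relay succeeds:      ", phish_otp(svc, "alice", alice, 1_700_000_000))
    print("WebAuthn relay succeeds: ", phish_webauthn(svc, "alice", alice))
    print("Genuine WebAuthn login:  ", legit_webauthn(svc, "alice", alice))
```

The point of the model is where the origin comes from: with a typed code, the only thing tying the login to a site is the user’s judgment about which page they are on; with WebAuthn the browser puts the origin into the signed data itself, so neither the victim nor the proxy can make an assertion for `examp1e.com` verify on `example.com`. Real deployments also need the single-use challenge and a check that the credential belongs to the user, both of which the toy service includes.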

Our own proprietary (and patented!) MFA technology, enshrined in our ID 20/20 software, has helped our clients repel numerous social engineering attempts, sparing them from the cataclysmic consequences of a successful cyberattack. Learn more about it.

If you’re worried about your organization getting hacked – or if you’ve already been hacked – it’s important to reach out for help. Don’t keep it quiet out of shame or fear. Here at The 20 MSP, we have decades of experience helping businesses achieve IT peace of mind, so don’t hesitate to reach out for more information or guidance.

Thanks for reading – and stay safe out there, everyone!