The biggest weakness in a cybersecurity strategy is humans, and social engineering takes advantage of a targeted user’s inability to detect an attack. In a social engineering threat, an attacker uses human emotion (usually fear and urgency) to trick the target into acting, such as sending the attacker money, divulging sensitive customer information, or disclosing authentication credentials. What is Social Engineering? Social engineering is the technique where unscrupulous actors manipulate, deceive, or influence an individual into divulging confidential information like personal or financial information. These include bank account information, passwords, transaction history, social security numbers, etc. These techniques can also manipulate individuals into performing specific actions that “help” the fraudster. For example, if someone tells you to download a particular app or software or share an OTP you received. Social engineering, by itself, isn’t an attack. It is the art of using psychological tactics to build trust and then using that information to commit crimes like theft, money laundering, account takeovers, remote takeovers, etc. The Global Impact of Social Engineering Social engineering has become a key element in the landscape of cyber fraud. It has become the primary technique behind many attacks targeting individuals, businesses, and government organizations. A report by the Association of Certified Fraud Examiners (ACFE) revealed that businesses lose up to 5% of their revenue every year due to fraud, and a significant portion of these frauds can be attributed to social engineering tactics. In India alone, the Reserve Bank of India (RBI) reported an alarming increase in fraud, with digital frauds rising by over 700% in recent years. Social engineering is not limited to the financial sector, although that is where the majority of its consequences are felt. Cyber-attacks based on social engineering techniques have far-reaching consequences: In India, bank frauds increased by nearly 300% over the last two years, with a major surge in digital frauds. A LexisNexis survey found that digital channels were responsible for 52% of overall fraud losses across the EMEA region. Social engineering attacks affect both businesses and individuals. Not only do victims suffer financial losses, but they also face emotional distress, feelings of guilt, and a lack of trust. Victims often hold themselves accountable, particularly in lower-income households, where such attacks can have a devastating impact on family dynamics. For businesses, the consequences go beyond financial losses; the erosion of consumer trust and the potential for high customer churn are significant challenges. For instance, the LexisNexis survey highlighted that 96% of companies in the Middle East reported a drop in customer conversion rates after incidents of fraud. Social Engineering Examples Social engineering attacks can take many forms, targeting both individuals and organizations: On an Individual Level: A retired Indian Administrative Service (IAS) officer fell victim to a scam where he was tricked into investing in a fake forex trading scheme. He ended up losing nearly Rs. 1.89 crore to the fraudsters. On a Corporate Level: The CEO of OCBC Bank, Helen Wong, described how her company battled against sophisticated phishing attacks, resulting in fraudulent transfers amounting to millions of dollars. National Security Level: Russian hacking groups have reportedly targeted Ukraine with multiple spear-phishing campaigns aimed at disrupting national security. The ripple effect of social engineering is significant. Victims may unwittingly become money mules, transferring illicit funds to further criminal activities. The emotional toll, combined with the financial impact, can be long-lasting. Common Social Engineering Tactics Fraudsters employ a variety of social engineering tactics to manipulate their victims. Some of the most common methods include: 1. Phishing Phishing is one of the most prevalent social engineering techniques. Fraudsters send fraudulent emails that appear to be from legitimate sources. These emails often contain malicious links designed to: Direct victims to fake websites to steal login credentials. Download malware onto the victim’s device, leading to account takeovers. Phishing is not limited to emails; it also manifests in other forms, such as smishing (SMS phishing) and vishing (voice phishing). In India, where literacy and email usage are lower, vishing is particularly dangerous. 2. Whaling Whaling is a form of phishing that specifically targets high-profile individuals, such as CEOs or other executives. The emails are often meticulously crafted to appear as if they come from trusted sources within the company. The goal is to steal sensitive information or request financial transfers. 3. CEO Scam This scam involves fraudsters impersonating high-level executives of a company, often through email or text messages. Employees of the targeted company may be tricked into following directives from the supposed CEO, such as transferring funds or sharing sensitive data, under the belief that the request is legitimate. 4. Baiting Baiting involves offering something enticing, like free software, services, or rewards, to lure the victim into a trap. The “bait” might include malicious files, which when opened, compromise the victim’s device. Physical baiting involves leaving infected USB drives in public places, hoping someone will pick them up and plug them into a device, unwittingly exposing themselves to cyber threats. 5. Quid Pro Quo This tactic involves offering a service or benefit in exchange for personal or confidential information. For example, attackers may pose as IT support personnel, offering to help resolve technical issues in exchange for login credentials or other sensitive data. 6. Pretexting Pretexting involves creating a fabricated scenario to persuade the victim to share confidential information. This can involve impersonating trusted figures like police officers, bank officials, or colleagues. Over time, attackers build trust with the victim before executing their fraudulent schemes. Who are the Most Likely Targets of Social Engineering? While anyone can fall victim to social engineering attacks, certain groups are more vulnerable: The Elderly: Older adults are often less familiar with digital technologies and cybersecurity practices, making them more susceptible to fraud. Common scams targeting seniors include fake government agent impersonations and investment scams. Young Adults and Teenagers: While they may be more tech-savvy, younger individuals often lack experience and may fail to recognize sophisticated scams, such as fake job offers or lottery wins. Low-Income Individuals:
