Agari has released the results of a commissioned survey, Email Security: Social Engineering Report, which examined the impact of social engineering on organisations across a range of industrial sectors in the US.
The results revealed that 60 percent of surveyed security leaders say their organisations were or may have been victims of at least one targeted social engineering attack in the past year, and 65 percent of those who were attacked say that employees' credentials were compromised as a result of the attacks. In addition, financial accounts were breached in 17 percent of attacks.
Social engineering attacks, which rely on human interaction and fraudulent behaviour to trick people, are the fastest growing security threat for enterprises today. While traditional attacks leverage technology-based system vulnerabilities, such as software bugs and misconfigurations, social engineering attacks take advantage of human vulnerabilities by using deception to trick targeted victims into performing harmful actions.
Examples of social engineering attacks, which are typically launched via email, include phishing, spear-phishing and Business Email Compromise (BEC). According to the FBI, BEC scams have resulted in losses of £2.4 billion ($3.1 billion) as of May 2016.
More than 200 respondents participated in the study, from the healthcare, government, financial services and education sectors. Thirty-two percent of these organisations employ 10,000 or more employees, and 42 percent have more than £800 million ($1 billion) in annual revenue. Highlights from the report include:
- Eighty-nine percent of respondents have seen either a steady pace or an increase in spear-phishing and other targeted email attacks in the past year. Of these attacks, more than 69 percent are after user credentials to commit fraud against the organisations.
- Forty-nine percent of respondents rate the effectiveness of the current controls they deploy to defend against social engineering attacks as average or below, with 20 percent admitting they didn't know if their brands have been used in social engineering attacks on customers or partners.
- More than one-fifth of respondents have ‘no confidence’ in their business partners' abilities to defend against social engineering attacks that could compromise the respondents' organisations. Half said they do not have a program in place to audit and encourage partners to authenticate email sent to their organisations, while 21 percent said they didn't know if they had this type of program.
“Most enterprises think that if they train their employees to be aware of malicious emails, it will be enough. However, this is delusional as it's impossible for anyone to consistently distinguish malicious, social engineering-based emails from legitimate emails,” said Dr Markus Jakobsson, chief scientist for Agari.
Jakobsson added: “Email-based attacks using social engineering are enabling cyber-criminals to steal corporate secrets, carry out politically motivated attacks and steal massive amounts of money. We expect to see a catastrophic growth of these types of attacks in the future, fueled by both their profitability and the poor extent to which businesses are protecting themselves, unless these organisations begin taking the necessary technology-based countermeasures to prevent these attacks.”