Mitigating the Rising Risks of Email Social Engineering

Social Engineering

The statistics surrounding social engineering attacks are concerning. A Darktrace and Censuswide survey found that novel social engineering attacks had increased by 135% in 2023, largely due to the availability of ChatGPT. According to the Acronis mid-year Cyberthreats Report 2023, email-based social engineering attacks increased by 464% in 2023 compared with the first half of 2022. The report also revealed that 1.3% of emails are malicious (one out of every 76), that phishing remains the most prevalent form of attack at 73%, and that business email compromise (BEC) has increased 7.5 times compared to 2022.

BEC, says Verizon, has more than doubled since 2022. It is smart, it is well-designed and it continues to catch people out. Human error remains the most common reason for a successful compromise, while social engineering remains the most lucrative route for cybercriminals. Microsoft’s Cyber Signals report found that 35 million business email compromise attempts were made between April 2022 and April 2023, a daily average of 156,000.

This attack vector relies on people. BEC emails slide into inboxes alongside the daily deluge of to-do lists, updates and notifications, and they are designed to make people react emotionally. They are made to look exactly like emails from professional organisations or financial institutions, and they provoke a response before people stop to think. People click, enter details and respond before checking that the emails were sent by valid companies and sources.

It’s easy to be fooled. Threat actors are using tools such as ChatGPT to craft well-written and cleverly designed emails that spoof companies convincingly. These scams are also designed to look as if they were sent by someone within your company, so an employee is more likely to believe the email is genuine and click on the link. Even with constant training and awareness, people who are tired and busy make mistakes. They fall for scams that cost them, and their companies.

The cost of a click 

 

Currently, BEC attacks are among the most expensive forms of cyber-attack. The IBM Cost of a Data Breach 2022 report put the cost at $4.89 million. The FBI has a different, far higher figure: $50 billion. This, the FBI says, is the total reported loss due to BEC both in the US and globally, an increase of $7 billion on 2022. The report said that since 2014 there have been almost 300,000 BEC incidents across 177 countries and in all 50 US states.

The risk to both company and individual is high, especially as mistakes are easy to make when people are sifting through large volumes of information every day. Statista estimates that 333 billion emails were sent and received globally in 2022, with an expected increase to 392.5 billion in 2024. If unprotected, email can be used to infiltrate, hack and impersonate organisations, and an attack on your business can result in deposit fraud, ransomware attacks, identity theft or reputational damage.

Which makes it important for your business to DMARC the spot… 

 

Domain-based Message Authentication, Reporting and Conformance – DMARC

 

DMARC is designed to verify the source of an email message and then route it accordingly: raise an alert or deliver it to the inbox. This security check only allows legitimate emails to arrive in an inbox and provides the organisation with full visibility and control over email. The technology also helps identify which emails are fake, claiming to be from your organisation when they are, in fact, scams.

 

It is an invaluable tool designed to help your organisation build a strong line of defence against BEC, ensuring that the risk of a scam email arriving in the inbox of an employee is significantly reduced (if not eliminated). DMARC with Mint can help you reduce your exposure to fraudulent email activities and protect your bottom line and your people.