For the most part, we're no longer falling for badly worded emails from "Grandma" asking us to wire her $10,000 immediately for back surgery.
So what are we falling for?
Phishing attacks aren't going away. They're just evolving into more targeted, more complex threats.
Social engineering is working
A recent study from Agari shows that 60% of organizations surveyed feel that social engineering is one of the biggest threats we face today.
60% of respondents also said they were victims of a social engineering attack (or may have been) in the previous year, and 65% of those said that their employees' credentials were exposed.
John Wilson, Field CTO for Agari, says:
"We are seeing an increase in the sophistication as well as the diversity of the attacks. The advent of social networking has made it very easy for criminals to research information that they may then leverage through social engineering. In the days of a Kevin Mitnick, he was dumpster-diving behind a company to come up with a couple of names of an employee, so he had an edge when he made a phone call to that organization. Those days are gone. You don’t have to do that anymore. You can simply go to sites like LinkedIn, or even a company’s “Management” page to do all of the intel you need to run one of these attacks."
So what's the best line of defense against social engineering attacks, which, according to the FBI, saw a 1,300% increase in fraud losses over a period of just two years?
It's time to make it a management issue
The survey found 30% of respondents were unsure whether social engineering is or should be a senior management or board-level issue.
In response to these numbers, Wilson says, "Once somebody wires a half-million dollars to an offshore account, I promise you that social engineering will very quickly become a board-level concern."
If attackers are targeting these top-level executives to commit fraud and extortion, all it takes for a successful attack is for other employees to remain silent.
If you get a suspicious email, report it. If you get a note from your CEO asking you to wire-transfer money, take a second to verify this in person.
Good communication and awareness could save your company a whole lot of trouble.