Social Engineering: The Art of Human Manipulation
Cybersecurity Awareness Month, now in its 21st year, is observed every October, and CIRMA marks it by highlighting the importance of staying safe online. Throughout October we will share some of our most vital cybersecurity resources to help you and your employees understand and overcome existing and emerging cyber exposures. To kick things off, we will explore the topic of social engineering: what it is, and why it is so important.
Social engineering attacks are often highly profitable for cybercriminals and are one of the most common ways they exploit human instincts. Social engineering relies on psychological manipulation rather than technical vulnerabilities, taking advantage of a victim’s instincts and emotions to obtain sensitive information. An attacker uses human interaction to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network. If an attacker cannot gather enough information from one source, he or she may contact another source within the same organization and use the information from the first source to add to his or her credibility.
Pretexting, a social engineering tactic used in business email compromise (BEC) scams, remains the primary cause of cybersecurity incidents, with attackers targeting users through existing email threads in their relentless efforts to obtain sensitive data for their financial gain. BEC scams make up about 24% to 25% of money-driven attacks, with the typical transaction amounting to $50,000 annually (2023 Verizon Data Breach Investigations Report).
Cyber threat actors use various methods to infiltrate network systems and expose sensitive and vulnerable information. Phishing is the most common method of social engineering: a hacker convinces the victim to click a malicious link or open malicious software delivered in an email. For example, an attacker may send an email that appears to come from a coworker, business partner, or financial institution and requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to access the accounts. Baiting is another prevalent method of social engineering, in which bad actors lure their victims into relinquishing sensitive information by tempting them with a valuable object or offer. Attackers also use holidays, epidemics, and natural disasters as pretexts to solicit personal information, and they use voice communication and text messages to deceive their victims.
Key findings in the 2024 Verizon Data Breach Investigations Report:
- 95% of cyber threat actors were motivated by financial gain
- 5% of cyber threat actors were motivated by espionage
- Techniques utilized to gain unauthorized access to an organization:
  - 49% were carried out through pretexting
  - 31% were carried out through phishing
Social engineering attacks are notoriously difficult to prevent, as they depend heavily on the human element. It takes only one employee’s mistake to compromise a municipal network’s integrity, which demonstrates the importance of training employees in cybersecurity awareness. Data security policies combined with cybersecurity awareness training can help employees understand how to detect and respond to social engineering attacks.
Ensuring municipal and school board employees are aware of and adequately trained on cybersecurity best practices can help minimize the risk of a costly and disruptive data breach. Risk Management offers a Cyber Webinar Series through its exclusive CIRMA member Vector Solutions platform. This robust training and education tool features cybersecurity-related online training courses and webinars proven to educate employees and reduce costly and disruptive cyber exposures. Courses and webinars are available for employees to learn at their own pace, 24 hours a day, seven days a week.
If you haven’t taken advantage of the many benefits available through CIRMA’s exclusive online training and education platform, contact your local CIRMA Risk Management representative to get started today. There is no additional charge to CIRMA members for this service. Visit CIRMA’s Cyber Center for helpful information on preventing and managing cyber exposures.
Helpful Cyber Resources for CIRMA Members: