Social Engineering: The Art of Human Manipulation

Held every October, and now in its 20th year, CIRMA observes Cybersecurity Awareness Month by highlighting the importance of staying safe online. We will share some of our most vital cybersecurity resources throughout October to help you and your employees understand and overcome existing and emerging cyber exposures.

To kick things off, we will explore the topic of social engineering, what it is, and why it is so important.

Social engineering attacks are often highly profitable for cybercriminals and are one of the most common ways they exploit human instincts. Social engineering uses psychological manipulation instead of exploiting technical vulnerabilities and takes advantage of a victim’s instincts and emotions to obtain sensitive information.

Cyber threat actors continue their relentless efforts to obtain sensitive data by impersonating employees for financial gain. Business Email Compromise (BEC) attacks have doubled over the past year, and represent more than 50% of incidents within a social engineering pattern (2023 Verizon Data Breach Investigations Report).  Social engineering can cost municipalities millions of dollars annually, but more importantly, data breaches can lead to identity theft and operational disruptions. Ensuring municipal and school board employees are aware of and adequately trained on cybersecurity best practices can help minimize the risk of a costly and disruptive data breach.

Cyber threat actors use various methods to infiltrate network systems and expose sensitive and vulnerable information. Phishing is the most common method of social engineering, where a hacker often convinces their victim to click a malicious link or software in an email. Baiting is another prevalent method of social engineering, referring to bad actors luring their victims into relinquishing sensitive information by tempting them with a valuable object or offer.

Attackers use holidays, epidemics, and natural disasters to solicit personal information and use voice communication and text messages to deceive their victims.

 Key findings in the 2023 Verizon Data Breach Investigations Report:

• 97% of cyber threat actors were motivated by financial gain
• 3% of cyber threat actors were inspired by espionage
• Techniques utilized to gain unauthorized access to an organization:
  • 49% stolen credentials
  • 12% phishing
  • 5% exploiting vulnerabilities

Social engineering attacks are notoriously difficult to prevent, as they depend heavily on the human element. It takes one employee’s mistake to compromise a municipal network’s integrity, demonstrating the significance of training employees on cybersecurity awareness. Data security policies combined with cybersecurity awareness training can assist employees in understanding how to detect and respond to social engineering attacks.

CIRMA Risk Management offers a Cyber Webinar Series through its exclusive CIRMA member Vector Solutions platform. This robust training and education tool features cybersecurity-related online training courses and webinars proven to educate employees and reduce costly and disruptive cyber exposures.  Courses and webinars are available for employees to learn at their own pace, 24 hours a day, seven days a week.

If you haven’t taken advantage of the many benefits available through CIRMA’s exclusive online training and education platform, contact your local CIRMA Risk Management representative to get started today. There is no additional charge to CIRMA members for this service. Visit CIRMA’s Cyber Center for helpful information on preventing and managing cyber exposures. Contact your local CIRMA Risk Management representative to get started today.