On May 14, the FBI marked a sobering milestone: the receipt of its six millionth digital crime complaint. It took just 14 months for the FBI’s Internet Crime Complaint Center (IC3) to reach its new threshold. Digital crime complaints are on the rise, and we have some ideas as to why. Check out what these statistics mean, where social engineering fits in and how you can protect your business or agency from cyber attacks.

Social Engineering Leads the Pack

Short answer: it took off. The FBI found that digital crime complaints increased by about 70% between 2019 and 2020. Many of those complaints involved some form of social engineering. Phishing attacks, non-payment or non-delivery ploys and extortion scams were the most prevalent types of ruses, with romance and confidence schemes, investment fraud attempts and business email compromise (BEC) campaigns costing their victims the most. The last method of attack accounted for $1.8 billion over the course of 2020, according to the IC3.

The FBI wasn’t the only group that observed an increase in the number of attacks like this in recent years. In its 2021 Data Breach Investigations Report, for instance, Verizon Enterprise found that social engineering was the most common attack vector in data breaches observed in 2020 and the third most common attack vector for that year. The firm also observed that most attacks (85%) involved attempts to prey upon the human element in some way.

Solving Today’s Cyber Problems

The findings above are clear: most digital attacks today involve some form of social engineering. Threat actors know that human beings can make rash decisions when they’re afraid or in a rush. Those attackers misuse that fact to trick users into doing something they might not otherwise do, such as clicking on a link or visiting a sketchy website.

As such, those studies show the following takeaway: businesses and agencies need to put special attention on defending against social engineering attacks. It’s not enough for them to train their employees once a year. Social engineering factors into most attacks, after all. So, employees need to be familiar with social attacks year-round.

Preventing Social Engineering Attacks

You can begin by accepting the fact that everyone is at risk from social engineering techniques. We’re all human, so we’re all targets. Contractors, managers and even security researchers can make mistakes. An employee’s position does not determine whether they should learn about social engineering. But it does say something about the types of training from which they might benefit over others.

With that mindset, you can create a security awareness training program. Target their entire workforce with modules that concern email best practices and other common topics, for instance. At the same time, they can create or use other modules to raise awareness of certain threats depending on a learner’s department. Educate HR about W-2 payroll scams, for instance, and spend extra time with finance on awareness of BEC scams. Approaching training in this way will help organizations to equip employees with empowering, action-oriented items that they can take to stay safe in their daily jobs.

Awareness training can help prevent a social engineering attack, of course, but it’s not as helpful for detecting them. That’s where technical controls geared towards the user come in. As an example, you can leverage behavior analytics to help monitor user activity. Anything strange might be a sign that someone compromised one of their authorized user’s accounts. If that’s the case, they can proactively lock down the account and take steps to contain the scope of the successful attack.

A Complex Response to a Complex Threat

Social engineering techniques come in many forms. It’s only natural that the response must do the same thing. By combining several levels of security awareness training with technical controls, you can help harden your business or agency against some of the most common attack techniques used by malicious actors today.

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

How Security Teams Combat Disinformation and Misinformation

“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…