BlogHacking4TH APR 2024
AuthorSamir Yawar
8 min read

Social Engineering, Phishing Attacks behind 90% of Successful Attacks

Social engineering and phishing attacks constitute the bulk of cyber attacks
BlogHacking4TH APR 2024
8 min read

Social Engineering, Phishing Attacks behind 90% of Successful Attacks

AuthorSamir Yawar
Social engineering and phishing attacks constitute the bulk of cyber attacks

As far as initial hacking attempts are concerned, social engineering and phishing attacks result in 70-90% of all successful cyber attacks.

This is a fact we’ve known for a long time ever since the advent of networked computers, the first one which came out in 1969.

Fast-forward to 2024, and it’s alarming that this common method of gaining access to sensitive information and committing financial fraud is not a priority area for most organizations.

Most firms don’t even feel like spending a miniscule 3% of their IT security budget on how to fight against phishing and social engineering.

Which brings us to the problem:

There are not enough resources aligned and allocated against the number 1 reason people and devices keep falling prey to hackers, malware, ransomware and other malicious cyber threats.

The more things change the more they remain the same.

Our approach against social engineering needs a rethink

Technology has progressed by leaps and bounds. We’re being told about the million ways our computers and other connected devices can be broken into. We’re also being told that we ought to prevent everything. All at once.

Firms are being told they need to check a couple of boxes to be in the green with cybersecurity compliance regulations, which means having hundreds of controls to deploy and monitor. Failure to do so means fines.

Yet, despite all the heuristic anti-virus features, upgraded network security protocols, and software patches in the world, malignant actors keep one-upping us.

The reason is simple: We need to focus on the number one reason these attacks happen—social engineering.

We need to understand the human aspect of being hacked. And we need that to be our primary focus. 

The kicker? It gets worse.

It could be simple if the problem were only occurring at the individual or organizational level. Unfortunately, even national cybersecurity organizations whose primary job is to protect you against digital threats are guilty of focusing on the wrong problems. This is a global systemic problem.

How are these phishing and social engineering attacks so successful?

Let us use a simple example to explain the problem.

Imagine a town plagued by a rampant outbreak of food poisoning. Every week, numerous people fall ill after dining at various restaurants across the town. Investigations consistently reveal that the root cause of the illnesses is contaminated food served at these establishments, with ingredients being sourced from one specific farm. Despite this clear pattern, the town's health department decides to focus all its efforts on improving sanitation practices in the kitchens of the restaurants.

Meanwhile, the problem persists, with more and more people falling sick. Frustrated residents gather for a town hall meeting to address the ongoing health crisis. Experts from the health department present their findings, confirming that contaminated food is indeed the primary cause of the illnesses. They further reveal that this pattern extends beyond their town and is a widespread issue in the entire country, even globally.

Despite this acknowledgment, the proposed solution remains the same: enforcing stricter sanitation regulations in restaurant kitchens. Residents leave the meeting feeling bewildered and frustrated, wondering why the authorities are not taking decisive action to address the root cause of the problem i.e. the farm produce.

In this analogy, the town's health crisis represents the cybersecurity landscape, with the recurring food poisoning incidents symbolizing cyber attacks. Just as the health department focuses on kitchen sanitation instead of contaminated food originating from a particular farm, cybersecurity organizations often prioritize secondary measures over addressing the primary vectors of cybercrime like social engineering and phishing.

A real-world example involving ransomware

Throughout 2023, the Phobos ransomware continued to make headlines. A threat so serious that organizations like the Federal Bureau of Investigation (FBI) and Cybersecurity Infrastructure Agency (CISA) came out with a joint security bulletin about it.

This warning by two legit security agencies lists three main actions that network defenders should take to contain and minimize the risks posed by Phobos ransomware:

actions to mitigate the Phobos ransomware by CISA
CISA and FBI recommend the following actions against Phobos ransomware | Source: CISA

First, these are good tips and need to be implemented. The joint warning bulletin also discusses in depth the multiple ways the Phobos ransomware can enter the victim's environment.

The report also suggests repeatedly that social engineering and phishing are one of the primary attack methods used to propagate this ransomware:

Phobos actors typically gain initial access to vulnerable networks by leveraging phishing campaigns to drop hidden payloads or using internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports or by leveraging RDP on Microsoft Windows environments.

It even lists phishing as one of the “Initial Access” attack techniques:

Attack techniques used by Phobos ransomware. Phishing remains one of the top reasons.
Phishing gets a mention | Source: CISA

Indeed, phishing and spear phishing in particular remain the top methods of breaking into an environment. It is very rare to see anything other than phishing as the top reason behind a cybersecurity breach.

Spear phishing, which targets specific individuals, can do a lot of damage. A recent report states that despite accounting for just 0.1% of all email attacks, spear phishing was responsible for a whopping 66% of data breaches! Talk about having a small grasp yet a bigger reach.

Generally, social engineering is behind 70-90% of cyber attacks of all types. For ransomware specifically, social engineering is cited as the root cause behind 40-50% of cyber attacks. Another common reason why ransomware happens is due to the attacker using stolen credentials.

If you had to guess, how were those passwords stolen? Through social engineering of course. In 2023, 79% of credential thefts happened due to phishing.

Okay, so what seems to be the problem here?

The reason why we keep stressing social engineering as the top threat organizations need to combat is that it is usually the primary instigator behind most cybersecurity incidents.

Coming back to the CISA/FBI bulletin, the report's top three recommended mitigations do not mention the importance of combating social engineering tactics. In fact, CISA briefly tells readers to defend against social engineering and phishing attacks with a rather subdued focus.

The number one way those data breaches happen? Through the human element. And yet cybersecurity bodies continue to espouse other technical shortcomings to address the threats rather than focusing on inculcating security-centric mindsets through regular yet engaging security awareness training.

This is the problem in a nutshell - putting the horse before the cybersecurity cart.

The solution to growing cybersecurity problems

A change in approach is sorely needed. Instead of mentioning how to defeat phishing attacks at the end of the report, all cybersecurity bulletins need to prioritize addressing individual behavior and the role of cybersecurity awareness training in minimizing human error.

The CISA report mentions mitigation measures to defeat phishing as the 13th amongst 20 controls. How to defeat phishing and social engineering tactics needs to be the top 3 controls - the best way to prevent threats like Phobos is to nip them in the cyberspace bud with the right training.

In short, our primary focus needs to be on recognizing and preventing social engineering and phishing. Security bodies and organizations need to rely more on training people than on patching hardware or software-based loopholes.

Existing cybersecurity regulation and education needs a rethink

Because hey, all it takes is that one unsuspecting email, and all hell breaks lose.

After all, the issue of contaminated food can’t be solved by focusing on sanitation efforts. It can be resolved by checking the produce sourced from farms.

Also, security awareness training does not have to be dull and boring. Check out Cytadel, our gamified security awareness training platform to discover what we're talking about.

Samir Yawar
Samir Yawar / Content Lead
Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir
FAQsFrequently Asked Questions
Social engineering is the manipulation of individuals into divulging confidential information or performing actions that benefit the attacker, typically by exploiting human psychology and trust. In the context of cybersecurity, social engineering attacks can lead to unauthorized access, data breaches, financial loss, and damage to an organization's reputation. Common social engineering tactics include phishing, pretexting, baiting, and tailgating.
Common signs of a social engineering attempt may include unsolicited communications, urgent or high-pressure requests, unusual payment methods, requests for sensitive information or access, and discrepancies between the sender's email address and the supposed organization. Being vigilant for these red flags can help individuals recognize and avoid social engineering attacks.
A few basic rules can help you minimize the likelihood of suffering from a successful social engineering attempt. Make sure you don't share information about you online, check your email and messages for any suspicious links, and adopt multifactor authentication methods.
Organizations can protect themselves from social engineering attacks by implementing a robust security awareness training program that educates employees about various tactics, red flags, and best practices for handling suspicious requests. Establishing clear policies and procedures for handling sensitive information, verifying the legitimacy of requests, and reporting incidents can also help mitigate the risk of social engineering attacks.
Phishing is a type of social engineering attack in which cybercriminals attempt to trick individuals into revealing sensitive information, such as login credentials, financial data, or personal information, by masquerading as a trustworthy entity. Phishing is a significant cybersecurity threat because it targets the human element, which is often the weakest link in an organization's security posture, and can lead to unauthorized access, data breaches, and financial loss.