
Social engineering scams help spark uptick in cybercrime


Social engineering attacks are rising in the workplace, adding to widespread concerns about escalating cybersecurity threats, according to new data from Ernst & Young LLP.

Notably, Gen Z and millennial employees are less confident identifying and responding to cyber threats than their older colleagues.

Although they are a digital-first generation, Gen Z is losing confidence in its ability to recognize phishing attempts, in which a victim clicks on a malicious link that installs malware, reveals sensitive information or freezes systems as part of a ransomware attack. Only 31% of Gen Z feel confident they can identify phishing attempts, and 72% say they opened an unfamiliar link that seemed suspicious at work, far higher than millennials (51%), Gen X (36%) and baby boomers (26%), according to the EY 2024 Human Risk in Cybersecurity Survey, a study of 1,000 employed Americans across public and private sectors.

Social engineering manipulates human psychology, unlike traditional hacking methods that exploit technical vulnerabilities. “Even the most well-funded defenses, where investments in leading cyber technology have been built over years, can fail or be bypassed if an employee is fooled into giving access to a cyber thief,” says Jim Guinn II, EY Americas Cybersecurity Leader. “And it can happen quickly – in just a matter of minutes.”

Attackers may pretend to be a distraught fellow employee desperately trying to recover vital information on a lost phone, reset a password or get help wiring money to an account. The intended target wants to help a fellow employee in need. This desire to assist may quickly undermine even the best-laid security plans. A successful cyberattack could disrupt basic operations, compromise customer and company data privacy, threaten a company’s reputation and create significant legal and economic consequences. A severe cybersecurity incident at a major resort and gaming giant in 2023, for instance, was facilitated using an IT employee identified on a business and employment-focused social media platform and a 10-minute call to the Help Desk, according to reports.

“Even the most educated and experienced members of your security staff are vulnerable to social engineering,” Guinn says. “These criminals are very, very good at what they do.”

The primary weapons

Three types of social engineering attacks are common:

  • Phishing—Phishing emails look trustworthy but link to or contain malicious content that executes as soon as users click it, encrypting their data in a ransomware attack. Spearphishing attacks target a specific person or group. Threat actors have also expanded to “smishing,” which is sending malicious text messages that can lead to the recipient authorizing an action or divulging personal information.
  • Pretexting—Creating a fabricated scenario that gains a target’s trust to extract sensitive information. For example, an attacker might pose as a bank representative and ask for account details under the promise of sending a check.
  • Baiting—Offering something enticing, such as a free download or prize, to lure victims into clicking on malicious links or downloading malware-infected files. Sometimes, an attacker might claim to be an IT support technician offering assistance and requesting login credentials.


