Social engineering, or the art of manipulating people into divulging confidential information, is highly effective, as it exploits human psychology rather than technical vulnerabilities.

People are inherently social creatures, susceptible to persuasion and manipulation, and bad actors know this. They leverage these traits to gain unauthorised access to company systems, bypass security measures, or steal sensitive data from organisations in every industry.

Learn more about this topic from Arctic Wolf

One need only look at the cyberattacks against casino giants MGM and Caesars. All these breaches took was the unwitting participation of the companies’ outsourced IT helpdesk to succeed. Social engineering – in this case, impersonation over the telephone, known as vishing – gave the attackers the information they needed to commit a ransomware attack that cost both entities millions of dollars.

A steppingstone

In some instances, social engineering attacks are used to target an individual in the hope they can be fooled into divulging their banking credentials. In other cases, the motivation is more sinister. An increasing number of individuals are being used as steppingstones towards the real, high-value target as one phase in a greater, more complex attack.

In MGM’s case, the IT helpdesk gave the malefactors the access they needed to carry out a large-scale ransomware attack, shutting down the casino’s systems for days. Social engineering is also used in the middle of an attack to gain privileged access or as more of a side hustle for criminals to get their hands on data or financial details while a more significant attack is taking place.

Multiple kinds of social engineering attacks can all be used at once. For example, business e-mail compromise (BEC) attacks are a type of phishing attack; a vishing attack can lead to a mobile payment app attack, and a social engineer can use baiting within a phishing attack. All these techniques create a perfect storm, working together to add complexity and maximise the chances of success.

No one is safe

The figures speak for themselves. The 2023 Verizon Data Breach Investigations Report claimed that 74% of breaches involved a human element, such as “error, privilege misuse, use of stolen credentials, or social engineering”. Arctic Wolf’s research mirrored these findings, revealing that user action was the culprit of compromise for 28% of incidents in 2022.

Social engineering is so popular among adversaries around the world that one thing is clear: it’s not going away any time soon.

South Africa is no different, and social engineering tactics in the country range from phishing e-mails and pretexting phone calls to impersonation strategies. Exploiting increasingly ubiquitous internet connectivity in the region, cybercriminals are cashing in by deceiving unsuspecting individuals.

According to research from the South African Banking Risk Information Centre (Sabric), incidents of social engineering attacks have surged in recent years, impacting businesses nationwide.

The financial toll of social engineering on South African businesses is significant. In 2022 alone, businesses suffered an estimated loss of R2.2-billion due to such attacks, as highlighted by the Cybersecurity and Digital Forensics Institute. These assaults not only inflict immediate financial harm but also undermine customer trust, inflicting enduring damage on a company’s reputation.

In addition, research showed that in Africa, just over half of all security incidents (52%) involved social engineering, and in over a third (37%) of successful attacks, vulnerabilities were exploited. Alarmingly, in one out of 10 incidents, bad actors were able to gain access to business resources by compromising credentials.

Like many other regions, South African businesses face legal obligations to safeguard customer data under the Protection of Personal Information Act (Popia), which mandates stringent data protection measures.

Social engineering attacks resulting in data breaches can incur severe penalties, which underscored the need for businesses to augment their defences in every way possible.

However, while users serve a vital role in stopping social engineering, they are not the only tool organisations can deploy.

A wide range of tools

Multiple tools can help today’s businesses detect a social engineering attack, stop it before a user falls for potential exploitation, or even shut down the incident after initial execution.

Multi-factor authentication (MFA): This access control adds a layer of security to credentials, which can stop a BEC attack before it occurs or can contain a threat actor from making lateral moves if they gained credentials during a social engineering attack.
Identity and access management (IAM) tools: These follow a zero-trust approach and will prevent privileged access without verification.
A managed detection and response (MDR) solution: This can detect and respond to unusual account activity, suspicious logins, or suspicious user behaviour.