The Golden Age of Social Engineering.

Position: CORPORATE SECURITY

According to the 2020 Verizon Data Breach Report, even though hacking reportedly is down, social engineering accounts for more than two-thirds of attacks. Of those, 96% arrive via phishing. Attackers are using increasingly sophisticated trickery and emotional manipulation to cause employees, even senior staff, to surrender sensitive information.

Social engineering attacks spiked dramatically during the first half of 2020. The FBI also previously reported that, as of May 28, it had received nearly the same number of complaints this calendar year as it did in all of 2019.

Every time an employee clicks on a malicious link--whether through phishing or other means--they are putting the entire organization at risk of exposure.

Phishing is the most common type of social engineering attack today. Phishing attacks involve tricking a victim into revealing passwords and personal information, or handing over money. This occurs when someone clicks a malicious link--whether in a phishing email or a text message--and results in an account becoming compromised. User error also can be the result of someone leaving a laptop unattended, which subsequently leads to data theft.

Explains Juta Gurinaviciute, chief technology officer at NordVPN: "Criminals could trick an individual by posing as a legitimate business or government agency. For instance, you could receive an email asking for donations that's supposedly from a nonprofit, or a phone call from your bank requesting your Social Security number."

In a pretexting attack, meanwhile, attackers create a fake identity and use it to manipulate their victims into providing private information. For example, attackers may pretend to be an external IT service provider and request the user's account details and passwords to assist them with a problem.

This gives the hacker a sense of the victim's personal and professional life, which helps establish the right pretext needed to approach the victim credibly.

"The reality is, cybercriminals are constantly attempting to manipulate their way into secure digital locations," says Gurinaviciute. "It often starts with a friendly 'Hello' and ends with businesses losing thousands--sometimes millions--of dollars."

Baiting and quid pro quo attacks are common as well. In a baiting attack, bad actors provide something that victims believe to be useful: for example, free downloads or free health care advice about COVID-19. This also is known as "clickbait." It may be a software...
