Please use this bank account number going forward.
There is a common misconception when it comes to distinguishing phishing from the more complex forms of social engineering. Raise your hand if you haven’t received an email with a dubious attachment or a malicious link requesting that you update your password. Nobody? Yeah, that’s what we thought. This is phishing, and it makes up 44% of Social Engineering incidents. Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top.
One of the more complex social attacks is the BEC. In these pretexting attacks, actors leverage existing email threads and context to request that the recipient conduct a relatively routine task, such as updating a vendor’s bank account. However, the devil is in the details, and the new bank account belongs to the attacker, so all payments the victim makes to that account will make zero dents in what they owe that vendor. These types of attacks are often much harder to detect due to the groundwork laid by the threat actors prior to the attack. For example, they might have spun up a look-alike domain that closely resembles that of the requesting party and possibly even updated the signature block to include their own phone number instead of that of the vendor they’re pretending to represent. These are just two of the numerous subtle changes that attackers can make in order to trick their marks—especially those who are constantly bombarded with similar legitimate requests. Perhaps this is one of the reasons BEC attacks have almost doubled across our entire incident dataset, as can be seen in Figure 36, and now represent more than 50% of incidents within this pattern.
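The indicators described above (a payment-detail change request riding on an existing thread, a look-alike sender domain, a signature block carrying the attacker's number) can be screened for mechanically before anyone in accounts payable acts on the request. The following is an added illustration, not code from the report or from any vendor's product: the vendor records, the homoglyph list, the phrase patterns and the sample message are all constructed, and the policy encoded (hold any payment-detail change for a callback to the number already on file) is an assumption about how the receiving organisation wants to operate.

```python
"""Screening an inbound vendor e-mail for BEC indicators.

Illustrative example added to this section; it is not code from the report
or from any vendor tool. Vendor records, domains, phone numbers and the
sample message are all constructed.
"""
import re
from dataclasses import dataclass

# Substitutions attackers commonly use to build look-alike domains (assumed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Phrases that signal a request to change where payments go.
CHANGE_WORDS = r"(new|updated?|changed?|switch(ed)?|use this|use the following)"
BANK_WORDS = r"(bank|account|routing|iban|swift|wire|beneficiary)"
BANK_CHANGE_PATTERNS = [
    re.compile(rf"\b{CHANGE_WORDS}\b.{{0,40}}\b{BANK_WORDS}\b", re.I),
    re.compile(rf"\b{BANK_WORDS}\b.{{0,40}}\b{CHANGE_WORDS}\b", re.I),
]
PHONE_IN_SIGNATURE = re.compile(r"\b(?:tel|phone|mobile)[:.]?\s*(\+?[\d\s().-]{7,}\d)", re.I)


@dataclass
class VendorRecord:
    name: str
    domain: str
    phone: str  # number verified out of band when the vendor was onboarded


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph tricks so 'acrne-supp1ies' reads as 'acme-supplies'."""
    d = domain.lower().strip().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def digits_only(phone: str) -> str:
    return re.sub(r"\D", "", phone)


def match_vendor(sender_domain, vendors, max_distance=2):
    """Return (vendor, is_lookalike). An exact domain match is the real vendor;
    a near match after normalization is treated as an impersonation attempt."""
    sender = sender_domain.lower()
    for v in vendors:
        if sender == v.domain.lower():
            return v, False
    norm = normalize_domain(sender)
    for v in vendors:
        if edit_distance(norm, normalize_domain(v.domain)) <= max_distance:
            return v, True
    return None, False


def assess_message(msg: dict, vendors) -> dict:
    """Collect BEC indicators and decide whether the request needs out-of-band
    verification. A payment-detail change is always held for a callback to the
    number on file, never to a number taken from the e-mail itself."""
    findings = []
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    body = msg["body"]

    if any(p.search(body) for p in BANK_CHANGE_PATTERNS):
        findings.append("requests a change to payment details")

    vendor, lookalike = match_vendor(sender_domain, vendors)
    if lookalike:
        findings.append(f"sender domain {sender_domain} resembles vendor domain {vendor.domain}")

    reply_to = msg.get("reply-to", "")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain.lower():
        findings.append("reply-to routes replies to a different domain")

    sig = PHONE_IN_SIGNATURE.search(body)
    if vendor and sig and digits_only(sig.group(1)) != digits_only(vendor.phone):
        findings.append("signature phone number differs from the number on file")

    hold = any("payment details" in f for f in findings)
    return {
        "vendor": vendor.name if vendor else None,
        "findings": findings,
        "action": "hold: verify by calling the number on file" if hold else "release",
    }


# Constructed sample: one vendor on file and one message impersonating it.
VENDORS = [VendorRecord("Acme Supplies", "acme-supplies.example", "+1-555-0199")]
SAMPLE_MESSAGE = {
    "from": "s.lee@acrne-supplies.example",   # 'rn' stands in for 'm'
    "reply-to": "s.lee@acrne-supplies.example",
    "subject": "RE: RE: Invoice 4471 - remittance",
    "body": (
        "Hi Dana, following up on the thread below. We have changed banks, so\n"
        "please use this bank account number going forward: IBAN XX00 TEST 0000.\n"
        "Regards,\nSam Lee, Accounts Receivable, Acme Supplies\nTel: +1 555 0100\n"
    ),
}

if __name__ == "__main__":
    import json
    print(json.dumps(assess_message(SAMPLE_MESSAGE, VENDORS), indent=2))
```

On the sample message the screen raises three findings (payment-detail change, look-alike domain, signature phone that does not match the number on file) and holds the request. The deliberate design choice is that the phone check compares against the record captured at onboarding, so a signature block edited by the attacker cannot satisfy it; the homoglyph and edit-distance thresholds are tuning knobs and will need adjusting to a real vendor list to keep false positives down.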
Attack type doesn’t appear to have much of an effect on click/open rate. The median fail rates for attachment and link campaigns are 4% and 4.7% respectively, and the median click rate for data entry campaigns is 5.8% (though the data entry rate is 1.6%).