Companies struggle to stop social-engineering attacks

Companies need to rethink their cyber defense strategies as cybercriminals fine-tune their social-engineering tactics to target vulnerable employees, experts told Axios.

Why it matters: Recent cyberattacks targeting casino giants MGM Resorts and Caesars Entertainment have highlighted the challenges companies still have in defending against social-engineering attacks.

Catch up quick: Caesars said in a public 8-K filing last week that hackers originally broke into its networks after targeting one of its outsourced IT vendors with a social-engineering attack.

• Reports suggest that the apparent cyberattack on MGM started in a similar way.

The big picture: As companies have gotten better at detecting traditional phishing emails, malicious hackers have had to turn to new techniques to make their lures more believable.

• For instance, one group known as Scattered Spider has made text-message phishing and fake phone calls a core part of its attack strategy.
• The group has been linked to the MGM and Caesars incidents, and its hackers have successfully broken into more than 100 other companies during the group's roughly two-year existence.

By the numbers: 74% of data breaches between November 2021 and October 2022 involved a human element via an error, privilege misuse, social engineering or use of stolen credentials, according to Verizon's 2023 data breach investigations report.

• The number of cyber incidents involving a fake story or other pretext — the form of social engineering seen in recent high-profile attacks — also doubled last year, per Verizon.

Between the lines: Personalizing employee training and awareness programs can go a long way in preventing successful social-engineering attacks, Ashley Rose, CEO and co-founder of Living Security, told Axios.

• Companies are often already collecting data about which employees reuse passwords, who needs access to sensitive data for their roles, and which teams are receiving the largest volume of scam emails.
• Using that data, organizations can easily tailor internal security controls, such as implementing stricter email filters, for those who are most at risk of being duped by an email or call, Rose said.

The intrigue: To go beyond awareness and training programs, companies should also prepare for the inevitability that their employees will be duped by a phone call, text message or email, Kimberly Goody, head of cybercrime analysis at Mandiant, told Axios.

• Limiting the number of employees who have access to sensitive corporate data, as well as employing stricter password reset and multifactor authentication tools, could help prevent attackers from getting too far into a network, she added.

What they're saying: "They don't need the social engineering to work every single time," Goody said of malicious actors. "They just need it to work sometimes — once in a blue moon is enough for them."

Threat level: The rising availability of artificial intelligence tools will only make social-engineering attacks easier to fall for in the coming years, experts say.

• AI tools could help cybercriminals do everything from dig up the information they need about an organization's employees on the dark web to writing more believable phishing emails, Rose said.
• Already, researchers have found that generative AI tools have allowed cybercriminals to build an entire copy of someone's voice for scam calls using as little as three seconds of a clip.

The bottom line: Companies shouldn't stop their human-centered defenses at baseline awareness and trainings.

• Leaning on data to determine which employees are most at risk of falling for a phishing attempt and building stronger internal data controls are the best defenses.

Sign up for Axios' cybersecurity newsletter Codebook here.