Social Engineering: The #1 Root Cause Behind Most Cyber Crimes In FBI Report

By Roger Grimes

The following paragraphs were cited directly from my recent article highlighting social engineering.

"Social engineering and phishing are involved in 70% to 90% of all successful cybersecurity attacks. No other initial root hacking cause comes close.

This is not a recent development. Social engineering has been the number one type of attack since the beginning of networked computers. Despite this long-time fact, most organizations do not spend 3% of their IT/IT Security budget to fight it.

It is this fundamental misalignment of resources against the ways people and devices are hacked that allows hackers and their malware programs to continue to be so successful for decades. This is the number one problem for why we are hacked so much so successfully." 

Just a few months ago, Barracuda Networks stated that although spear phishing was only 0.1% of all email attacks, it accounted for 66% of all successful data breaches. One attack method is responsible for two-thirds of all successful cyberattacks.

Most cyber defenders know that social engineering and phishing are top reasons why people and networks are successfully attacked, but do not understand exactly how big of a problem they are, especially when compared to other types of initial root hacking causes. There are many reasons why this is the case, but part of the problem is how companies, surveys and the authorities incorrectly cover initial root hacking causes. The most common mistake they make is conflating initial root hacking causes with outcomes of root hacking causes.

Let me use the FBI’s most recent IC3 report as an example. It is one of the most well-respected reports, with great data and shows trends over many years. Below is a screenshot (from page 20 of their report) showing types of cybercrime. 

Source: IC3 Report

It is great data, showing many other types of reported crime that you do not typically see reported anywhere else, such as “Threats of Violence.” It is helpful information.

And KnowBe4 readers will absolutely notice that Phishing/Spoofing is the top crime by far. Just using the FBI’s numbers and categories, it is 43% of all crimes listed. The next closest category, Personal Data Breach, is just 8% of crime.

Social Engineering: A Much Deeper Root Cause

But the problem is that almost all of those other crime categories largely happened because social engineering, spoofing or phishing was involved. For example, the FBI lists BEC (business email compromise) scams. BEC scams are when someone receives a fake email, often an invoice or request, asking for a fraudulent payment.

The victim, thinking the request for payment is legitimate, pays it. According to many entities, including the FBI, BEC scams are second only to ransomware in the monetary damage they cause (i.e., $2.9 billion in losses, even surpassing ransomware, as tracked by the FBI).

The question is: how are most of those BEC scams committed? Almost all arrive as phishing scams.

Another example: how are most confidence/romance scams committed these days? Most through some sort of phishing and social engineering, either through email or on a social media channel. How does most ransomware (a separate category on the FBI’s report) get into a victim’s environment? The biggest cause is phishing and social engineering. We wrote a report on this a few years ago.

Indeed, for most of the crimes reported by the FBI, social engineering and phishing were the primary ways they were launched on the victim. If you accurately accounted for how many crimes involved social engineering/phishing/spoofing, the majority of them would involve some sort of social engineering aspect. If you counted correctly, I am very certain that social engineering and phishing would be involved in 70% to 90% of them, as has historically been the case for decades. Nothing has changed.

Note: Not all crime involves social engineering. Sometimes the thief just steals what they want or shows a weapon. There are no false pretenses involved. 

The Numbers Tell The Story

The overall reporting problem is many entities, including the FBI, are conflating initial root causes with outcomes of initial root causes. For example, ransomware is not an initial root cause. It is an outcome of an initial root cause. How did the ransomware get into an environment? Likely through social engineering. 

The attacker could have done anything else with the access they got using social engineering, but in that case, decided to execute ransomware. They could have installed password-stealing malware, exfiltrated confidential data (which they do over 90% of the time anyway), or robbed the person or company’s bank account. Instead, they used the access they had gained illegally to spread ransomware. 
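To make the counting distinction concrete, here is an added example (not from the article or from KnowBe4) that tallies a constructed incident log both ways: by the outcome category a crime report would list, and by the initial access vector the investigation established. The incident records and the SOCIAL_ENGINEERING vector set are constructed assumptions, not IC3 data.

```python
from collections import Counter

# Constructed sample incident log (not IC3 data). Each tuple is
# (outcome category a report would list, initial access vector found
# by the investigation).
INCIDENTS = [
    ("Phishing/Spoofing",    "phishing"),
    ("Phishing/Spoofing",    "phishing"),
    ("Phishing/Spoofing",    "phishing"),
    ("BEC",                  "phishing"),
    ("BEC",                  "phishing"),
    ("Ransomware",           "phishing"),
    ("Ransomware",           "unpatched_vpn"),
    ("Confidence/Romance",   "social_media_message"),
    ("Personal Data Breach", "credential_stuffing"),
    ("Extortion",            "phishing"),
]

# Initial access vectors we treat as social engineering (assumed set).
SOCIAL_ENGINEERING = {"phishing", "social_media_message", "vishing", "smishing"}


def share_by_outcome(incidents):
    """Share of incidents per reported outcome category (the report's view)."""
    counts = Counter(outcome for outcome, _ in incidents)
    return {k: v / len(incidents) for k, v in counts.items()}


def share_by_root_cause(incidents):
    """Share of incidents per initial access vector (the root-cause view)."""
    counts = Counter(vector for _, vector in incidents)
    return {k: v / len(incidents) for k, v in counts.items()}


def social_engineering_share(incidents, attribution="root_cause"):
    """Fraction of incidents attributed to social engineering.

    'outcome' counts only the Phishing/Spoofing bucket, as a crime report does;
    'root_cause' counts every incident whose initial access was social engineering,
    regardless of which outcome bucket the report filed it under.
    """
    if attribution == "outcome":
        return share_by_outcome(incidents).get("Phishing/Spoofing", 0.0)
    return sum(v for k, v in share_by_root_cause(incidents).items()
               if k in SOCIAL_ENGINEERING)


if __name__ == "__main__":
    print(f"outcome view:    {social_engineering_share(INCIDENTS, 'outcome'):.0%}")
    print(f"root-cause view: {social_engineering_share(INCIDENTS):.0%}")
```

On the constructed log the outcome view reports 30% for phishing while the root-cause view attributes 80% of incidents to social engineering, which is the gap the article describes.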

If you are ever going to stop crime from happening, you need to recognize how it is happening. And in most cases, it involves social engineering and phishing. If we want to stop most crime, we need to teach people how to spot social engineering scams, no matter how they arrive (e.g., email, social media, phone calls, etc.), and what to do to mitigate them (i.e., report, delete, etc.). 

The problem is that most readers will think that social engineering is only 43% of the problem when it is really almost all of the problem. Either way, a defender needs to concentrate on social engineering as the primary problem and respond accordingly. But, in this case, the FBI presents 26 different things you need to worry about. All crime comes across to readers as bubbles in a glass of champagne.

What they are not telling you is that one of those bubbles is far larger than the rest added up all together and fills up most of the glass. If you do not take care of that one bubble, the rest probably do not matter. The success of yourself and your organization will mostly be attributed to how well you address the elephant in the room. 

There is a common thread among a large percentage of crimes committed today. And it is not just 43% of the problem. It is 70% to 90% of the problem. It is almost all the problem. It is what everyone needs to be more focused on until it is no longer the majority of the problem by far.
