If Social Engineering Accounts for up to 90% of Attacks, Why Is It Ignored?

By Roger Grimes

Social engineering and phishing are involved in 70% to 90% of all successful cybersecurity attacks. No other initial access root cause comes close.

This is not a recent development. Social engineering has been the number one type of attack since the beginning of networked computers. Despite this long-standing fact, most organizations do not spend even 3% of their IT/IT security budget fighting it.

It is this fundamental misalignment between where resources go and the ways people and devices are actually compromised that has allowed attackers and their malware to remain so successful for decades. This is the number one problem, and it is why we keep getting hacked.

When I tell people about this long-running conundrum, they ask why it is so. There are many reasons, including that there are a great many ways you could be broken into, all of which you are expected to prevent, all at once. Cybersecurity compliance regulations often list hundreds of controls you are expected to deploy and oversee. But every control that focuses on something far less likely to happen, while ignoring what is very likely to happen, is an inefficient and probably failed defense.

We are told that we need to focus on everything, or on the wrong thing, and we are not told what by far the biggest part of the problem is and that we need to focus on it first and best. And the problem does not occur only at the level of the individual cyber defender, or even the individual organization. It is a global, systemic problem. Even the national and global organizations created specifically to protect you against cyber threats are letting you down and telling everyone to focus on the wrong problems.

Letting the Wrong Ones In

Let me use a parable to explain the problem. Imagine you had a house that was broken into all the time, and nearly every time the criminals got in through a window. Not every time, but nearly every time. You knew this, and in response you put more locks on your front door. Then you wondered why your house kept getting broken into, again and again.

It gets worse. Imagine that every house in your neighborhood is being broken into over and over, and each time the thieves enter through a window. Your neighbors decide they have had enough of the crime wave, call a community meeting, and invite the local law enforcement department to address the housing crime.

Local law enforcement speaks at the meeting and confirms that most of the houses are being broken into through windows. Further, they say they have spoken to national law enforcement, who confirm that nearly all the housing break-ins in the country are happening because thieves enter through windows.

They have also spoken with global law enforcement agencies, who confirm that nearly all the break-ins nationally and globally happen because thieves come in through a window. Upon hearing this, everyone nods in agreement. They, too, have personally experienced that most break-ins occur through windows. No one disagrees. Law enforcement then recommends that everyone buy stronger, metal doors. That should do the trick! And everyone runs out and buys stronger metal doors.

If this scenario sounds insane, it is. It is also exactly what is happening in the cybersecurity world. The world's leading cybersecurity organizations know that social engineering and phishing are the reason most of the world's cybercrime succeeds, and yet they keep recommending solutions that address everything except preventing social engineering and phishing. It happens all the time, but let me give you a recent example.

Social Engineering and Ransomware

On February 29, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint warning bulletin about Phobos ransomware. Phobos has been causing a lot of harm over the last year and especially in the last few months. At the top of the bulletin, they list the top three actions cyber defenders should take to mitigate Phobos ransomware (see below).

Source: CISA

These three top-priority recommendations are not bad things; implementing them can only help. But none of them addresses the top way Phobos ransomware gets into an environment in the first place. The bulletin describes multiple ways the ransomware gains access to a victim environment, including RDP abuse and previously stolen credentials.

Yet the bulletin says over and over that one of the primary attack methods is social engineering and phishing. In the snippet shown below, it states, "Phobos actors TYPICALLY [emphasis added] gain initial access to vulnerable networks by leveraging phishing campaigns…"

Source: CISA

Phishing is even presented in multiple tables in the report, including this one (shown below) listing “Initial Access” attack techniques. 

Source: CISA

This is not unexpected. Phishing and spear phishing are usually the top ways attackers break into an environment; it is the rare exception when phishing is not the top method. Just a few months ago, Barracuda Networks reported that although spear phishing made up only 0.1% of all email attacks, it accounted for 66% of all data breaches. One attack method was responsible for two-thirds of the breaches in that data set.

In general, across cyber attacks of all types, social engineering is involved in 70% to 90% of them. The share may be a bit lower in ransomware attacks: reported figures put social engineering at 40% to 50% of ransomware attacks, which is still the highest root cause, and the real figure is likely higher. The other top root cause is the ransomware attacker gaining unauthorized access using previously stolen credentials.

How are those credentials usually stolen? Social engineering, of course. Seventy-nine percent (79%) of credential thefts come through phishing. Add the phishing-driven share of credential theft to direct social engineering and you get a phishing rate far closer to the general 70% to 90% range. It is clear that social engineering is the top root cause of cyber attacks in general, of ransomware attacks, and very likely of Phobos ransomware attacks.

And yet only in a few almost incidental places does the bulletin tell readers to defend against and mitigate social engineering and phishing. It is certainly not among the three recommended mitigations highlighted in red at the top of the report. The first recommended mitigation under the official "MITIGATIONS" section is "Secure by Design," a recommendation to software vendors to reduce vulnerabilities when designing their software, which has almost no bearing on how Phobos ransomware gets in.

Getting Priorities Straight

When defeating phishing is finally recommended as a mitigation near the end of the report, it appears 13th among 20 controls, hundreds of sentences and many thousands of words below far less relevant recommendations. How likely is any reader to realize that the 13th recommended mitigation is probably THE BEST WAY to keep Phobos ransomware out of their environment?

Even then, the advice is to use "phishing-resistant multifactor authentication (MFA)." That is great advice, and one we wholly support. But it likely does not stop a Phobos attack. Why?

Because, according to the bulletin, Phobos gets onto victim computers when a user opens and executes a malicious phishing attachment. Once a user is tricked into running malware on their computer, it is game over for the entire organization: the attacker is in. Phishing-resistant MFA may stop remote RDP attacks that rely on a stolen password, but by then the attacker already has a foothold inside the victim's network and no longer needs RDP. They can set up their own hidden remote back doors, exfiltrate data, and kick off the ransomware.

Nowhere does the report mention training employees to recognize and prevent social engineering and phishing. The report even notes that Phobos attackers also use social engineering over phone calls to the victim. MFA of any type is not going to stop that attack vector.

So we have a report warning that a ransomware group frequently (i.e., "typically") uses social engineering in its attacks, both by email and by phone, and yet how to prevent those things is either not covered at all, or covered barely and weakly, and presented late in the report. And the three top mitigations presented at the top of the report, highlighted in red, which tell readers what they need to do to prevent this ransomware, do not address the social engineering attack vector at all.

That very much seems like we are being asked to build stronger doors when the attacks are coming through the windows.

Note: Over a year ago, I saw a few CISA/FBI ransomware bulletins that recommended fighting social engineering as one of the top three things a defender could do, at the top of the report, but inexplicably this seems to have been reversed and stopped.
