In a world where virtual communication has become an integral part of our lives, the risk of falling victim to phishing and social engineering attacks is higher than ever. Are you confident in your ability to spot a phishing attempt or defend yourself against a skilled social engineer? This post will guide you through understanding phishing and social engineering virtual communication awareness and our learnings from advising customers and empowering you to stay vigilant in the digital landscape.

This rise in social engineering was seen alongside significant increases in phishing, smishing, vishing, the use of valid accounts and other tactics – adding up to the highest volume of incidents seen in 2023. These, as well as other notable trends from the previous quarter, are discussed in the report, Q3 2023 Threat Landscape Report: Social Engineering Takes Center Stage.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint Cybersecurity Advisory describing the Scattered Spider cybercriminal gang’s activities. The group, believed to be unusual both for the relative youth of its members and their native proficiency in English, was responsible for this summer’s compromises of MGM Resorts and Caesars Entertainment. It also excels at social engineering.

Social engineering in its many forms took center stage in Q3 2023. The quarter saw “human hacking” evolve from a long-standing security challenge to threat actors’ method of choice. This was evidenced by our observations of the dramatic escalation of social engineering tactics, with significant increases in phishing, smishing, valid accounts, voice phishing and other tactics—adding up to the highest volume of incidents we have seen in 2023.

As ransom payments reach an all-time high, it’s time to look at attacks from a data perspective and find the greatest opportunities to stop these attacks. Every quarter, I’ve been covering the Quarterly Ransomware Reports from ransomware response company Coveware. In their latest report covering Q3 of this year, we get a greater sense of what trends their security researchers are seeing from the data: This last one is interesting.

When a ransomware group launched twin cyber attacks on casino giants MGM and Caesars, they only needed the accidental participation of the organizations’ outsourced IT help desk to get started. It was social engineering — in this case impersonation over the phone, or vishing— that gave the hackers the information they needed to launch a ransomware attack that cost both casinos millions.

Let me give you a quick introduction. My name is Stu Sjouwerman. I’m the Founder and CEO of KnowBe4, my 5th startup. I have been in IT for 40+ years, the last 25 of those in information security. In my last company we built an antivirus engine from scratch and combined it with intrusion detection, prevention and a firewall. And we ran into a persistent problem nobody seemed to be able to address; end-users being manipulated by bad actors to let them in.

Social engineering attacks have a very long history, though the Internet has made it easier to launch these attacks en masse, according to Sean McNee at DomainTools. McNee points to an advance-fee scam from 1924, in which a crook sent a letter pretending to be trapped in a Spanish debtors prison. The sender requested that the recipient send a check for $36,000 to pay off his debt. After the sender is freed, he promises to pay the recipient back, with an extra $12,000 for the trouble.