UK businesses underestimate the threat of social engineering despite increase in attacks

Less than a quarter (22%) of businesses believe social engineering will be a major threat in the next two to three years, despite the fact that 42% of fraud prevention managers are frequently experiencing phishing attacks, according to our recent research.

The research highlights the anomaly between the growing risk which social engineering poses and the perception of businesses, in terms of where it sits in their fraud prevention priorities.  Of the 105 fraud prevention managers and directors surveyed, only 31% had clear policies in place to address social engineering, yet 75% acknowledged that when their organisation fell victim to fraud it was, either occasionally or more frequently, a result of an individual being exploited, rather than a technology-based attack.

Social engineering is defined as the way to gain access to buildings, systems or data by exploiting human psychology yet, shockingly, the research found that only 19% of businesses have a good understanding of social engineering techniques employed by fraudsters against their staff or customers. 

The topic was addressed at our annual Fraud Summit last week by Dr. David Modic, Research Associate at the Computer Laboratory, University of Cambridge, who said: “There is a growing awareness of the danger of social engineering, but more needs to be done. Businesses that don’t already recognise the scale of the threat soon will, as it will only increase in the coming years.  It’s easier, and cheaper, for fraudsters to exploit humans, than it is machines, so of course this is an avenue they will continue to pursue. The onus is on businesses to put in place the right tools and training to address the risks and to do their best to protect their customers, and their staff, from falling victim to this kind of fraud.”

The recent report from CIFAS – the UK's largest cross-sector fraud sharing database – confirmed a 7% increase in the number of fraudsters hijacking the accounts or services of innocent victims in 2017, with those aged over 60 being most at risk and accounting for more than a fifth (21%) of these attacks, due to their increased susceptibility to scams and social engineering.

Staff can also be a target, with 70% of the businesses we surveyed stating they felt more vulnerable to human based attack where employees were exploited. Recognising the importance of robust training, two thirds (66%) of businesses have implemented employee education programmes to help prevent fraud resulting from social engineering.

John Cannon, Managing Director, Fraud and ID, Callcredit, said: “Overall, the research suggests that social engineering is still a major problem, and we saw different levels of understanding and a wide range of approaches amongst those surveyed. It’s great that businesses are educating employees but that’s only part of what needs to be a much broader strategic approach. Technology is key in the fight against fraud, where advanced analytics and biometrics will have a part to play alongside core tactics such as identity verification which, as our research has shown, rightly remains a top priority for nine out of ten fraud leaders.”

Register for the full research eBook here.

To hear more from Dr. David Modic, view our interview.

Research Methodology

105 fraud prevention managers and directors working in companies with over 100 employees completed an online survey in May 2018. The research was conducted by London-based research agency, Loudhouse.