Social Engineering: The Weapon of Choice for Email Scammers

5 min read · Aug 23, 2019


Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By John Wilson

The recent Internet Crime Report from the FBI showcasing the growth of business email compromise (BEC) from a $700 million problem to a $1.3 billion problem over the course of only one year was certainly alarming. It showcases just how much cybercrime is growing, despite increased defenses across organizations worldwide.

But one key element stands out for me — the fact that none of these attacks involve malware or malicious links. The fraudsters’ weapon of choice continues to be plain-text email messages, and they’re clearly becoming more successful. These emails rely on identity spoofing and social engineering tactics to manipulate recipients into wiring millions of dollars by making them believe they were reacting to a known and trusted sender.

Though it’s true that some email attacks still include phishing links or attachments with spyware, ransomware, or any kind of “-ware” you can think of, it is the criminal use of human psychology in simple, innocuous-looking email messages that is quickly becoming the number one cybersecurity threat to businesses and consumers alike.

Double Trouble with BEC

But how can this really be possible? How can smart people be fooled into revealing sensitive information or wiring money (and apparently lots of it), simply by receiving an email purporting to come from a known business or individual?

You’d be surprised. For one thing, we’re not talking simple spam here. Today, networked cybercrime rings produce emails that can be so well researched and so exquisitely targeted that they can be virtually indistinguishable from messages sent by a trusted colleague or brand.

Adding to the impersonation? Ploys such as display name fraud, look-alike domains, and, when possible, previously compromised email accounts that can be used to easily defraud their prey. Sometimes, it even involves meticulous grooming over weeks or even months as fraudsters gain the trust of unsuspecting employee or consumer targets. As a whole, these efforts appear to be well worth it.

Angles of Attack with Social Engineering

Today, a typical business email compromise campaign will snare its first victim in just under four minutes, often with queries about a past-due invoice or updates to payment details. More recently, we’ve seen criminals asking for gift cards, which are typically easier to obtain and less likely to raise alarm across the organization.

Sometimes, these social engineering schemes entail a late-afternoon message purported to come from a top executive, but recent research shows that they typically arrive in the morning — often as employees are just settling in for the day.

Because they are sent right as employees are sitting in traffic on their way into the office, criminals are effectively increasing the odds the recipient will read the message on a mobile device. Why? Because most mobile email clients display only the sender’s name as a default — not the email address. Recipients pressured to act quickly while late to the office may react to messages that appear urgent without thinking to confirm legitimacy.
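The two ploys named above, display name fraud and look-alike domains, can both be checked mechanically on the `From:` header that a mobile client hides. The following is an added example, not Agari's code or anything from the original post: it assumes a small constructed directory of trusted senders (`TRUSTED_SENDERS`, `TRUSTED_DOMAINS`, with `example-corp.com` as the fictitious legitimate domain) and constructed sample headers, and it flags a trusted display name paired with a foreign mailbox, or a domain that is a near-typo or an extended variant of a trusted one.

```python
"""Display-name and look-alike-domain checks over constructed From: headers.

Added example (not the original post's code). The trusted-sender table,
domains and sample headers are constructed for the demo, not real data.
"""
from email.utils import parseaddr

# Constructed directory of legitimate senders: display name -> expected domain.
TRUSTED_SENDERS = {
    "jane doe": "example-corp.com",
    "accounts payable": "example-corp.com",
}
TRUSTED_DOMAINS = {"example-corp.com"}


def levenshtein(a, b):
    """Edit distance; used to spot one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted_domains=TRUSTED_DOMAINS):
    """Return the trusted domain this one resembles, or None if it is clean."""
    d = domain.lower()
    if d in trusted_domains:
        return None
    for t in trusted_domains:
        # Near-typo (at most 2 edits) or the trusted name embedded with extra tokens,
        # e.g. example-corp-billing.com
        if levenshtein(d, t) <= 2 or t.split(".")[0] in d:
            return t
    return None


def as_mobile_client_shows(from_header):
    """What a default mobile client renders: the display name only."""
    name, _addr = parseaddr(from_header)
    return name


def assess_from_header(from_header):
    """Parse a From: header and list impersonation findings for it."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    key = name.strip().lower()
    # A trusted display name on a mailbox outside the expected domain.
    if key in TRUSTED_SENDERS and domain != TRUSTED_SENDERS[key]:
        findings.append("display-name-fraud")
    la = lookalike_domain(domain)
    if la:
        findings.append("lookalike-domain:" + la)
    return {"display_name": name, "address": addr, "domain": domain, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three impersonation attempts.
    samples = [
        "Jane Doe <jane.doe@example-corp.com>",
        "Jane Doe <ceo.janedoe@gmail.com>",
        "Jane Doe <jane.doe@examp1e-corp.com>",
        "Accounts Payable <ap@example-corp-billing.com>",
    ]
    for s in samples:
        r = assess_from_header(s)
        print(as_mobile_client_shows(s), "|", r["address"], "|", r["findings"] or "clean")
```

The edit-distance threshold is deliberately loose for short domains; in a real filter it would be combined with the sender's history for that recipient, which is the behavioral angle the post goes on to describe.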

The SEC report makes clear just how financially remunerative these rackets can be. In fact, according to the FBI, more than $13 billion has been pilfered through such cons since 2013.

But this isn’t the only email problem impacting your business.

Fast Money, Long-Lasting Effects from Email Scams

Phishing attacks targeting consumers typically involve impersonating well-known brands from a variety of sectors. Consumer packaged goods, media, retail, fast food, real estate, banking, government, and just about any other industry you can imagine can be leveraged as the bait in a phishing scam.

Here too, social engineering is central to success. By projecting urgency — “Password Check Required,” “Your Payment Has Been Declined,” or “Security Alert,” for instance — these emails are designed to fool recipients into responding quickly before facing some perceived consequence. Last year alone, consumers lost $172 billion through these and similar online scams.

When it is your brand that gets impersonated, victims often unfairly blame your company, sharing their outrage on social media. Even when a customer hasn’t been personally duped, publicity about cons bearing your brand name can mean they’ll be hesitant to open the next email you actually do send. And with these scandals living on Google for years, it’s not easy to put the past behind you, even when extra security measures have been taken to prevent it from occurring again.

Not only can victims face financial ruin, but the ripple effect can also have serious repercussions to your bottom line. Among other things, it can hobble marketing efforts in a channel that’s 40 times more effective at generating revenue than any other digital medium at your disposal. The impact can be long-lasting, despite your best efforts to move forward.

Traditional Email Security Isn’t Enough

Unfortunately, while traditional secure email gateways (SEGs) and other email security solutions are generally quite good at ferreting out malicious links and malware, they haven’t proven effective at countering fraud attacks that are primarily propelled by social engineering.

Instead, some organizations are finding they need to deploy artificial intelligence-based technologies that apply behavioral analytics to understand the relationships between sender and receiver to detect and prevent socially-engineered email attacks.

As for protecting customers? That can be even harder. While many organizations have implemented the Domain-based Message Authentication Reporting and Conformance (DMARC) standard that can help recipient systems spot brand impersonators, only 12% of the Fortune 500 have set up the DMARC policy parameters needed to do this effectively. Organizations across the FTSE 100 and ASX 100 show even worse numbers.
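The "policy parameters" that separate a DMARC record that merely monitors from one that actually blocks impersonation are the `p`, `sp` and `pct` tags. The following is an added example, not Agari's code or part of the original post: it classifies a DMARC TXT record by enforcement level using tag names from RFC 7489 (`v`, `p`, `sp`, `pct`, `rua`). The records it examines are constructed strings, not fetched from DNS, so it runs offline; `example-corp.com` is a fictitious domain.

```python
"""Classify DMARC policy records by enforcement level.

Added example (not the original post's or Agari's code). Tag names follow
RFC 7489; all sample records below are constructed, not looked up in DNS.
"""

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; unknown tags are kept as-is."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_enforcement(record):
    """Return one of: missing, monitor, partial, enforced."""
    if not record:
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"  # not a valid DMARC record; receivers ignore it
    p = tags.get("p", "").lower()
    if p not in ENFORCING and p != "none":
        # RFC 7489 s6.6.3: an absent or invalid p with a usable rua is treated as p=none
        return "monitor" if "rua" in tags else "missing"
    if p == "none":
        return "monitor"  # reports only; spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100
    return "enforced" if pct >= 100 else "partial"


def dmarc_findings(record):
    """Enforcement level plus the gaps a defender would want to close."""
    level = dmarc_enforcement(record)
    tags = parse_dmarc(record or "")
    notes = []
    if level != "enforced":
        notes.append("policy is %s; spoofed mail from this domain can still reach inboxes" % level)
    if "rua" not in tags:
        notes.append("no rua= address: aggregate reports are not being collected")
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p or "none").lower()  # sp defaults to p
    if p in ENFORCING and sp not in ENFORCING:
        notes.append("subdomain policy sp=%s is weaker than p=%s" % (sp, p))
    return level, notes


if __name__ == "__main__":
    # Constructed records for fictitious domains.
    samples = {
        "example-corp.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com",
        "monitor-only.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.test",
        "half-hearted.test": "v=DMARC1; p=quarantine; pct=10",
        "subdomains-open.test": "v=DMARC1; p=reject; sp=none; rua=mailto:d@subdomains-open.test",
        "no-record.test": "",
    }
    for domain, rec in samples.items():
        level, notes = dmarc_findings(rec)
        print(domain, "->", level, *("\n  - " + n for n in notes))
```

Only the first sample would count toward the "set up effectively" figure the post cites: `p=none` and a partial `pct` leave spoofed mail deliverable, and `sp=none` leaves every subdomain open even when the apex domain rejects.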

Email attacks continue to be a money-maker for cybercriminals because organizations continue to be powerless against them. It is only by implementing the tools available as part of the next-generation Secure Email Cloud that we can protect against them — no matter which tactics they use and who they plan to target. It is time that organizations worldwide take proactive steps to protect customers and employees alike with solutions that combine machine learning and globally crowdsourced threat intelligence to defeat sophisticated con artists. Otherwise, these cybercriminals will rob us all blind.

To learn more about how the next-generation Secure Email Cloud is changing the game for cybersecurity, download an exclusive report.




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.