How Do Laws Address Social Engineering Used in Scams and Cyber Attacks?
According to the FBI's 2022 Internet Crime Report, victims of scams lost $10.3 billion collectively that year. This marks a 50 percent increase compared to the 2021 data. On the other hand, the Federal Trade Commission's Sentinel Network Data Book 2022 shows that losses to fraud increased by over 40 percent compared to 2021 numbers.
One of the biggest reasons for these massive losses to scams is social engineering, which is one of the most enduring tactics in cybercrime. It continues to be effective because people have barely improved in how they deal with it. Many still click on links or download files without ascertaining safety. Phone and SMS scammers continue to find new victims. Governments acknowledge these problems, and they are introducing legislation to try to provide solutions. The question is, are these working? Are laws making a dent in the scam and cyber attack problems driven by social engineering?
Anti-fraud and anti-theft laws
Social engineering attacks essentially become part of a scheme to defraud someone, since they aim to manipulate people into doing things they would be unlikely to do without the influence or schemes of a threat actor. However, the legal charges filed against someone involved in social engineering depend on the specific attack that was carried out.
For example, someone who creates fake websites to steal login credentials or account details may be charged with identity theft, computer fraud, privacy violations, and phishing. If it is proven that the stolen credentials were used to log in to accounts, charges for unauthorized access to computer systems may also be filed.
There are no laws that specifically penalize social engineering as a standalone offense. Prosecutors examine the underlying actions and outcomes when deciding on the charges to be filed. Laws are usually aimed at addressing criminal or harmful activities that are facilitated or enabled by social engineering techniques.
Still, it can be said that anti-fraud laws help address the scourge of social engineering since they criminalize the greater schemes and end goals that involve social engineering tactics. They may not always stop bad actors from deceiving people into revealing their private information or unwittingly transferring funds or secrets to unintended recipients, but they provide the legal basis to go after the perpetrators of social engineering campaigns that manage to steal data or funds and illegally access accounts.
Cybersecurity laws
In 2021, President Biden signed an executive order on improving cybersecurity in the United States. One of the main goals of this order is to rebalance cyberspace defense by changing the norm of expecting individuals, small businesses, and local governments to be responsible for their own cybersecurity. Instead, the federal government expects the organizations that are in the best position, and have the suitable capabilities, to take on most of the burden of cybersecurity.
This executive order has a broad impact on cybersecurity, and it can affect the way social engineering is dealt with. In particular, the order directs organizations to put in place the essential security mechanisms that prevent threat actors from achieving their goals. These include controls like multi-factor authentication, which stops attackers from accessing accounts even if the usernames and passwords have been compromised.
Additionally, the executive order imposes compulsory incident reporting. Federal government agencies, contractors, software providers, and others are required to report attacks or serious security incidents, including social engineering, as soon as possible. The rationale for this reporting requirement is to disseminate threat intelligence quickly and broadly to support efficient detection and response. With more institutions and organizations informed about the most recent attacks, it becomes easier to address threats and vulnerabilities.
Moreover, the Biden order on cybersecurity emphasizes the need to invest in better security for all organizations. These security investments include the upgrading of security controls and strategies as well as cybersecurity training to reduce the likelihood of employees falling prey to social engineering attacks. It is important to keep up with the changing threat landscape, especially when it comes to techniques that take advantage of human weaknesses in cybersecurity.
There are other laws that also have an impact on combating social engineering tactics. The General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA), for example, require those involved in data control and processing to implement appropriate security measures, which in practice includes defenses against social engineering. They do not specifically mention social engineering, but it is understandable that this problem is a priority given that social engineering is employed in around 98 percent of cyber attacks.
The existence of cybersecurity laws does not automatically eliminate social engineering. However, these laws prevent perpetrators from scaling up and repeatedly deploying their attacks unhindered.
Data privacy and consumer protection laws
Many social engineering attacks target specific consumers, so they require the collection of customer data before they can be initiated. Phishing and vishing, for example, are only possible if the attackers know the email addresses, messaging app IDs, and contact details of the targets. Perpetrators do not simply generate random addresses or contact numbers to attack. Scammers that rely on social engineering may also use personal details and sensitive information about their victims to make their schemes more convincing.
One of the ways to prevent cybercriminals from obtaining the contact details of consumers is the strict implementation of data privacy laws. GDPR, HIPAA, and other data protection laws help prevent businesses from carelessly handling the data they collect. Also, the Federal Trade Commission Act (FTCA), the Telephone Consumer Protection Act (TCPA), and other consumer welfare laws in different states reduce the leakage of private data that can be used by threat actors in their social engineering campaigns. They include provisions that explicitly outlaw the sale of consumer data to advertisers and other parties.
Data protection and consumer protection laws are far from perfect, and they cannot stop all data from going into the wrong hands. However, they can provide a good first line of defense. They stop organizations from abusing data collection and utilization. Without them, everyone would probably be getting a deluge of spam and scam messages and calls.