Phishing and Social Engineering Threats in Florida

Phishing and social engineering attacks represent one of the most persistent threat categories affecting Florida's public agencies, private businesses, financial institutions, and individual residents. These attacks exploit human decision-making rather than technical vulnerabilities, making them effective across industries regardless of the sophistication of an organization's technical defenses. Florida's large population, high concentration of retirees, dense tourism infrastructure, and active financial sector create a target-rich environment for threat actors deploying these methods. This page describes the structure, variants, operational mechanics, and decision boundaries relevant to phishing and social engineering threats within the state.


Definition and scope

Phishing is a category of cyberattack in which threat actors use deceptive communications — most commonly email, but also SMS, voice calls, and social media — to manipulate recipients into disclosing credentials, transferring funds, or installing malicious software. Social engineering is the broader discipline: it encompasses any technique that exploits psychological principles (authority, urgency, reciprocity, fear) to bypass human judgment rather than technical controls.

The Cybersecurity and Infrastructure Security Agency (CISA) classifies phishing as a primary initial access vector and has identified it as the leading delivery mechanism for ransomware campaigns — which are separately covered at Florida Ransomware Threats.

Within Florida, phishing threats fall under the jurisdiction of multiple regulatory frameworks. The Florida Information Protection Act (FIPA), Fla. Stat. § 501.171, imposes breach notification obligations on covered entities when phishing attacks result in unauthorized access to personal data. The Florida Digital Bill of Rights (2023) expands consumer data protections, adding legal context for phishing-related disclosures. Federal frameworks including the FTC Act, 15 U.S.C. § 45, and sector-specific rules (HIPAA for healthcare, GLBA for financial services) impose parallel obligations. The regulatory landscape for these intersecting requirements is detailed further at Regulatory Context for Florida Cybersecurity.

Scope boundary: This page covers phishing and social engineering threats as they apply to entities operating under Florida law or within Florida's geographic jurisdiction. Federal criminal prosecution of phishing (e.g., under 18 U.S.C. § 1343 wire fraud statutes) and international threat actor attribution fall outside this page's scope. Sector-specific phishing risks for healthcare, financial services, and government are covered in greater depth on their respective sector pages within this Florida cybersecurity reference authority.


How it works

Phishing and social engineering attacks follow a structured sequence that security practitioners often map to the MITRE ATT&CK framework's Reconnaissance, Resource Development, and Initial Access tactics (MITRE ATT&CK Enterprise Matrix); the attachment, link, service and voice variants are catalogued under the Phishing technique, T1566.

  1. Reconnaissance — Attackers gather target information from public sources: LinkedIn profiles, company websites, Florida Department of State business records, and data brokers. The more targeted the attack, the more reconnaissance precedes it.
  2. Pretext construction — A believable scenario is built around the target's role, relationships, or current circumstances. A pretext may impersonate a vendor, a government agency such as the Florida Department of Revenue, a financial institution, or an internal executive.
  3. Delivery — The deceptive message is delivered via the chosen channel. Email remains primary; however, SMS-based phishing (smishing) and voice-call phishing (vishing) have grown as secondary vectors, particularly targeting Florida's older adult population.
  4. Manipulation — The communication creates urgency, fear, or authority pressure to compress decision time. Common triggers include account suspension warnings, wire transfer requests, IRS or law enforcement impersonation, and invoice fraud.
  5. Exploitation — The victim clicks a malicious link, submits credentials to a spoofed page, opens a malware-laden attachment, or initiates a fraudulent wire transfer.
  6. Persistence or exfiltration — Once access is obtained, attackers either establish persistence within the network or immediately exfiltrate data or funds.

The NIST Cybersecurity Framework (CSF) 2.0 maps mitigations against these phases across its six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
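As an added example (not code from this page, CISA, MITRE or any Florida agency), the Python below triages a raw email against the indicators the Delivery, Manipulation and Exploitation phases leave behind: a display name that borrows a trusted brand while the address lives elsewhere, a Reply-To header that silently redirects responses, urgency phrasing, and URL hosts that imitate a trusted domain through typosquatting or an embedded brand. The trusted-domain list, the urgency phrase list and both sample messages are constructed assumptions for illustration, not real Florida traffic.

```python
"""Triage a raw email against indicators from the Delivery, Manipulation and
Exploitation phases. Added example, not code from the page, CISA, MITRE or any
Florida agency; TRUSTED_DOMAINS, URGENCY_TERMS and both samples are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("examplebank.com", "myflorida.com")  # assumption
URGENCY_TERMS = ("suspended", "immediately", "within 24 hours",  # assumption
                 "verify your account", "wire")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as exarnplebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """'Name <user@host>' -> 'host' (lowercase); '' when no address is present."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def lookalike_of(host: str):
    """Trusted domain that host imitates; None if host is that domain (or a
    subdomain) or unrelated. Assumes single-label TLDs (no .co.uk handling)."""
    host = host.lower().strip(".")
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        labels = host.split(".")
        sld = labels[-2] if len(labels) >= 2 else host
        # brand embedded in a foreign domain (examplebank.com.secure-login.net,
        # examplebank-secure.com) or a near-miss spelling of the brand
        if brand in host or edit_distance(sld, brand) <= 2:
            return trusted
    return None

def triage(raw_message: str) -> dict:
    """Return {'score', 'verdict', 'indicators'} for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    # display name borrows a trusted brand while the address lives elsewhere
    name_key = display_name.lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        if (trusted.split(".")[0] in name_key and from_domain != trusted
                and not from_domain.endswith("." + trusted)):
            indicators.append(f"display name '{display_name}' claims {trusted} "
                              f"but address is at {from_domain}")
    imitated = lookalike_of(from_domain)
    if imitated:
        indicators.append(f"sender domain {from_domain} imitates {imitated}")
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To redirects responses to {reply_domain}")
    # subject plus every text/plain part, decoded with its declared charset
    text = msg.get("Subject", "") + "\n"
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            text += part.get_payload(decode=True).decode(charset, "replace")
    hits = [term for term in URGENCY_TERMS if term in text.lower()]
    if hits:
        indicators.append(f"urgency language: {hits}")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            indicators.append(f"lookalike URL host {host} imitates {imitated}")
    score = len(indicators)
    verdict = ("likely phishing" if score >= 3
               else "suspicious" if score else "no indicators")
    return {"score": score, "verdict": verdict, "indicators": indicators}

# constructed sample messages, not captured traffic
PHISH_SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank-secure.com>
Reply-To: verify@mail-examplebank.net
Subject: Action required: account suspended
Content-Type: text/plain; charset=utf-8

Your account has been suspended. Verify your account within 24 hours at
https://examplebank.com.secure-login.net/verify or the wire will be held.
"""
BENIGN_SAMPLE = """\
From: "Example Bank" <statements@examplebank.com>
Subject: Your monthly statement is available
Content-Type: text/plain; charset=utf-8

Your statement is ready at https://www.examplebank.com/statements
"""
```

`triage(PHISH_SAMPLE)` returns five indicators and the verdict "likely phishing"; `triage(BENIGN_SAMPLE)` returns none. The brand-substring and edit-distance checks are deliberately crude: a production gateway would resolve registrable domains with the public suffix list and weigh SPF/DKIM/DMARC results alongside these content heuristics.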


Common scenarios

Florida-specific threat intelligence and FBI Internet Crime Complaint Center (IC3 Internet Crime Report 2023) data identify the following as the most operationally significant phishing and social engineering scenarios affecting the state:

Business Email Compromise (BEC): BEC attacks impersonate executives or vendors to redirect payments. Florida ranked among the top 5 states for BEC losses in the IC3 2023 report, with Florida victims reporting over $87 million in BEC-related losses that year. Real estate wire fraud — a BEC variant in which closing funds are redirected — is significant enough to maintain a dedicated reference at Florida Real Estate Wire Fraud Cybersecurity.

Spear Phishing Against Government Entities: Florida's municipalities, school districts, and state agencies are targeted by spear phishing campaigns tailored to public-sector workflows. The attacks covered at Florida Government Cybersecurity and Florida K-12 Schools frequently begin with a phishing email that references a legitimate procurement or HR process.

Credential Harvesting Portals: Attackers clone legitimate login pages for Microsoft 365, Citrix, or state agency portals to capture employee credentials. Florida's shift to remote and hybrid work environments — documented further at Florida Remote Work Cybersecurity — expanded the attack surface for this vector.

Smishing Targeting Financial Accounts: SMS-based phishing campaigns impersonating Florida-chartered banks and credit unions alert recipients to fraudulent account activity, then direct them to spoofed login pages. The Florida Office of Financial Regulation (OFR) has issued public alerts regarding smishing campaigns targeting state financial institution customers.

Vendor Impersonation and Third-Party Risk: Attackers impersonate legitimate vendors in an organization's supply chain, exploiting trusted relationships to deliver malicious invoices or payloads. This intersection with third-party risk management is covered at Florida Vendor Third-Party Cybersecurity Risk.

Elder Fraud and Consumer Targeting: Florida's population includes a disproportionately large segment of adults aged 65 and older. The FBI IC3 designated elder fraud as a priority category; Floridians over 60 reported losses exceeding $290 million to internet fraud in 2023 (IC3 Elder Fraud Report 2023), with phishing as a primary delivery mechanism.


Decision boundaries

Understanding where phishing and social engineering threats transition into adjacent categories is operationally important for incident classification, regulatory reporting, and response scoping.

Phishing vs. Malware Delivery: When a phishing email contains or links to a malicious payload that executes on a target system, the incident crosses from social engineering into malware/ransomware territory. Incident reporting obligations under Fla. Stat. § 282.318 (for state agencies) and breach notification under FIPA (for private covered entities) are triggered by the resulting unauthorized access, not by receipt of the phishing attempt itself; FIPA's trigger is specifically unauthorized access to personal information, as described below.

Phishing vs. Data Breach Triggering Event: A phishing email that is received but not acted upon does not trigger breach notification obligations. A phishing attack that results in unauthorized access to personal information as defined under Fla. Stat. § 501.171 (including Social Security numbers, financial account data, or medical records) does trigger notification requirements: affected individuals must be notified within 30 days of the determination of the breach, and the Florida Department of Legal Affairs (the Attorney General's office) within the same period when 500 or more Floridians are affected.

Spear Phishing vs. Generic Phishing: Generic phishing sends identical messages at volume with no target customization; spear phishing uses individualized pretexts constructed from reconnaissance. Whaling is a spear phishing variant directed specifically at C-suite executives or senior officials. These distinctions affect threat intelligence classification and the sophistication of countermeasures required under frameworks like NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide).

Social Engineering vs. Physical Intrusion: Some social engineering campaigns include a physical component — tailgating, impersonation of service personnel, or in-person pretext — that falls outside purely digital security controls and may implicate physical security standards. These hybrid scenarios are outside the scope of this page.

Florida Law Enforcement Jurisdiction: Criminal phishing conduct is prosecutable under the Florida Computer Crimes Act, Fla. Stat. ch. 815 (offenses against users of computer systems are set out in § 815.06), and under federal wire fraud statutes. The state's law enforcement response capacity is detailed at Florida Law Enforcement Cyber Units. Civil remedies, regulatory enforcement actions, and agency-level response protocols are separate tracks from criminal prosecution.

