True or False? Stay Ahead of Disturbing Social Engineering Threat Trends
Social engineering is the primary cause of cyberattacks today, and its tactics change quickly. So, it is critical to keep your team informed of the latest social engineering threat trends to prevent falling victim to fraud, credential harvesting, malware and/or other cyber security risks.
Cybercriminals continue to steal from, defraud and ransom companies for billions of dollars annually. As soon as new defenses are created and put in place, these criminals find ways to defeat them. It is a constant battle.
It is important to strengthen defenses around your network infrastructure, but don’t forget to also educate your team. People are the most reliable and easiest entry point into your system and the starting point of most attacks.
How Social Engineering Overrides Our Instincts
“Something isn’t right!” It’s that feeling you get when something is too good to be true or something is suspicious. Social engineering seeks to override or short circuit those instincts and get you to take an action that provides criminals with access — often with a compelling or even frightening message.
In the past, it was easy to identify a fake email just by its appearance, but those days are long gone. Social engineering threats have evolved, with current trends involving the use of recognizable logos and designs that closely mimic legitimate emails you receive regularly. To make their request more urgent, a threat actor may also impersonate a high-ranking figure within your organization, such as a manager or CEO.
When a topic generates significant social interest, it can also hinder our ability to act rationally and ethically. At the onset of the COVID-19 pandemic, there was a widespread hunger for knowledge related to preventing and treating the virus. Threat actors tapped into that hunger by creating COVID-19-related content. It was appealing to everyone because of the universal relevance of the subject matter.
5 False Assumptions About Social Engineering Threat Trends
Most people don’t spend their time looking out for cyber attacks or malicious online activities, so they make false assumptions about the nature of these attacks. The most common are that:
- Cybercriminals won’t spend the time to build a connection with the people they are targeting before executing an attack, such as by having regular conversations. They do.
- Services provided by trusted companies like Google or Microsoft are always secure and reliable. Wrong! Cybercriminals are devious and have learned how to use those giants to fool unsuspecting people.
- Cyber threats only come in the form of suspicious emails on computers and do not extend to mobile devices or other forms of communication such as text messages or phone calls. Again, wrong.
- Cybercriminals cannot access work or personal email accounts, and therefore existing email conversation threads, including replies and forwards, are secure. This is also untrue, unfortunately.
- Threat actors don’t use current events or social issues in the content of their attacks. In fact, they do often use timely, socially relevant or emotionally charged content to manipulate victims and provoke curiosity.
Let’s take a deeper look at each of these false assumptions:
Cybercriminals Don’t Build Relationships
Many people think cyber threats are passive and indiscriminate attacks that target anyone who happens to be vulnerable. But many modern cybercriminals take a more personal and strategic approach. They take the time to get to know their prey, build a relationship and earn trust before springing their trap.
These connections may not always be made face-to-face or through a phone call. Maybe it’s a string of emails, the first several of which are harmless and engaging to build a relationship. Then when your guard is down, the next email is the attack, prompting you to take quick action out of fear or panic. An urgent message from a familiar source tricks you into taking action without thinking — something you wouldn’t have done without the first set of emails.
One particularly effective tactic used by cybercriminals is to ask an innocent question to lure you in and get you to engage in conversation. This strategy is known as the Lure and Task Business Email Compromise.
Image: Lure/Task BEC Email
These are often innocent questions in a friendly, familiar tone, making it seem like you know the person. If you respond, you are presented with another threat technique, such as an invoice, gift card or a payroll fraud. That’s how companies and people lose thousands of dollars.
Companies Like Google and Microsoft Are Always Safe
Many people use products from top technology companies like Google and Microsoft. So if you get an email with a link to Google Drive or Dropbox, you are more likely to interact. That’s exactly why threat actors regularly use well-known services to distribute malware or create credential-harvesting portals.
Proofpoint reported that Google URLs were more commonly used in cyber attacks in 2021, but Microsoft links were more often clicked, with more than twice as many clicks on Microsoft URL-based threats than on Google.
The service most frequently abused by top cybercriminals that year was Microsoft OneDrive, followed by Google Drive, Dropbox, Discord, Firebase and SendGrid.
Cybercrime Happens in Cyberspace
It may seem obvious that cyber threats only happen in cyberspace. But recent social engineering threat trends involve attacks that are multi-faceted, combining digital and phone-based threats. This means they involve human interaction.
For example, you receive an email that does NOT contain any malicious attachments or links but it does prompt you to call a customer service number to resolve an issue. The number is answered by a threat actor who will try to lure you into taking an action that will lead to a breach. Proofpoint reports that there are more than 250,000 of these threats taking place every day.
There are two types of these call center threats, known as telephone-oriented attack delivery (TOAD). The first steals money using legitimate, free remote assistance software. The second installs malware disguised as a document to compromise a computer or load additional malware (such as the Bazar Call Scam).
Here’s a TOAD threat email pretending to be a PayPal invoice:
Image: TOAD lure spoofing PayPal.
Falling for a TOAD threat can be costly. Proofpoint noted one case where the victim was scammed out of nearly $50,000 by a cybercriminal posing as a representative from Norton LifeLock.
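The TOAD pattern described above (no links or attachments, but a billing-themed prompt to call a number) can be expressed as a mail-filter heuristic. This is an added example, not from the original article or from Proofpoint; the regular expressions, keyword list and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Assumption: North American number formats, e.g. +1 (555) 010-0142.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# A call verb followed, on the same line, by up to 80 characters of context.
CALL_RE = re.compile(r"\b(?:call|dial|phone)\b[^\n]{0,80}", re.I)
BILLING_RE = re.compile(r"\b(?:invoice|charged|renewal|refund|purchase|payment)\b", re.I)

def toad_indicators(raw: str) -> dict:
    """Return the individual signals for one RFC 5322 message."""
    msg = message_from_string(raw)
    texts, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments += 1
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            texts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    text = msg.get("Subject", "") + "\n" + "\n".join(texts)
    return {
        "no_links": URL_RE.search(text) is None,
        "no_attachments": attachments == 0,
        "phone_number": PHONE_RE.search(text) is not None,
        # The number must follow a call verb on the same line.
        "call_prompt": any(PHONE_RE.search(m.group(0)) for m in CALL_RE.finditer(text)),
        "billing_theme": BILLING_RE.search(text) is not None,
    }

def is_toad_lure(raw: str) -> bool:
    """Flag a message only when every indicator is present."""
    return all(toad_indicators(raw).values())

# Constructed samples (not real messages).
TOAD_SAMPLE = (
    "From: Billing <billing@example.com>\nSubject: Invoice INV-48213\n\n"
    "Your card was charged $349.99 for a 1-year renewal.\n"
    "If you did not authorize this, call +1 (555) 010-0142 within 24 hours.\n"
)
LINK_SAMPLE = (
    "From: News <news@example.org>\nSubject: Payment options update\n\n"
    "Read more at https://example.org/billing\nQuestions? Call 555-010-0100.\n"
)

if __name__ == "__main__":
    print(toad_indicators(TOAD_SAMPLE), is_toad_lure(TOAD_SAMPLE))
    print(toad_indicators(LINK_SAMPLE), is_toad_lure(LINK_SAMPLE))
```

A hit is a reason to route the message for review or add a warning banner, not proof of fraud: legitimate invoices can match, and lures that place the number in an image will not.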
Existing Email Threads Are Safe
Think of how many times a day you reply to an email or forward one to a colleague. Those replies and forwards are conversation threads, and cybercriminals use them to catch people with their guard down. It’s called conversation hijacking, thread hijacking or reply chain phishing. Attackers add a message to your existing thread that carries a malicious attachment or requests an action that leads to a breach.
This hijacking is possible because threat actors have gained access to someone’s email inbox (either yours or a contact’s) through phishing, malware, dark web credential lists or techniques like password spraying. Cybercriminals can also hijack entire mailboxes or email servers and send replies automatically with botnets.
Thread hijacking can be very hard to spot, making this attack tactic more and more popular.
Trendy and Topical Topics Are Not Threats
The term clickbait gets overused, but in this case it is spot on. Those same topics that get you clicking in your newsfeed or social media are used in cyber attacks. The goal is to get you so engaged with the topic that you don’t think before taking an action. Current events, trending news and popular culture do that extremely well.
In January 2021, Proofpoint researchers found BazaLoader campaigns leveraging Valentine’s Day themes.
Image: BazaLoader Valentine’s Day lure
These chains prompt you to visit a website, make a call or download an attachment to get assistance with an incorrect purchase (as seen in the example image above) — actions that put you in direct contact with the cybercriminals.
In October 2021, cybercriminals impersonated an organization related to the Netflix show Squid Game to tempt targets with early access offers for the new season or a chance to become a part of the show. They convinced users to click on malicious links or downloads that were used to distribute the Dridex banking trojan.
Image: Squid Game lure.
Key Takeaways for 2023 Social Engineering Threat Trends
So what can you learn from the latest social engineering threat trends we’ve discussed? Here are five important takeaways:
- Threat actors often spend time building trust with their intended victims through extended conversations.
- Attackers may use legitimate and trusted companies’ services to deliver their attacks.
- Socially relevant and timely themes are often leveraged by cybercriminals to carry out attacks.
- Attacks may involve a combination of online communication and phone calls.
- Cybercriminals can access and exploit existing conversation threads for their attacks.
Next Steps
Creativity is the strength of cybercriminals, and as time goes on they become more and more willing to go the extra mile to gain access to your valuable information. Fortunately, finding the right cyber security partner in the area is easier than you think.
Book a meeting or contact us to discuss any cyber security issues you may have.
*The information and example images in this article were provided by Proofpoint, 2022.*