Don’t Be Fooled by These Social Engineering Threat Trends


Social engineering is the primary cause of cyberattacks today, so it is critical to keep your team informed of the latest social engineering threat trends. Cyber thieves are leveraging these trends to commit fraud directly, harvest credentials or install malware.

Despite the best efforts of your company’s workers, cybercriminals continue to steal, defraud and ransom companies for billions of dollars annually. As soon as new defenses are created and put into place, these criminals find ways to defeat them. It is a constant battle.

Decision makers have strengthened defenses around physical and cloud-based infrastructure, but people remain the easiest and most reliable entry point to compromise.

Social Engineering Suppresses Our Instincts

Something isn’t right… That’s the feeling you get when something is too good to be true or something is suspicious. Social engineering attempts to bypass or short circuit this response by presenting you with something familiar, compelling or even frightening.

Gone are the days when you can tell an email is fake just by looking at it. Now social engineering threat trends include using familiar logos and designs that may seem identical to real emails you receive daily. A threat actor might even pretend to be an authority figure at your company, like a manager or CEO, to give their request more urgency.

Any topic that is of significant social interest can also suppress our better instincts. At the beginning of the COVID-19 pandemic, there was a massive desire for prevention and treatment information. Threat actors took advantage of that desire and created COVID-19-related content people could be lured to act on.

5 False Assumptions About Social Engineering Threat Trends

Most people aren’t sitting around at work looking for phishing attacks or cybercriminal activity. So, there are a lot of false assumptions people make about the nature of cyberattacks. The most common are that:

  1. Cybercriminals don’t spend time building a connection with the people they are targeting before executing an attack, like by having regular conversations.
  2. Real services from authoritative companies (e.g., Google, Microsoft) are always safe to use.
  3. Threats only come by email on a computer and never involve texts, phone calls or emails on mobile devices.
  4. Cybercriminals don’t have access to work or personal emails and therefore existing email conversation threads (replies or forwards) are safe.
  5. Threat actors won’t make use of timely, topical or socially relevant content to exploit emotions or pique interest.

Let’s take a deeper look at each of these false assumptions:

1. Cybercriminals Don’t Build Relationships

Many people think of cyber threats as something passive — sent shotgun-style to nab whoever gets hit. But many modern cybercriminals are more like stalkers. They take the time to get to know you, build a relationship and earn your trust before springing their trap.

These may not be face-to-face (or phone call) connections. Maybe it’s a string of emails, the first 10 of which are innocent and engaging; then the 11th is something urgent! Being familiar with the sender and frightened into quick action, you take that action without thinking — something you wouldn’t have done without the first 10 emails.

One particularly effective technique is to lure someone in with an innocent question that draws the reader into engaging. It’s called lure and task business email compromise (BEC).

Image: Lure/Task BEC Email

These innocent questions are gateway emails. If the reader responds, they are presented with another threat technique, like gift card, invoice or payroll fraud. This is how people and companies lose thousands of dollars.

2. Google, Microsoft, Etc. Are Always Safe

They’re top technology companies and global brands, so people are more likely to interact with content that appears to come from Google, Microsoft or other well-known companies. That’s exactly why threat actors regularly abuse these services to distribute malware or create credential-harvesting portals.

According to Proofpoint, Google URLs were used more often in cyberattacks in 2021, but Microsoft links were clicked more often, with more than twice as many clicks on Microsoft-URL-based threats as on Google ones.

It’s no surprise that the service most frequently abused by top cybercriminals that year was Microsoft OneDrive, followed by Google Drive, Dropbox, Discord, Firebase and SendGrid.

3. Cybercrime Only Happens in Cyberspace

It seems intuitive that cyber threats are always, well, cyber: arriving as email, texts or other digital communications. But recent social engineering threat trends use multi-pronged attacks that combine digital and phone-based threats. In other words, they involve live human interaction.

For example, you receive an email that does NOT contain any malicious attachments or links. Instead it prompts you to call a customer service number to resolve an issue. When you call the number, you engage with the threat actor and are often convinced to take actions that will lead to a breach. According to Proofpoint, there are more than 250,000 of these threats taking place every day.

These call center threats are called telephone-oriented attack delivery (TOAD) and there are two types. The first uses legitimate, free remote assistance software to steal money. The second uses malware that is disguised as a document to compromise a computer or load additional malware (such as the Bazar Call Scam).

Here’s a TOAD threat email pretending to be a PayPal invoice:

Image: TOAD lure spoofing PayPal.

Falling for a TOAD threat is costly. Proofpoint noted one case where the victim lost almost $50,000 to an attacker masquerading as a representative of Norton LifeLock.
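A defender-side illustration of the two patterns just described: links hosted on trusted services (false assumption 2) and link-free "call this number" lures (false assumption 3). The script below is an added example, not part of the original article or of Proofpoint's material; the service hostnames, the keyword list, the phone-number pattern and the sample messages are constructed assumptions for this example, and a hit is a reason for a human to look closer, not a verdict.

```python
"""Triage heuristics for two lure types: links hosted on trusted cloud/file-sharing
services, and link-free 'call this number' (TOAD) lures.
All sample messages below are constructed for this example."""
import re
from email import message_from_string
from email.message import Message

# Services the article lists as frequently abused in 2021. The hostnames are an
# assumption of this example; matching one means "review", not "malicious".
ABUSED_SERVICE_DOMAINS = {
    "1drv.ms": "Microsoft OneDrive",
    "onedrive.live.com": "Microsoft OneDrive",
    "drive.google.com": "Google Drive",
    "dropbox.com": "Dropbox",
    "discordapp.com": "Discord",
    "web.app": "Firebase",
    "firebaseapp.com": "Firebase",
    "sendgrid.net": "SendGrid",
}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
# North American phone formats such as 1-800-555-0199 or (800) 555-0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Vocabulary typical of fake-invoice lures (assumed list); two or more hits required.
TOAD_KEYWORDS = ("invoice", "charged", "subscription", "renewal", "refund", "call")


def _body_text(msg: Message) -> str:
    """Concatenate all text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def _has_attachment(msg: Message) -> bool:
    return any(part.get_filename() for part in msg.walk())


def hosting_service(url: str):
    """Name of the trusted service hosting the URL, or None."""
    host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
    host = host.split("@")[-1].split(":")[0].lower()   # drop userinfo and port
    for domain, service in ABUSED_SERVICE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def triage(raw_message: str) -> dict:
    """Return the subject and a list of review reasons for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    body = _body_text(msg)
    urls = URL_RE.findall(body)
    findings = []
    for url in urls:
        service = hosting_service(url)
        if service:
            findings.append(f"link hosted on trusted service ({service}): {url}")
    phones = [p.strip() for p in PHONE_RE.findall(body)]
    keyword_hits = [k for k in TOAD_KEYWORDS if k in body.lower()]
    # TOAD pattern: nothing for a scanner to inspect (no links, no attachments),
    # but a phone number and billing language that push the reader to call.
    if not urls and not _has_attachment(msg) and phones and len(keyword_hits) >= 2:
        findings.append(f"possible TOAD lure: no links or attachments, phone {phones[0]}, "
                        f"keywords {keyword_hits}")
    return {"subject": msg.get("Subject", ""), "findings": findings}


# Constructed samples: a phone lure, a trusted-service link, and a harmless question.
SAMPLE_TOAD = """\
From: Billing <billing@invoice-notice.example>
To: finance@corp.example
Subject: Invoice INV-20419 processed

Your account has been charged $499.99 for the annual renewal of your subscription.
If you did not authorize this charge, call our billing desk at 1-800-555-0199
within 24 hours to request a refund.
"""

SAMPLE_SHARE = """\
From: Accounts <accounts@partner.example>
To: alice@corp.example
Subject: Updated contract for review

Please review the revised agreement here: https://1drv.ms/u/s!constructed-example
"""

SAMPLE_BENIGN = """\
From: Bob Smith <bob@vendor.example>
To: alice@corp.example
Subject: Quick question

Hi Alice, are you the right person to ask about purchase orders?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_TOAD, SAMPLE_SHARE, SAMPLE_BENIGN):
        result = triage(sample)
        print(result["subject"], "->", result["findings"] or "no findings")
```

The trusted-service check deliberately matches subdomains too (for example a CDN host under a listed domain), because a legitimate hosting provider is exactly what the lure relies on; the TOAD check fires only when the message has nothing else to scan, which is the property that lets these lures slip past attachment and URL filters.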

4. Existing Email Threads Are Safe

Emails going back and forth between colleagues and vendors are as common as office gossip. These conversation threads are what cybercriminals use to catch people with their guard down. Attackers may add a malicious attachment or request an action that leads to a breach. It’s called thread hijacking, conversation hijacking or reply chain phishing.

The hijacking is possible because cybercriminals have gained access to legitimate users’ inboxes through phishing, malware, dark web credential lists or techniques like password spraying. Threat actors can also hijack entire mailboxes or email servers and send replies automatically with botnets.

These can be very hard to spot, making them a more and more popular form of attack.
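Because a hijacked reply usually comes from a real participant's mailbox, checking the sender alone is not enough. The following Python is an added example (not from the article or Proofpoint) of the secondary signals a mail-review tool can look at: a Reply-To that points somewhere other than the sender, a thread revived after a long silence, and the first attachment or link in a thread that never had one. The thread history, the incoming reply and the 30-day staleness threshold are constructed assumptions.

```python
"""Review heuristics for a reply arriving in an existing conversation thread
(thread hijacking / reply chain phishing). Thread history and the incoming reply
are constructed sample data for this example."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from email.utils import parseaddr
from typing import List, Optional

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


@dataclass
class MailRecord:
    """The fields of a message that the heuristics need."""
    message_id: str
    sender: str                     # From header
    date: datetime
    body: str
    reply_to: Optional[str] = None  # Reply-To header, if present
    attachments: List[str] = field(default_factory=list)  # attachment file names


def review_reply(thread: List[MailRecord], reply: MailRecord,
                 stale_after: timedelta = timedelta(days=30)) -> List[str]:
    """Return reasons the reply deserves a second look before anyone acts on it."""
    findings = []
    participants = {parseaddr(m.sender)[1].lower() for m in thread}
    sender_addr = parseaddr(reply.sender)[1].lower()
    if sender_addr not in participants:
        findings.append(f"sender {sender_addr} was not part of the thread")

    # A Reply-To that differs from the sender routes the victim's answers away
    # from the legitimate mailbox whose thread is being reused.
    if reply.reply_to:
        reply_to_addr = parseaddr(reply.reply_to)[1].lower()
        if reply_to_addr != sender_addr:
            findings.append(f"Reply-To {reply_to_addr} differs from sender {sender_addr}")

    # A long-dormant thread that suddenly resumes is worth a closer look.
    last_seen = max(m.date for m in thread)
    gap = reply.date - last_seen
    if gap > stale_after:
        findings.append(f"thread revived after {gap.days} days of silence")

    # New kinds of content: an attachment or a link where the thread had none.
    if reply.attachments and not any(m.attachments for m in thread):
        findings.append(f"first attachment in this thread: {', '.join(reply.attachments)}")
    if URL_RE.search(reply.body) and not any(URL_RE.search(m.body) for m in thread):
        findings.append("first link in this thread")
    return findings


# Constructed sample: an ordinary two-message exchange in March ...
THREAD = [
    MailRecord("<a1@corp.example>", "Alice Lee <alice@corp.example>",
               datetime(2022, 3, 1, 9, 0),
               "Hi Bob, can you confirm the delivery date for order 4471?"),
    MailRecord("<b1@vendor.example>", "Bob Smith <bob@vendor.example>",
               datetime(2022, 3, 1, 11, 30),
               "Hi Alice, it ships on the 8th. Thanks, Bob"),
]

# ... followed weeks later by a reply from Bob's real address that adds an
# attachment and redirects answers to a different mailbox.
SUSPECT_REPLY = MailRecord(
    "<b2@vendor.example>", "Bob Smith <bob@vendor.example>",
    datetime(2022, 4, 19, 16, 45),
    "Hi Alice, please see the updated invoice attached and confirm today.",
    reply_to="Bob Smith <bob.smith@vendor-billing.example>",
    attachments=["Invoice_update.zip"],
)

# A normal same-day follow-up from Alice, for comparison.
NORMAL_REPLY = MailRecord(
    "<a2@corp.example>", "Alice Lee <alice@corp.example>",
    datetime(2022, 3, 1, 12, 0),
    "Great, thanks Bob.",
)

if __name__ == "__main__":
    for reason in review_reply(THREAD, SUSPECT_REPLY):
        print("-", reason)
```

Note that the suspect reply passes the participant check, exactly as the article warns; it is the combination of redirected replies, a revived thread and a brand-new attachment that makes it stand out.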

5. Trendy and Topical Subjects Are Not Threats

The same topics that get people clicking in their newsfeed and on social media are used in cyber attacks. After all, the goal is to get people so engaged with the topic that they don’t think before taking an action. Few things are better at doing that than current events, trending news and popular culture.

In January 2021, Proofpoint researchers found BazaLoader campaigns leveraging Valentine’s Day themes.

Image: BazaLoader Valentine’s Day lure

These infection chains required a lot of human interaction, like visiting a website, making a call or downloading an attachment to get assistance with an erroneous purchase (as seen in the example image above). All of these actions put the user in direct contact with the threat actors.

Another pop culture example happened in October 2021 when a Squid Game theme was used to distribute the Dridex banking trojan. The cybercriminals impersonated an organization related to the Netflix global phenomenon to entice targets with early access offers for the new season or to become a part of the show. They persuaded users to click on malicious links or downloads.

Image: Squid Game lure.

Key Insights for 2023 Social Engineering Threat Trends

So what can you take away from the latest social engineering threat trends we’ve reviewed? Here are five key insights. Threat actors often:

  • Leverage timely and socially relevant themes.
  • Use legitimate and trusted companies’ services to deliver attacks.
  • Create attacks that combine online communication with phone calls.
  • Can access and use existing conversation threads.
  • Build trust with their intended victims through extended conversations.

Next Steps

Cybercriminals are creative and willing to go the extra mile to gain access to your valuable information. Fortunately, finding the right cyber security partner is easier than you think.

Book a meeting or contact us to discuss any cyber security issues you may have.

*The information and example images in this article were provided by Proofpoint, 2022.*

Dave Hatter

Dave Hatter (CISSP, CCSP, CCSLP, Security+, Network+) is a cyber security consultant, writer, educator and on-air media contributor. See hundreds of Dave’s expert interviews on cyber security on his YouTube channel, or tune in to 55KRC every Friday morning at 6:30 for his “Tech Friday” segment.
