Don’t Be Fooled by These Social Engineering Threat Trends
Social engineering is the primary cause of cyberattacks today, so it is critical to keep your team informed of the latest social engineering threat trends. Cyber thieves are leveraging these trends to directly commit fraud, harvest credentials or install malware.
Despite the best efforts of your company’s workers, cybercriminals continue to steal, defraud and ransom companies for billions of dollars annually. As soon as new defenses are created and put into place, these criminals find ways to defeat them. It is a constant battle.
Decision makers have strengthened defenses around physical and cloud-based infrastructure, but it’s people who are the most reliable and easiest entry point to compromise.
Social Engineering Suppresses Our Instincts
Something isn’t right… That’s the feeling you get when something is too good to be true or something is suspicious. Social engineering attempts to bypass or short circuit this response by presenting you with something familiar, compelling or even frightening.
Gone are the days when you can tell an email is fake just by looking at it. Now social engineering threat trends include using familiar logos and designs that may seem identical to real emails you receive daily. A threat actor might even pretend to be an authority figure at your company, like a manager or CEO, to give their request more urgency.
Any topic that is of significant social interest can also suppress our better instincts. At the beginning of the COVID-19 pandemic, there was a massive desire for prevention and treatment information. Threat actors took advantage of that desire and created COVID-19-related content people could be lured to act on.
5 False Assumptions About Social Engineering Threat Trends
Most people aren’t sitting around at work looking for phishing attacks or cybercriminal activity. So, there are a lot of false assumptions people make about the nature of cyberattacks. The most common are that:
- Cybercriminals don’t spend time building a connection with the people they are targeting before executing an attack, like by having regular conversations.
- Real services from authoritative companies (e.g., Google, Microsoft), are always safe to use.
- Threats only come by email on a computer and never involve texts, phone calls or emails on mobile devices.
- Cybercriminals don’t have access to work or personal emails and therefore existing email conversation threads (replies or forwards) are safe.
- Threat actors won’t make use of timely, topical or socially relevant content to exploit emotions or pique interest.
Let’s take a deeper look at each of these false assumptions:
1. Cybercriminals Don’t Build Relationships
Many people think cyber threats as something passive — sent shotgun-approach to nab whoever gets hit. But many modern cybercriminals are more like stalkers. They take the time to get to know you, build a relationship and earn your trust before springing their trap.
These may not be face-to-face (or phone call) connections. Maybe it’s a string of emails, the first 10 of which are innocent and engaging then the 11th is something urgent! Being familiar with the sender and frightened into quick action, you take that action without thinking — something you wouldn’t have done without the first 10 emails.
One particularly effective technique is to lure someone in with an innocent question. This draws the reader in to engage. It’s called the lure and task business email compromise.
Image: Lure/Task BEC Email
These innocent questions are gateway emails. If the reader responds, they are presented with another threat technique, like gift card, invoice or payroll fraud. This is how people and companies lose thousands of dollars.
2. Google, Microsoft, Etc. Are Always Safe
They’re top technology companies and global brands, so people are more likely to interact with content that appears to come from Google, Microsoft or other well-known companies. That’s exactly why threat actors regularly abuse these services to distribute malware or create credential-harvesting portals.
According to Proofpoint, Google URLs were more commonly used in cyber attacks in 2021, but Microsoft links were more often clicked, with more than twice as many clicks on Microsoft URL based threats than on Google.
It’s no surprise that the most frequently abused services by top cyber criminals that year was Microsoft OneDrive, followed by Google Drive, Dropbox, Discord, Firebase and SendGrid.
3. Cybercrime Only Happens in Cyberspace
It seems intuitive that cyber threats are always, well, cyber: coming in as email, texts or other digital communications. But recent social engineering threat trends use attacks that are multi-pronged and involve a combination of digital and phone-based threats. In other words, it involves human interaction.
For example, you receive an email that does NOT contain any malicious attachments or links. Instead it prompts you to call a customer service number to resolve an issue. When you call the number, you engage with the threat actor and are often convinced to take actions that will lead to a breach. According to Proofpoint, there are more than 250,000 of these threats taking place every day.
These call center threats are called telephone-oriented attack delivery (TOAD) and there are two types. The first uses legitimate, free remote assistance software to steal money. The second uses malware that is disguised as a document to compromise a computer or load additional malware (such as the Bazar Call Scam).
Here’s a TOAD threat email pretending to be a PayPal invoice:
Image: TOAD lure spoofing PayPal.
Falling for a TOAD threat is costly. Proofpoint noted one case where the victim lost almost $50,000 to an attacker masquerading as a representative of Norton LifeLock.
4. Existing Email Threads Are Safe
Emails going back and forth between colleagues and vendors is as common as office gossip. These are called conversation threads and cybercriminals use these threads to catch people with their guards down. Attackers may add a malicious attachment or request an action that leads to a breach. It’s called thread hijacking, conversation hijacking or reply chain phishing attacks.
The hijacking is possible because cybercriminals have gained access to legitimate users’ inboxes through phishing, malware, dark web credential lists or techniques like password spraying. Threat actors can also hijack entire mailboxes or email servers and send replies automatically with botnets.
These can be very hard to spot making them a more and more popular form of attack.
5. Trendy and Topical Subjects Are Not Threats
The same topics that get people clicking in their newsfeed and on social media are used in cyber attacks. After all, the goal is to get people so engaged with the topic that they don’t think before taking an action. Few things are better at doing that than current events, trending news and popular culture.
In January 2021, Proofpoint researchers found BazaLoader campaigns leveraging Valentine’s Day themes.
Image: BazaLoader Valentine’s Day lure
These infection chains required a lot of human interaction, like visiting a website, making a call or downloading an attachment to get assistance with an erroneous purchase (as seen in the example image above). All of these actions put the user in direct contact with the threat actors.
Another pop culture example happened in October 2021 when a Squid Game theme was used to distribute the Dridex banking trojan. The cybercriminals impersonated an organization related to the Netflix global phenomenon to entice targets with early access offers for the new season or to become a part of the show. They persuaded users to click on malicious links or downloads.
Image: Squid Game lure.
Key Insights for 2023 Social Engineering Threat Trends
So what can you take away from the latest social engineering threat trends we’ve reviewed? Here are five key insights. Threat actors often:
- Leverage timely and socially relevant themes.
- Use legitimate and trusted companies’ services to deliver attacks.
- Create attacks that combine online communication with phone calls.
- Can access and use existing conversation threads.
- Build trust with their intended victims through extended conversations.
Cybercriminals are creative and willing to go the extra mile to gain access to your valuable information. Fortunately, finding the right cyber security partner in the area is easier than you think.
Book a meeting or contact us to discuss any cyber security issues you may have.
*The information and example images in this article were provided by Proofpoint, 2022.*