If you have cybersecurity concerns or are experiencing an incident, IBM X-Force IRIS is here to help. Contact us. US hotline 1-888-241-9812; Global hotline (+001) 312-212-8034

Socially enterprising threat actors are getting bored with the low success rates of mass phishing campaigns and turning toward more advanced tricks. If there is any guarantee about the future of cybersecurity, it’s the fact that cybercriminals always follow the money. Tactics, techniques and procedures (TTPs) will continue to evolve to achieve the greatest returns on attacks. Social engineering is still among the most common TTPs employed by cybercriminals, either alone or in conjunction with other hacking methods.

Social engineering is defined as psychological manipulation of a target to fool them into a certain behavior — most often, handing over credentials, relinquishing access to sensitive data or funds transfers. It’s impossible to separate the social engineering vector from its best-known component, phishing, but phishing attacks aren’t all chief information security officers (CISOs) need to be worried about. Cybersecurity trends reveal that highly targeted social engineering attacks are growing in proportion to other TTPs within this category. Here’s what you need to know to defend your organization — and yourself.

4 Social Engineering Threats to Prepare For

While phishing emails are still a threat that plagues businesses, they’re not all you need to worry about. According to a recent PhishLabs study, threat actors are increasingly targeting software-as-a-service (SaaS) and financial credentials in emails, and fewer phishing emails than ever contain malware. Your business is more likely than ever to be hit with a carefully planned advanced social threat that targets the most vulnerable inadvertent insiders within your organization — including new employees, C-level executives and other individuals who hold the keys to sensitive data or funds.

Learn more about insider threat detection

1. Business Email Compromise

According to the 2019 IBM “X-Force Threat Intelligence Index,” 29 percent of attacks analyzed by X-Force Incident Response and Intelligence Services (IRIS) involved phishing emails. Forty-five percent of these attacks involved business email compromise (BEC), or highly targeted scams that involve hacking an individual’s email account to conduct unauthorized funds transfers.

The Internet Crime Complaint Center (IC3) described BEC as the $12 million-dollar scam and noted that BEC does not discriminate by industry or organization size. Without strong password governance practices or behavioral analytics to detect unusual patterns, BEC can be both easy and highly rewarding for cybercriminals.

2. Extortion

Direct attempts at extortion are on the rise. They’re also highly successful, according to a recent Digital Shadows study. Attackers take advantage of cheap, easy access to credentials compromised from other attacks to convince targets they’ve been breached. Sextortion is a common pattern, which involves well-coordinated campaigns to convince CEOs and other high-profile targets that attackers have embarrassing evidence. These attacks promise the release of the purported evidence if demands for payment aren’t met.

Looking at cybersecurity trends, attackers have also begun leveraging crowdfunding models to raise revenue for sensitive content instead of demanding ransoms directly from their victims. This can be a particularly profitable way to sell access to corporate intellectual property. Some of the most well-coordinated campaigns originate from what Digital Shadows calls “truly global operations, with servers scanning five continents.”

“In the three years that I’ve been at Digital Shadows, we’ve always seen these parallels [between the cybercriminal underground] and legitimate businesses,” said Digital Shadows CISO Rick Holland in an interview with MIS Training Institute. “It just keeps getting easier and easier for criminals.”

3. Pretexting

While pretexting comprises a small percentage of total social engineering attacks against organizations, it’s tripled from 60 attacks in 2017 to 170 attacks in 2018, according to Verizon’s “2018 Data Breach Investigations Report.” This highly targeted form of social engineering involves an extended dialogue between an insider and someone posing as a colleague or vendor. Under false pretenses, an outsider will communicate until they have built enough trust to obtain access to a secure internal system, sensitive data or secure money transfer. This emerging threat can result in the compromise of effective technical barriers.

4. Whaling and Catphish Scams

Last year, a wealthy Australian businessman lost $1 million due to a unique “catphish” scam that involved a combination of whaling and catfishing, or impersonation techniques. The individual’s assistant received an emailed request from a woman claiming to be the 87-year-old target’s girlfriend, Nancy Jones. Jones requested a $1 million money transfer, and the assistant complied.

The number of whaling attacks targeting major corporations is far lower than the millions of phishing emails sent out per quarter, but they hit significantly harder. It is estimated that emails aimed at executives and others who hold the keys to financial control have collected at least $1.8 billion from U.S.-based corporations alone, per the InfoSec Institute.

Responding to the Evolving Social Engineering Threat Vector

Although security awareness training remains a critical protection against the highest-volume forms of social engineering attacks, it’s time for organizations to look beyond basic user awareness. Some of today’s most profitable attacks involve criminal methodologies that aren’t visible to the bare eye. Inadvertent insiders are the weakest link in any organization, and it’s more important than ever to involve a comprehensive plan for cyber resilience, including simulation training and a strong resiliency plan.

Open-source intelligence freely shared on employee and business social media profiles can be used as fodder to craft an intelligent social attack. This means it’s time to double down on the basics, such as strong user governance and education, but also look to cyber resiliency solutions for the most advanced social threats.

Behavioral analytics are another critical safeguard against the potential damages associated with BEC or pretexting, as well as older forms of social engineering attacks such as phishing emails that target cloud credentials. As cybercriminals continue to evolve, investment in a strong security ecosystem that includes cognitive capabilities can enable security teams to detect the most sophisticated threats before they result in a money transfer or similar costly damages.

Reduce the risk of cyber attack with privileged access management (PAM)

More from Risk Management

How to Spot a Nefarious Cryptocurrency Platform

Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response. Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats. Signature-Based Antivirus Software Signature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique…

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

How the Silk Road Affair Changed Law Enforcement

The Silk Road was the first modern dark web marketplace, an online place for anonymously buying and selling illegal products and services using Bitcoin. Ross Ulbricht created The Silk Road in 2011 and operated it until 2013 when the FBI shut it down. Its creator was eventually arrested and sentenced to life in prison. But in a plot twist right out of a spy novel, a cyber attacker stole thousands of bitcoins from Silk Road and hid them away. It…