Socially enterprising threat actors are getting bored with the low success rates of mass phishing campaigns and turning toward more advanced tricks. If there is any guarantee about the future of cybersecurity, it’s the fact that cybercriminals always follow the money. Tactics, techniques and procedures (TTPs) will continue to evolve to achieve the greatest returns on attacks. Social engineering is still among the most common TTPs employed by cybercriminals, either alone or in conjunction with other hacking methods.
Social engineering is defined as psychological manipulation of a target to fool them into a certain behavior — most often, handing over credentials, relinquishing access to sensitive data or funds transfers. It’s impossible to separate the social engineering vector from its best-known component, phishing, but phishing attacks aren’t all chief information security officers (CISOs) need to be worried about. Cybersecurity trends reveal that highly targeted social engineering attacks are growing in proportion to other TTPs within this category. Here’s what you need to know to defend your organization — and yourself.
4 Social Engineering Threats to Prepare For
While phishing emails are still a threat that plagues businesses, they’re not all you need to worry about. According to a recent PhishLabs study, threat actors are increasingly targeting software-as-a-service (SaaS) and financial credentials in emails, and fewer phishing emails than ever contain malware. Your business is more likely than ever to be hit with a carefully planned advanced social threat that targets the most vulnerable inadvertent insiders within your organization — including new employees, C-level executives and other individuals who hold the keys to sensitive data or funds.
1. Business Email Compromise
According to the 2019 IBM “X-Force Threat Intelligence Index,” 29 percent of attacks analyzed by X-Force Incident Response and Intelligence Services (IRIS) involved phishing emails. Forty-five percent of these attacks involved business email compromise (BEC), or highly targeted scams that involve hacking an individual’s email account to conduct unauthorized funds transfers.
The Internet Crime Complaint Center (IC3) described BEC as the $12 million-dollar scam and noted that BEC does not discriminate by industry or organization size. Without strong password governance practices or behavioral analytics to detect unusual patterns, BEC can be both easy and highly rewarding for cybercriminals.
Direct attempts at extortion are on the rise. They’re also highly successful, according to a recent Digital Shadows study. Attackers take advantage of cheap, easy access to credentials compromised from other attacks to convince targets they’ve been breached. Sextortion is a common pattern, which involves well-coordinated campaigns to convince CEOs and other high-profile targets that attackers have embarrassing evidence. These attacks promise the release of the purported evidence if demands for payment aren’t met.
Looking at cybersecurity trends, attackers have also begun leveraging crowdfunding models to raise revenue for sensitive content instead of demanding ransoms directly from their victims. This can be a particularly profitable way to sell access to corporate intellectual property. Some of the most well-coordinated campaigns originate from what Digital Shadows calls “truly global operations, with servers scanning five continents.”
“In the three years that I’ve been at Digital Shadows, we’ve always seen these parallels [between the cybercriminal underground] and legitimate businesses,” said Digital Shadows CISO Rick Holland in an interview with MIS Training Institute. “It just keeps getting easier and easier for criminals.”
While pretexting comprises a small percentage of total social engineering attacks against organizations, it’s tripled from 60 attacks in 2017 to 170 attacks in 2018, according to Verizon’s “2018 Data Breach Investigations Report.” This highly targeted form of social engineering involves an extended dialogue between an insider and someone posing as a colleague or vendor. Under false pretenses, an outsider will communicate until they have built enough trust to obtain access to a secure internal system, sensitive data or secure money transfer. This emerging threat can result in the compromise of effective technical barriers.
4. Whaling and Catphish Scams
Last year, a wealthy Australian businessman lost $1 million due to a unique “catphish” scam that involved a combination of whaling and catfishing, or impersonation techniques. The individual’s assistant received an emailed request from a woman claiming to be the 87-year-old target’s girlfriend, Nancy Jones. Jones requested a $1 million money transfer, and the assistant complied.
The number of whaling attacks targeting major corporations is far lower than the millions of phishing emails sent out per quarter, but they hit significantly harder. It is estimated that emails aimed at executives and others who hold the keys to financial control have collected at least $1.8 billion from U.S.-based corporations alone, per the InfoSec Institute.
Responding to the Evolving Social Engineering Threat Vector
Although security awareness training remains a critical protection against the highest-volume forms of social engineering attacks, it’s time for organizations to look beyond basic user awareness. Some of today’s most profitable attacks involve criminal methodologies that aren’t visible to the bare eye. Inadvertent insiders are the weakest link in any organization, and it’s more important than ever to involve a comprehensive plan for cyber resilience, including simulation training and a strong resiliency plan.
Open-source intelligence freely shared on employee and business social media profiles can be used as fodder to craft an intelligent social attack. This means it’s time to double down on the basics, such as strong user governance and education, but also look to cyber resiliency solutions for the most advanced social threats.
Behavioral analytics are another critical safeguard against the potential damages associated with BEC or pretexting, as well as older forms of social engineering attacks such as phishing emails that target cloud credentials. As cybercriminals continue to evolve, investment in a strong security ecosystem that includes cognitive capabilities can enable security teams to detect the most sophisticated threats before they result in a money transfer or similar costly damages.