
Socially enterprising threat actors are getting bored with the low success rates of mass phishing campaigns and turning toward more advanced tricks. If there is any guarantee about the future of cybersecurity, it’s the fact that cybercriminals always follow the money. Tactics, techniques and procedures (TTPs) will continue to evolve to achieve the greatest returns on attacks. Social engineering is still among the most common TTPs employed by cybercriminals, either alone or in conjunction with other hacking methods.

Social engineering is defined as psychological manipulation of a target to fool them into a certain behavior — most often, handing over credentials, relinquishing access to sensitive data or funds transfers. It’s impossible to separate the social engineering vector from its best-known component, phishing, but phishing attacks aren’t all chief information security officers (CISOs) need to be worried about. Cybersecurity trends reveal that highly targeted social engineering attacks are growing in proportion to other TTPs within this category. Here’s what you need to know to defend your organization — and yourself.

4 Social Engineering Threats to Prepare For

While phishing emails are still a threat that plagues businesses, they’re not all you need to worry about. According to a recent PhishLabs study, threat actors are increasingly targeting software-as-a-service (SaaS) and financial credentials in emails, and fewer phishing emails than ever contain malware. Your business is more likely than ever to be hit with a carefully planned advanced social threat that targets the most vulnerable inadvertent insiders within your organization — including new employees, C-level executives and other individuals who hold the keys to sensitive data or funds.


1. Business Email Compromise

According to the 2019 IBM “X-Force Threat Intelligence Index,” 29 percent of attacks analyzed by X-Force Incident Response and Intelligence Services (IRIS) involved phishing emails. Forty-five percent of these attacks involved business email compromise (BEC), or highly targeted scams that involve hacking an individual’s email account to conduct unauthorized funds transfers.

The Internet Crime Complaint Center (IC3) described BEC as the $12 million scam and noted that BEC does not discriminate by industry or organization size. Without strong password governance practices or behavioral analytics to detect unusual patterns, BEC can be both easy and highly rewarding for cybercriminals.

2. Extortion

Direct attempts at extortion are on the rise. They’re also highly successful, according to a recent Digital Shadows study. Attackers take advantage of cheap, easy access to credentials compromised from other attacks to convince targets they’ve been breached. Sextortion is a common pattern, which involves well-coordinated campaigns to convince CEOs and other high-profile targets that attackers have embarrassing evidence. These attacks promise the release of the purported evidence if demands for payment aren’t met.

Looking at cybersecurity trends, attackers have also begun leveraging crowdfunding models to raise revenue for sensitive content instead of demanding ransoms directly from their victims. This can be a particularly profitable way to sell access to corporate intellectual property. Some of the most well-coordinated campaigns originate from what Digital Shadows calls “truly global operations, with servers scanning five continents.”

“In the three years that I’ve been at Digital Shadows, we’ve always seen these parallels [between the cybercriminal underground] and legitimate businesses,” said Digital Shadows CISO Rick Holland in an interview with MIS Training Institute. “It just keeps getting easier and easier for criminals.”

3. Pretexting

While pretexting comprises a small percentage of total social engineering attacks against organizations, it tripled from 60 attacks in 2017 to 170 attacks in 2018, according to Verizon’s “2018 Data Breach Investigations Report.” This highly targeted form of social engineering involves an extended dialogue between an insider and someone posing as a colleague or vendor. Under false pretenses, the outsider keeps communicating until they have built enough trust to obtain access to a secure internal system, sensitive data or an approved money transfer. Because the access is granted willingly by a trusted insider, this emerging threat can defeat otherwise effective technical barriers.

4. Whaling and Catphish Scams

Last year, a wealthy Australian businessman lost $1 million due to a unique “catphish” scam that involved a combination of whaling and catfishing, or impersonation techniques. The individual’s assistant received an emailed request from a woman claiming to be the 87-year-old target’s girlfriend, Nancy Jones. Jones requested a $1 million money transfer, and the assistant complied.

The number of whaling attacks targeting major corporations is far lower than the millions of phishing emails sent out per quarter, but they hit significantly harder. It is estimated that emails aimed at executives and others who hold the keys to financial control have collected at least $1.8 billion from U.S.-based corporations alone, per the InfoSec Institute.

Responding to the Evolving Social Engineering Threat Vector

Although security awareness training remains a critical protection against the highest-volume forms of social engineering attacks, it’s time for organizations to look beyond basic user awareness. Some of today’s most profitable attacks involve criminal methodologies that aren’t visible to the naked eye. Inadvertent insiders are the weakest link in any organization, and it’s more important than ever to adopt a comprehensive plan for cyber resilience, including simulation training and a well-rehearsed resiliency plan.

Open-source intelligence freely shared on employee and business social media profiles can be used as fodder to craft an intelligent social attack. This means it’s time to double down on the basics, such as strong user governance and education, but also look to cyber resiliency solutions for the most advanced social threats.

Behavioral analytics are another critical safeguard against the potential damages associated with BEC or pretexting, as well as older forms of social engineering attacks such as phishing emails that target cloud credentials. As cybercriminals continue to evolve, investment in a strong security ecosystem that includes cognitive capabilities can enable security teams to detect the most sophisticated threats before they result in a money transfer or similar costly damages.
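As an added illustration of the behavioral-analytics idea above (this is example code, not part of the original article or any IBM product), the following Python sketch baselines each user's mailbox login locations over constructed sample events and flags a funds-transfer request that arrives shortly after a login from a location the user has never used before. The events, thresholds and user names are all constructed assumptions.

```python
"""Toy behavioral-analytics check for the BEC pattern described above:
a mailbox login from a never-before-seen location, followed shortly by
an outbound funds-transfer request from the same account."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, user, kind, detail)
EVENTS = [
    ("2019-03-01T09:00:00", "cfo@example.com", "login", "US/New York"),
    ("2019-03-02T09:05:00", "cfo@example.com", "login", "US/New York"),
    ("2019-03-03T08:58:00", "cfo@example.com", "login", "US/New York"),
    ("2019-03-04T02:17:00", "cfo@example.com", "login", "NG/Lagos"),
    ("2019-03-04T02:31:00", "cfo@example.com", "payment_request",
     "wire $250,000 to new vendor"),
    ("2019-03-04T10:00:00", "cfo@example.com", "payment_request",
     "approve March payroll"),
]

BASELINE_LOGINS = 3          # assumed: logins observed before we trust a baseline
WINDOW = timedelta(hours=1)  # assumed: request must follow the novel login this closely


def detect_bec(events, baseline_logins=BASELINE_LOGINS, window=WINDOW):
    """Return alert strings for payment requests that closely follow a login
    from a location outside the user's established baseline."""
    seen = defaultdict(lambda: defaultdict(int))  # user -> location -> count
    last_novel_login = {}                          # user -> (timestamp, location)
    alerts = []
    for ts_str, user, kind, detail in sorted(events):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ts_str)
        if kind == "login":
            # Only judge novelty once enough history exists; a location with
            # zero prior logins is novel. (A repeat login from the novel
            # location is treated as known, a deliberate simplification.)
            if sum(seen[user].values()) >= baseline_logins and seen[user][detail] == 0:
                last_novel_login[user] = (ts, detail)
            seen[user][detail] += 1
        elif kind == "payment_request":
            novel = last_novel_login.get(user)
            if novel and ts - novel[0] <= window:
                minutes = int((ts - novel[0]).total_seconds() // 60)
                alerts.append(f"{user}: '{detail}' {minutes} min after "
                              f"first-seen login from {novel[1]}")
    return alerts


if __name__ == "__main__":
    for alert in detect_bec(EVENTS):
        print("ALERT", alert)
```

Only the wire request 14 minutes after the Lagos login is flagged; the payroll approval hours later falls outside the window and is not.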
