June 21, 2019 By Jasmine Henry 4 min read

If you have cybersecurity concerns or are experiencing an incident, IBM X-Force IRIS is here to help. Contact us. US hotline 1-888-241-9812; Global hotline (+001) 312-212-8034

Socially enterprising threat actors are getting bored with the low success rates of mass phishing campaigns and turning toward more advanced tricks. If there is any guarantee about the future of cybersecurity, it’s the fact that cybercriminals always follow the money. Tactics, techniques and procedures (TTPs) will continue to evolve to achieve the greatest returns on attacks. Social engineering is still among the most common TTPs employed by cybercriminals, either alone or in conjunction with other hacking methods.

Social engineering is defined as psychological manipulation of a target to fool them into a certain behavior — most often, handing over credentials, relinquishing access to sensitive data or funds transfers. It’s impossible to separate the social engineering vector from its best-known component, phishing, but phishing attacks aren’t all chief information security officers (CISOs) need to be worried about. Cybersecurity trends reveal that highly targeted social engineering attacks are growing in proportion to other TTPs within this category. Here’s what you need to know to defend your organization — and yourself.

4 Social Engineering Threats to Prepare For

While phishing emails are still a threat that plagues businesses, they’re not all you need to worry about. According to a recent PhishLabs study, threat actors are increasingly targeting software-as-a-service (SaaS) and financial credentials in emails, and fewer phishing emails than ever contain malware. Your business is more likely than ever to be hit with a carefully planned advanced social threat that targets the most vulnerable inadvertent insiders within your organization — including new employees, C-level executives and other individuals who hold the keys to sensitive data or funds.

Learn more about insider threat detection

1. Business Email Compromise

According to the 2019 IBM “X-Force Threat Intelligence Index,” 29 percent of attacks analyzed by X-Force Incident Response and Intelligence Services (IRIS) involved phishing emails. Forty-five percent of these attacks involved business email compromise (BEC), or highly targeted scams that involve hacking an individual’s email account to conduct unauthorized funds transfers.

The Internet Crime Complaint Center (IC3) described BEC as the $12 million-dollar scam and noted that BEC does not discriminate by industry or organization size. Without strong password governance practices or behavioral analytics to detect unusual patterns, BEC can be both easy and highly rewarding for cybercriminals.

2. Extortion

Direct attempts at extortion are on the rise. They’re also highly successful, according to a recent Digital Shadows study. Attackers take advantage of cheap, easy access to credentials compromised from other attacks to convince targets they’ve been breached. Sextortion is a common pattern, which involves well-coordinated campaigns to convince CEOs and other high-profile targets that attackers have embarrassing evidence. These attacks promise the release of the purported evidence if demands for payment aren’t met.

Looking at cybersecurity trends, attackers have also begun leveraging crowdfunding models to raise revenue for sensitive content instead of demanding ransoms directly from their victims. This can be a particularly profitable way to sell access to corporate intellectual property. Some of the most well-coordinated campaigns originate from what Digital Shadows calls “truly global operations, with servers scanning five continents.”

“In the three years that I’ve been at Digital Shadows, we’ve always seen these parallels [between the cybercriminal underground] and legitimate businesses,” said Digital Shadows CISO Rick Holland in an interview with MIS Training Institute. “It just keeps getting easier and easier for criminals.”

3. Pretexting

While pretexting comprises a small percentage of total social engineering attacks against organizations, it’s tripled from 60 attacks in 2017 to 170 attacks in 2018, according to Verizon’s “2018 Data Breach Investigations Report.” This highly targeted form of social engineering involves an extended dialogue between an insider and someone posing as a colleague or vendor. Under false pretenses, an outsider will communicate until they have built enough trust to obtain access to a secure internal system, sensitive data or secure money transfer. This emerging threat can result in the compromise of effective technical barriers.

4. Whaling and Catphish Scams

Last year, a wealthy Australian businessman lost $1 million due to a unique “catphish” scam that involved a combination of whaling and catfishing, or impersonation techniques. The individual’s assistant received an emailed request from a woman claiming to be the 87-year-old target’s girlfriend, Nancy Jones. Jones requested a $1 million money transfer, and the assistant complied.

The number of whaling attacks targeting major corporations is far lower than the millions of phishing emails sent out per quarter, but they hit significantly harder. It is estimated that emails aimed at executives and others who hold the keys to financial control have collected at least $1.8 billion from U.S.-based corporations alone, per the InfoSec Institute.

Responding to the Evolving Social Engineering Threat Vector

Although security awareness training remains a critical protection against the highest-volume forms of social engineering attacks, it’s time for organizations to look beyond basic user awareness. Some of today’s most profitable attacks involve criminal methodologies that aren’t visible to the bare eye. Inadvertent insiders are the weakest link in any organization, and it’s more important than ever to involve a comprehensive plan for cyber resilience, including simulation training and a strong resiliency plan.

Open-source intelligence freely shared on employee and business social media profiles can be used as fodder to craft an intelligent social attack. This means it’s time to double down on the basics, such as strong user governance and education, but also look to cyber resiliency solutions for the most advanced social threats.

Behavioral analytics are another critical safeguard against the potential damages associated with BEC or pretexting, as well as older forms of social engineering attacks such as phishing emails that target cloud credentials. As cybercriminals continue to evolve, investment in a strong security ecosystem that includes cognitive capabilities can enable security teams to detect the most sophisticated threats before they result in a money transfer or similar costly damages.

Reduce the risk of cyber attack with privileged access management (PAM)

More from Risk Management

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

How I got started: Ransomware negotiator

4 min read - Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today