Some of the most effective tricks used for social engineering attacks are being overlooked or underestimated.
That’s according to security vendor Proofpoint, whose 2022 Social Engineering report concluded that many companies are mistakenly assuming that cybercriminals are unwilling or unable to use tactics such as extended conversations, legitimate services and hijacked email threads in order to dupe their targets into opening malware and following phishing links.
Proofpoint, which specializes in tools and services to counter social engineering, argues that these assumptions are putting companies at heightened risk for network intrusions and malware infections.
“Despite defenders’ best efforts, cybercriminals continue to defraud, extort and ransom companies for billions of dollars annually,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, based in Sunnyvale, Calif. “The struggle with threat actors evolves constantly, as they change tactics to earn clicks from end users.”
In general, the report finds, companies are underestimating the resources attackers are willing to put into social engineering attacks. For example, many believe that hacking crews will not exchange multiple messages with their targets.
In reality, the study found that many hacking operations were not only willing to exchange multiple messages with their targets in hopes of gaining their trust, but were also looking to get the target to engage over multiple forms of communication, such as personal email messages and phone calls.
Not surprisingly, this trend is increasingly prevalent amongst Iranian and Russian hacking operations that target high-profile industries such as oil and gas and government agencies.
“If it’s something we are talking about as a society, if it’s something that elicits strong emotions, then it is content that is likely to be exploited,” DeGrippo told SearchSecurity. “Increasingly, we are seeing threat actors use their social engineering content to move victims out of the corporate email environment to alternate communication platforms such as the telephone and conferencing software. This is the next frontier.”
In other instances, attackers are looking to make use of legitimate domains and file-sharing services to win the trust of their targets and convince them to install malware that provides a foothold for network takeovers.
While educating end users on these and other popular tricks is key, there are certain pitfalls to avoid when it comes to stopping social engineering attacks. DeGrippo said keeping up with evolving threats also means keeping education and training content fresh.
“Cybersecurity awareness programs with regularly updated content will help to train users to spot and report malicious email,” DeGrippo said. “We recommend interactive training that leverages real-world situations and is based on learning science principles. This ensures that individuals engage more deeply with the material, promoting longer-term retention.”