According to research from Beaming, in 2021 UK businesses had to deal with an attempted data breach every 47 seconds. The report goes on to highlight that remote working has been an opportunity to ramp up cyber attacks. This is notable, as according to the 2021 Verizon Data Breach Investigation Report (DBIR), 85% of data breaches need a human being to initiate them.
This perfect storm is being whipped up by social engineering; this tactic covers a wide range of activities that manipulate human behaviour. Cybercriminals will literally use any possible angle to exploit employees, using known psychological tricks to make us click before we think or download malware.
A recent report shows that social engineering-based cyber attacks increased by 270% in 2021. There are several reasons for this, but the bottom line is that social engineering techniques work and we need to find ways to protect our employees.
One way to prevent social engineers from manipulating our staff, and eventually our data and corporate networks, is through understanding how social engineering attacks work.
Here are some of the latest types of social engineering attacks to watch out for.
Social Engineering and Cyber Security
Cyber security threats are rarely purely technical in nature. Instead, cybercriminals have quickly realised that using employees, non-employees, and the wider vendor ecosystem to carry out their nefarious aims is a good way to enter a protected network.
Recent research into the use of business emails to initiate a cyber attack found that in 30% of organisations, over 50% of links received via email ended up at a malicious website. That is an avalanche of malicious entry points into a corporate system and its business operations.
Social engineering attacks use common tactics that work, time and time again. But hackers may vary these as events unfold. The Covid-19 pandemic was one such event.
Some of the likely social engineering attacks to watch out for this coming year are:
Business Email Compromise (and Vendor Email Compromise)
The 2021 Verizon Data Breach Investigation Report (DBIR) noted that Business Email Compromise (BEC) was the second most common form of social engineering attack. BEC and its vendor-focused variant, Vendor Email Compromise (VEC), represent social engineering at its most intricate and multi-part.
BEC fraudsters use surveillance to understand their target to create tailored, legitimate looking, but spoofed emails. Often a BEC attack will begin with a compromised email account. This gives the fraudsters the information needed to carry out sophisticated tricks.
Compromised accounts and passwords can also be used to let the hacker monitor the company’s operations and communications, gathering all the information needed to manipulate employees into creating new invoices, or changing existing ones, so that company money is sent to the fraudster.
The 2021 Business Email Security Landscape Report provides some important insights to help mitigate the success of these types of attacks:
- 72% of respondents had experienced a BEC attack in the past 12 months.
- Almost 50% of BEC attacks use a spoofed identity presented in the email display name.
- Spear phishing emails target individuals with the power to move money. These targeted phishing emails use company names (68%), names of individual targets (66%), and the names of bosses/managers (53%) to tailor the attack.
A new variant of BEC is Vendor Email Compromise (VEC). This type of BEC focuses on vendors to misdirect money. VEC attacks use a chain effect, with phishing propagating across the entire vendor ecosystem if left unchecked.
VEC attacks are typically carried out by well-funded professional cybercriminals, as they involve in-depth surveillance and reconnaissance to understand their targets well enough to create believable spoof communications. Social engineering techniques are at the core of VEC, just as they are at the core of BEC; the only difference is that the cybercriminals are focusing on an entire ecosystem.
Like BEC, the VEC fraudster’s goal is to defraud a business and steal funds. Timing is a key part of a VEC attack, and social engineering is used to trick employees into changing the details of an invoice at just the right moment so no suspicion is raised.
Phishing In All Its Forms
BEC is among many types of cyber attacks that use phishing or spear-phishing to initiate an attack. Phishing is a favourite amongst social engineers and was present in 36% of breaches according to the DBIR. Phishing is the ultimate tool in the social engineer’s armoury as its content and context can ultimately lead to control over a corporate network.
Phishing emails use a variety of psychological tricks and triggers to get recipients to either click on a malicious link or download an infected attachment. These tricks include spoofing well-known brands, using urgency and fear to encourage the click, and triggering emotions such as Fear of Missing Out (FOMO). More on the types of tactics used to trick employees can be found in the MetaCompliance “Ultimate Guide to Phishing”.
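The brand-spoofing trick described above usually relies on the link itself: the visible text shows a trusted URL while the real destination is somewhere else. As an added example, not code from the article or from MetaCompliance, the following Python uses the standard-library HTML parser to pull every anchor out of an email body and flags two link patterns a filter or a user-reporting tool can surface: visible text that reads as a URL but does not match the href’s host, and a destination that is a bare IP address. The sample HTML, its domains (reserved `.example` names) and the 203.0.113.0/24 documentation address are constructed.

```python
"""Link checks for brand-spoofing phishing mail (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that reads as a URL or bare domain; group 1 is the host it shows.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # None while not inside an <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so wrapped anchor text still compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_links(html):
    """Return (visible text, href, reason) for each deceptive anchor in the body."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = URL_LIKE.match(text)
        if shown and shown.group(1).lower() != host:
            findings.append((text, href, "visible URL differs from destination"))
        elif IPV4.match(host):
            findings.append((text, href, "destination is a bare IP address"))
    return findings


# Constructed phishing-style body: one mismatched link, one IP link, one honest link.
SAMPLE_HTML = """
<p>Your account will be suspended unless you verify it.</p>
<a href="http://verify.account-update.example/login">https://www.bank.example/login</a>
<a href="http://203.0.113.5/update">Click
   here</a>
<a href="https://www.bank.example/help">www.bank.example/help</a>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_HTML):
        print(f"{reason}: '{text}' -> {href}")
```

The third anchor shows that an honest link whose text and href agree is not flagged; the host comparison is exact, so a sub-domain of the brand (for example a genuine `mail.bank.example`) would also pass only if the visible text names that same host.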
Phishing often follows events or targets users for specific purposes.
Emotional Manipulation and Event-Led Phishing: Events can often be an emotional trigger for a person. Fraudsters use these emotions to manipulate users into feeling they are missing out on something or must act urgently to take advantage of an event.
During the Covid pandemic, many phishing emails reflected the “World Health Organization” branding and played on the health concerns of email recipients. At one point during the pandemic, Google was blocking around 17 million scam emails per day, as many fraudsters used the pandemic to play on people’s emotions and fears. A single scam email that makes it into an employee’s inbox can result in a catastrophic data breach.
Ransomware Attacks That Use Follow-on Phishing: Phishing leads to ransomware, and now it can also lead to follow-on phishing. This was the case in the recent Lapsus$ attack on Portugal’s largest media conglomerate, Impresa. The group owns the country’s largest TV channel and newspaper, SIC and Expresso. The attack is thought to have started with a spear-phishing email which led to the takeover of the group’s Amazon Web Services (AWS) account. This led to the defacement of the group’s website, the takeover of Expresso’s Twitter account, and the use of a newsletter account to send out phishing emails to the group’s subscribers.
Once a cybercriminal has access to a network, usually via credentials stolen through phishing or spear-phishing, they can use that entry point to escalate privileges and launch further attacks, as seen in the Lapsus$ attack. It is highly likely that these multi-faceted, overlapping attacks will become more common.
Phishing will continue to be used to initiate cyber attacks as it is a way for cybercriminals to ‘communicate’ with people who are part of a corporate target. Using this method of communication is a perfect way to socially engineer a human, meaning that the cybercriminal does not need to ‘hack’ into technology that may well be protected; instead, they hack the human.
Social Engineering and Deep Fakes
Deep fakes are the ultimate in social engineering attacks and organisations should expect this technology to be used for nefarious reasons in coming years. The FBI has already published a warning stating:
“the FBI anticipates it will be increasingly used by foreign and criminal cyber actors for spearphishing and social engineering in an evolution of cyber operational tradecraft.”
The FBI suggests tactics that can be employed to reduce the risk of social engineering via deep fakes including “train users to identify and report attempts at social engineering and spearphishing which may compromise personal and corporate accounts.”
Tackling Social Engineering at Source
Social engineering has provided attackers with ways to gain access to resources for as long as human beings have existed. The fact that these criminals now work within a digital realm does not change the fact that the target of the cybercriminal is human behaviour.
To stop social engineers from manipulating our employees, and the wider network of business associates, we must train these individuals in the ways of social engineers. Knowledge is power, and the power balance must be shifted from the cybercriminal to the business through education of employees and the capture of attempts using reporting systems.