Cyber Security Training & Software for Companies | MetaCompliance

Social Engineering Attacks to Watch Out For in 2022 and Beyond

Social Engineering


According to research from Beaming, in 2021 UK businesses had to deal with an attempted data breach every 47 seconds. The report goes on to highlight that remote working has been an opportunity to ramp up cyber attacks. This is notable, as according to the 2021 Verizon Data Breach Investigation Report (DBIR), 85% of data breaches need a human being to initiate them.

This perfect storm is being whipped up by social engineering, a tactic that covers a wide range of activities manipulating human behaviour. Cybercriminals will use any available angle to exploit employees, applying known psychological tricks to make us click, or download malware, before we think.

A recent report shows that social engineering-based cyber attacks increased by 270% in 2021. There are several reasons for this, but the bottom line is that social engineering techniques work and we need to find ways to protect our employees.

One way to prevent social engineers from manipulating our staff, and eventually our data and corporate networks, is through understanding how social engineering attacks work.

Here are some of the latest types of social engineering attacks to watch out for.

Social Engineering and Cyber Security

Cyber security threats are rarely purely technical in nature. Instead, cybercriminals have quickly realised that using employees, non-employees, and the wider vendor ecosystem to carry out their aims is a good way to enter a protected network.

Recent research into the use of business emails to initiate a cyber attack found that in 30% of organisations, over 50% of links received via email ended up at a malicious website. That is an avalanche of malicious entry points into a corporate system and its business operations.

Social engineering attacks use common tactics that work, time and time again. But hackers may vary these as events unfold. The Covid-19 pandemic was one such event.

Some of the likely social engineering attacks to watch out for this coming year are:

Business Email Compromise (and Vendor Email Compromise)

The 2021 Verizon Data Breach Investigation Report (DBIR) noted that Business Email Compromise (BEC) was the second most common form of social engineering attack. BEC and its vendor-focused variant, VEC, represent social engineering at its most intricate and multi-part.

BEC fraudsters use surveillance to understand their target and create tailored, legitimate-looking but spoofed emails. Often a BEC attack will begin with a compromised email account, which gives the fraudsters the information needed to carry out sophisticated tricks.

Compromised accounts and passwords can also be used to watch over the company’s operations and communications, gathering all the information needed to manipulate employees into creating new invoices, or changing existing ones, so that company money is sent to the fraudster.

The 2021 Business Email Security Landscape Report provides some important insights to help mitigate the success of these types of attacks:

  • 72% of respondents had experienced a BEC attack in the past 12 months.
  • Almost 50% of BEC attacks use a spoofed identity presented in the email display name.
  • Spear phishing emails target individuals with the power to move money. These targeted phishing emails use company names (68%), the names of individual targets (66%), and the names of bosses or managers (53%) to tailor the attack.
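The display-name spoofing and executive-name impersonation described in the figures above are things a mail gateway or SOC can check for mechanically. The following is an added example, not MetaCompliance code: it parses a From: header and flags three BEC indicators (a display name that matches someone with payment authority but whose address is not theirs, an internal address planted in the display name while the real sender is external, and a sender domain one character away from the organisation's own). The internal domain, the staff directory and the sample headers are all constructed for the example.

```python
"""Flag BEC-style sender spoofing in inbound From: headers.

Added example (not MetaCompliance code). The domains, names and
sample headers below are constructed for illustration.
"""
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed: the organisation's own sending domains.
INTERNAL_DOMAINS = {"example.com"}

# Constructed: display names of people with the power to move money,
# mapped to the only address they legitimately send from.
PAYMENT_AUTHORITY = {
    "Jane Doe": "jane.doe@example.com",
    "Sam Patel": "sam.patel@example.com",
}


def _normalise(name: str) -> str:
    """Case-fold and sort name tokens so 'Doe, Jane' == 'jane doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


_EXPECTED = {_normalise(n): a.lower() for n, a in PAYMENT_AUTHORITY.items()}
_ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")


def analyse_from_header(raw_from: str) -> dict:
    """Return the display name, address and a list of BEC findings for one From: value."""
    # RFC 2047 encoded display names are decoded before any comparison.
    decoded = str(make_header(decode_header(raw_from)))
    display, addr = parseaddr(decoded)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Name of a payment approver, but not sent from their real address.
    key = _normalise(display)
    if key in _EXPECTED and addr != _EXPECTED[key]:
        findings.append("executive_impersonation")

    # 2. An internal address shown in the display name while the true sender is external.
    m = _ADDR_IN_NAME.search(display)
    if m and m.group(1).lower() in INTERNAL_DOMAINS and domain not in INTERNAL_DOMAINS:
        findings.append("display_name_address_spoof")

    # 3. Sender domain is a one-character edit away from an internal domain.
    if domain and domain not in INTERNAL_DOMAINS:
        if any(_edit_distance(domain, d) <= 1 for d in INTERNAL_DOMAINS):
            findings.append("lookalike_domain")

    return {"display": display, "address": addr, "findings": findings}


# Constructed sample headers: one legitimate, four showing the indicators above.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <ceo.jane.doe@gmail.com>",
    '"jane.doe@example.com" <billing@mailer.example>',
    "Accounts Payable <ap@examp1e.com>",
    "=?UTF-8?B?U2FtIFBhdGVs?= <spatel@freemail.example>",  # encoded "Sam Patel"
]


def triage(headers=SAMPLE_FROM_HEADERS) -> list:
    """Return (address, findings) for every header that raised at least one finding."""
    results = [analyse_from_header(h) for h in headers]
    return [(r["address"], r["findings"]) for r in results if r["findings"]]


if __name__ == "__main__":
    for address, findings in triage():
        print(f"{address}: {', '.join(findings)}")
```

A check like this belongs at the gateway or in a SIEM rule, alongside the training the article recommends; it is cheap to run and catches the display-name trick that the figures above say appears in almost half of BEC attempts.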

A new variant of BEC is Vendor Email Compromise (VEC). This type of BEC focuses on vendors to misdirect money. VEC attacks use a chain effect, with phishing propagating across the entire vendor ecosystem if left unchecked.

VEC attacks are typically carried out by well-funded professional cybercriminals, as they involve in-depth surveillance and reconnaissance to understand the targets well enough to create believable spoof communications. Social engineering techniques are at the core of VEC, just as they are at the core of BEC; the only difference is that the cybercriminals are focusing on an entire ecosystem.

Like BEC, the VEC fraudster’s goal is to defraud a business and steal funds. Timing is a key part of a VEC attack, and social engineering is used to trick employees into changing the details of an invoice at just the right moment so no suspicion is raised.

Phishing In All Its Forms

BEC is among many types of cyber attacks that use phishing or spear-phishing to initiate an attack. Phishing is a favourite amongst social engineers and was present in 36% of breaches according to the DBIR. Phishing is the ultimate tool in the social engineer’s armoury as its content and context can ultimately lead to control over a corporate network.

Phishing emails use a variety of psychological tricks and triggers to get recipients to either click on a malicious link or download an infected attachment. These tricks include spoofing well-known brands, using urgency and fear to encourage the click, and triggering emotions such as Fear of Missing Out (FOMO). More on the types of tactics used to trick employees can be found in the MetaCompliance “Ultimate Guide to Phishing”.

Phishing often follows events or targets users for specific purposes.

Emotional Manipulation and Event-Led Phishing: Events can often be an emotional trigger for a person. Fraudsters use these emotions to manipulate users into feeling they are missing out on something or must act urgently to take advantage of an event.

During the Covid pandemic, many phishing emails reflected the “World Health Organization” branding and played on the health concerns of email recipients. At one point during the pandemic, Google was blocking around 17 million scam emails per day; many fraudsters used the pandemic to play on people’s emotions and fears. A single scam email that makes it into an employee’s inbox can result in a catastrophic data breach.

Ransomware Attacks That Use Follow-on Phishing: Phishing leads to ransomware, and now it can also lead to follow-on phishing. This was the case in the recent Lapsus$ attack on Portugal’s largest media conglomerate, Impresa. The group owns the country’s largest TV channel and newspaper, SIC and Expresso. The attack is thought to have started with a spear-phishing email which led to the takeover of the group’s Amazon Web Services (AWS) account. This led to the defacement of the group’s website, the takeover of Expresso’s Twitter account, and the use of a newsletter account to send out phishing emails to the group’s subscribers.

Once a cybercriminal has access to a network, usually via credentials stolen through phishing or spear-phishing, they can use that entry point to escalate privileges and launch further attacks, as seen in the Lapsus$ attack. It is highly likely that these multi-faceted, overlapping attacks will become more common.

Phishing will continue to be used to initiate cyber attacks as it is a way for cybercriminals to ‘communicate’ with people who are part of a corporate target. Using this method of communication is a perfect way to socially engineer a human, meaning that the cybercriminal does not need to ‘hack’ into technology that may well be protected; instead, they hack the human.

Social Engineering and Deep Fakes

Deep fakes are the ultimate in social engineering attacks, and organisations should expect this technology to be used for nefarious reasons in the coming years. The FBI has already published a warning stating:

“the FBI anticipates it will be increasingly used by foreign and criminal cyber actors for spearphishing and social engineering in an evolution of cyber operational tradecraft.”

The FBI suggests tactics that can be employed to reduce the risk of social engineering via deep fakes, including “train users to identify and report attempts at social engineering and spearphishing which may compromise personal and corporate accounts.”

Tackling Social Engineering at Source

Social engineering has provided attackers with ways to gain access to resources for as long as human beings have existed. The fact that these criminals now work within a digital realm does not change the fact that the cybercriminal’s target is human behaviour.

To stop social engineers from manipulating our employees, and the wider network of business associates, we must train these individuals in the ways of social engineers. Knowledge is power, and the power balance must be shifted from the cybercriminal to the business through education of employees and the capture of attempts using reporting systems.
