Are you aware of these social engineering tactics?

Social engineering attacks rely on humans to succeed and organizations must focus on training that includes simulation exercises to mitigate risks.

A deepfake is a type of synthetic or manipulated content (audio, images or video) that is not real, but looks realistic. The FBI reported that attackers are using voice deepfakes to attend remote job interviews. (Photo: mike/Adobe Stock)

In a vast majority of cyberattacks and breaches, social engineering attacks continue to be a leading attack vector. According to the FBI, last year businesses lost nearly $7 billion due to scams and social engineering.

Why social engineering?

As human beings, we are susceptible to errors of judgment and biases. Cybercriminals leverage psychological weaknesses to steal identities, data and personal information. What’s more, manipulating a person is much easier than hacking systems or exploiting software vulnerabilities. Hacking systems requires a deep understanding of technology, while hacking people only takes an understanding of basic social psychology.

How does social engineering work?

Social engineering tactics can vary greatly, but the attack typically passes through five phases:

1) Targeting: Threat actors identify an organization, an employee or a department to phish.

2) Information gathering: Scammers conduct research on the target through a variety of open-source intelligence (OSINT) tools, social media accounts, websites and other public forums.

3) Pretexting: Fraudsters impersonate a trusted source and create a scenario that tricks the target into divulging information or completing an action.

4) Exploitation: Once attackers have a foot in the door, they can then move laterally, steal information or advance the attack.

5) Execution: The final stage, where attackers achieve their end goals, whether financial, political, espionage or personal.

Top Social Engineering Tactics

While email phishing is one of the most prolific social engineering tactics, there are other techniques to be aware of.

1. Business Email Compromise (BEC)

BEC (business email compromise, a.k.a. CEO fraud) is a type of highly targeted social engineering attack where scammers impersonate a top executive (CEO, CFO, etc.) and instruct lower-ranking employees to execute a wire transfer, update banking, payroll or invoice information, purchase gift cards, or share sensitive information such as employees’ personally identifiable information or company financial statements. The FBI received an estimated 20,000 BEC complaints in 2021, which reportedly cost the U.S. economy $2.4 billion.

2. Smishing

From notifications of phony package deliveries to COVID-19 schemes, fake money transfers and false one-time passwords or PINs, researchers believe that the increase in smishing is because people seem to respond more readily to SMS texts than to calls or emails. Some people are quick to click text links before reading the message or raising suspicion about it. In 2021, the Federal Trade Commission received 378,119 complaints of text message fraud, which included smishing attempts; consumers reported losing $86 million due to text messages.

3. Deepfakes

A deepfake is a type of synthetic or manipulated content (audio, images or video) that is not real, but looks realistic. Social media enthusiasts and hackers are using deepfakes to create more realistic impersonations of trusted sources. In 2020, scammers cloned the voice of a company executive (using AI) and successfully convinced a bank manager to transfer $35 million to a criminal’s account. The FBI reported that attackers are using voice deepfakes to attend remote job interviews.


4. Malicious Push Notifications

With remote work becoming the norm, more and more organizations are deploying multi-factor authentication (MFA) to create an additional layer of security during a user’s authentication process. MFA fatigue is a new tactic in which adversaries flood the victim’s mobile device with push notifications. According to researchers, users end up accepting the request because they are either distracted or overwhelmed by the notifications, misinterpret it as a bug, or confuse it with legitimate authentication requests.
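The pattern described above (a burst of push prompts, some denied, ending in an approval) is what a defender can look for in MFA logs. The following is an added example, not code from the article or from any vendor; the log format, field names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): timestamp, user, push result.
# The format is an assumption; adapt parse_log() to your identity provider's export.
SAMPLE_LOG = """\
2023-05-02T08:01:10Z alice push_sent
2023-05-02T08:01:12Z alice push_denied
2023-05-02T08:01:40Z alice push_sent
2023-05-02T08:01:45Z alice push_denied
2023-05-02T08:02:05Z alice push_sent
2023-05-02T08:02:20Z alice push_sent
2023-05-02T08:02:31Z alice push_denied
2023-05-02T08:02:50Z alice push_sent
2023-05-02T08:03:02Z alice push_approved
2023-05-02T08:05:00Z bob push_sent
2023-05-02T08:05:04Z bob push_approved
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_fatigue(events, window=timedelta(minutes=5), push_threshold=3, min_denials=1):
    """Flag users whose approval was preceded, within `window`, by at least
    `push_threshold` pushes and `min_denials` denials: the MFA fatigue signature.
    A lone prompt that is approved right away (bob) is normal and is not flagged."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (ts, result) in enumerate(evs):
            if result != "push_approved":
                continue
            recent = [r for t, r in evs[:i] if ts - t <= window]
            sent, denied = recent.count("push_sent"), recent.count("push_denied")
            if sent >= push_threshold and denied >= min_denials:
                alerts[user] = {"approved_at": ts, "pushes": sent, "denials": denied}
    return alerts
```

Tune the window and thresholds to your own baseline; a denied prompt followed by an approval minutes later is the event worth paging on, and number matching or phishing-resistant MFA removes the pattern entirely.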

5. Vishing

Vishing (or voice phishing) is the telephone equivalent of phishing, where attackers manipulate targets using voice (usually a phone call) to humanize the delivery and make the scammer seem more trustworthy. According to IBM, phishing campaigns that include phone calls are three times more effective than regular phishing emails. Vishing attacks have risen by almost 550% in recent times, which indicates how attackers are increasingly employing voice-based tactics to gain the trust of victims. There have also been reports of vishing being used frequently in BEC attacks.

How organizations can reduce the risk of social engineering

Social engineering attacks rely on humans to succeed; therefore, organizations must primarily focus on end-user training that includes simulation exercises, meaning the use of real-world phishing attempts caught in the wild. Employees must be taught not to take anything at face value and to develop a habit of healthy skepticism. Organizations should use a combination of security tools such as endpoint detection and response, intrusion detection systems, advanced email security and phishing-resistant MFA. Finally, all policies and procedures must be documented clearly so that employees understand their responsibilities.

As technical defenses mature with time, social engineering will become the weapon of choice for many attackers. With the right awareness, tools and training, end users, who have traditionally been regarded as the weakest link in cyber defenses, have the potential to become an organization’s strongest ally against these threats.

Stu Sjouwerman is founder and CEO of KnowBe4, [NASDAQ: KNBE] developer of security awareness training and simulated phishing platforms, with 50,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at ssjouwerman@knowbe4.com.
