Social engineering is a prominent component of the overwhelming majority of recent cyber attacks.
Whether the goal of a threat actor is to commit fraud, harvest credentials, or install malware, at some point a human being must be coerced into taking an action on the actors’ behalf.
Cybercriminals continue to defraud, extort, and ransom companies for billions of dollars annually. Businesses are at constant defense against threat actors and cyber criminals, as their strategies and techniques continue to evolve over time. Ultimately, the cyber attack strategies which are successful will continue to be utilized and refined, and the techniques that aren’t effective are abandoned. As new defensive capabilities are developed and enforced, crafty and technically skilled threat actors find new ways to defeat them. With the result that threat actors constantly trial new exploitative methods, while improving those which have already been proven to perform.
As a result, threat actors continue to develop a wide array of techniques that exploit human behaviours. The most effective methods prey on natural human tendencies and undermine instincts which raise an alarm that “something isn’t right.” Often this means presenting the intended victim with content they may already be familiar with in their day-to-day job (invoices, receipts, documents, and spreadsheets). This content appears routine and therefore raises no alarm. A threat actor might impersonate a trusted partner or an authority figure to further enforce their phony contents legitimacy.
The continual threat from cyber criminals should be excellent motivation to implement security awareness programs and training within your business. Educate your staff to better recognize attempts to exploit them into facilitating malicious activity. As users and staff become more aware, threat actors will be forced to pivot.
Some common mistaken assumptions about threat actors that could put your business at risk:
Assumption: Threat actors don’t have conversations with you
Effective social engineering is about forging feelings within a user that drive them into engage with malicious content. Creating feelings of urgency and trustworthiness are both effective motivators. By sending benign emails with the intent to lure the user into a false sense of security, threat actors lay the groundwork for a relationship to be more easily exploitable.
Assumption: Content using legitimate services is safe
Users may be more inclined to interact with content if it appears to originate from a source they recognize and trust. However, threat actors regularly abuse legitimate services such as cloud storage providers, like Google Drive or Dropbox, to host and distribute malware as well as credential harvesting portals.
- For example: Threat actors often send emails containing Google Drive URLs that lead to a ransomware install. If executed, the ransomware can target security products such as antivirus and firewall software, with attempts to disable built-in security protections. The threat actor may also collect system information or phish for credentials.
Assumption: Threat actors don’t use the phone
It is not unusual for people to think email-based threats happen only through their computer. Recently researchers have identified an increase in attacks perpetuated by threat actors leveraging a robust ecosystem of call center-based email threats. The threats are unique in that they require a lot of human interaction. The emails themselves don’t contain malicious links or attachments, instead individuals must proactively call a fake customer service number in the email to engage with the threat actor.
There are two types of call center threat activity routinely observed:
- One uses free, legitimate remote assistance software to steal money.
- The second leverages the use of malware disguised as a document to compromise a computer and can lead to follow-on malware.
Assumption: Replies to existing emails are safe
Assumption: Threat actors only use business-related content
- Example 1: In 2021, a known malware distributor used pop culture themed lures attempting to capitalize on the popularity of the Netflix smash hit Squid Game. The threat actor purported to be entities associated with the Netflix global phenomenon using emails enticing targets to get early access to a new season of Squid Game or to become a part of the TV show casting, when in reality the emails were used to distribute a malicious banking trojan.
- Example 2: One of the most convincing IRS-themed campaigns leveraged the idea that the potential victim was owed an additional refund in an attempt to harvest a variety of personally identifying information, such as their previous years’ adjusted gross income and PIN, which would allow the threat actor to attempt to claim the victims’ tax refunds.
- Example 3: Social interest is also frequently leveraged: at the beginning of the COVID-19 pandemic there was a collective desire for information around updated health guidelines, company policies, regional mandates, and vaccine development. Because of the universal relevance, threat actors of every sophistication level pivoted to make use of COVID-19 related content. In 2020, a high-volume campaign spoofing the World Health Organization (WHO) contained a URL which led to a fake WHO authentication page designed to harvest user credentials.
The driving force behind the widespread use of social engineering is its effectiveness.
Despite defenders’ best efforts, cybercriminals continue to be successful at exploiting the human element for financial gain. This is unlikely to change any time soon. The most sophisticated criminal organizations have evolved to imitate legitimate businesses and have scaled to become more resilient, while also achieving greater profits. Until a situation where the path of least resistance to monetization is not a person, threat actors will continue to capitalize by preying on human behaviors, instincts, and emotions.
What can we do to make threat actors less successful?
All evidence points to the end-user as the weakest point in a modern layered defense, so businesses must address the weakest point in their system.
As a result of increased threat, many organizations have implemented security awareness and training programs. The most impactful course of action for any given organization is to shift the culture toward a posture where identification of incoming threats is understood as both relevant and necessary – everyday. This means encouraging familiarization with the wide array of content that threat actors may leverage, and establishing consistent flagging of content which is potentially malicious.
Organizations must ingrain in their employees the idea that malicious activity is inevitable. As this idea becomes more widely accepted and reporting avenues for threats become more well-established, threat actors should have a progressively more difficult task in exploiting the human element of your business.