Cybercriminals continue to defraud, extort, and ransom companies for billions of dollars annually. Businesses are constantly on the defensive against threat actors and cybercriminals, whose strategies and techniques continue to evolve over time. Ultimately, the cyber attack strategies that are successful will continue to be utilized and refined, and the techniques that aren’t effective are abandoned. As new defensive capabilities are developed and enforced, crafty and technically skilled threat actors find new ways to defeat them. The result is that threat actors constantly trial new exploitative methods while improving those that have already been proven to perform.
As a result, threat actors continue to develop a wide array of techniques that exploit human behaviours. The most effective methods prey on natural human tendencies and undermine the instincts that raise an alarm that “something isn’t right.” Often this means presenting the intended victim with content they may already be familiar with in their day-to-day job (invoices, receipts, documents, and spreadsheets). This content appears routine and therefore raises no alarm. A threat actor might impersonate a trusted partner or an authority figure to further reinforce the apparent legitimacy of their phony content.
Effective social engineering is about forging feelings within a user that drive them to engage with malicious content. Feelings of urgency and trustworthiness are both effective motivators. By sending benign emails with the intent to lure the user into a false sense of security, threat actors lay the groundwork for a relationship that is more easily exploited.
Users may be more inclined to interact with content if it appears to originate from a source they recognize and trust. However, threat actors regularly abuse legitimate services, such as the cloud storage providers Google Drive and Dropbox, to host and distribute malware as well as credential harvesting portals.
It is not unusual for people to think email-based threats happen only through their computer. Recently, researchers have identified an increase in attacks perpetrated by threat actors leveraging a robust ecosystem of call center-based email threats. These threats are unique in that they require a lot of human interaction. The emails themselves don’t contain malicious links or attachments; instead, individuals must proactively call a fake customer service number in the email to engage with the threat actor.
There are two types of call center threat activity routinely observed:
As a result of the increased threat, many organizations have implemented security awareness and training programs. The most impactful course of action for any given organization is to shift the culture toward a posture where identification of incoming threats is understood as both relevant and necessary every day. This means encouraging familiarization with the wide array of content that threat actors may leverage, and establishing consistent flagging of content that is potentially malicious.
Organizations must ingrain in their employees the idea that malicious activity is inevitable. As this idea becomes more widely accepted and reporting avenues for threats become better established, threat actors should have a progressively more difficult task in exploiting the human element of your business.