Cybercrime continues to be a growing threat, and attack methods evolve with each passing day. At the core of almost every successful cyberattack, one thing remains constant: a victim is persuaded into performing the desired action. Whether it's clicking a link, opening an attachment, or complying with a request, attackers rely on social engineering tactics that exploit human curiosity, desire, anxiety, eagerness, and urgency. Most attacks depend on some form of social engineering to get started. Let's look at the top 5 social engineering trends to watch out for in 2021.
By Stu Sjouwerman, CEO of KnowBe4
1. Consent phishing on the rise
Since Covid-19, more and more businesses have moved their workloads to the cloud, and attackers have found ingenious ways to hijack the data stored there. So-called 'consent phishing' is one such variant of social engineering. Instead of asking the victim for a password, the attacker lures them into granting a malicious application permission to their account, typically through a legitimate-looking OAuth 2.0 consent prompt that asks for access to mail, files, or contacts. Once the user clicks "Accept", the application receives an access token and talks to the cloud service directly, with fully legitimate access. No code ever has to execute on the user's machine, so endpoint security never sees the attack, and the access persists until the grant is found and revoked.
OAuth 2.0 is the authorization protocol behind the consent prompts used by Microsoft, Google, Facebook, and many other leading companies, which is exactly why a bogus "Allow" screen looks so trustworthy. The 2020 attack on the SANS Institute is a recent example: a phishing email led an employee to install a malicious Office 365 add-on, which created a rule that forwarded the employee's mail to an attacker-controlled email address. Around 28,000 records of personally identifiable information were exposed before the forwarding rule was discovered.
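The two artifacts a consent-phishing attack leaves behind are an OAuth consent grant for an app nobody vetted and, as in the SANS case, an inbox rule that quietly forwards mail out of the tenant. The script below is an added example for this article (not code from the article, from KnowBe4, or from Microsoft) showing how a defender would triage both. The record layouts, scope names, app names, mailboxes and domains are constructed assumptions loosely modelled on what an export of a tenant's permission grants and inbox rules contains, not the exact Microsoft Graph schema.

```python
"""Triage OAuth consent grants and inbox forwarding rules for consent-phishing
indicators. Added example for this article; not code from the article, KnowBe4
or Microsoft. Field names are simplified assumptions, loosely modelled on a
Microsoft Graph export of oauth2PermissionGrants and mailbox inbox rules; the
sample records at the bottom are constructed, not real tenant data."""
from dataclasses import dataclass

# Delegated scopes that let a third-party app read or act on mail and files
# without ever seeing the user's password.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Contacts.Read", "offline_access",
}
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains


@dataclass
class ConsentGrant:
    app_name: str
    publisher_verified: bool
    scopes: set
    consent_type: str       # "Principal" = one user consented, "AllPrincipals" = admin
    consenting_users: int


@dataclass
class InboxRule:
    mailbox: str
    forward_to: list        # addresses the rule forwards or redirects to
    delete_after_forward: bool


def assess_grant(g: ConsentGrant) -> list:
    """Return human-readable reasons a grant deserves review (empty = fine)."""
    reasons = []
    risky = sorted(g.scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append(f"high-risk delegated scopes {risky}")
    if not g.publisher_verified:
        reasons.append("publisher not verified")
    if "offline_access" in g.scopes:
        reasons.append("refresh token issued: long-lived access until the grant is revoked")
    if g.consent_type == "Principal" and risky and g.consenting_users <= 3:
        reasons.append("user-consented by only a few users (typical of a targeted lure)")
    return reasons


def assess_rule(r: InboxRule) -> list:
    """Flag inbox rules that leak mail outside the tenant, as in the SANS case."""
    reasons = []
    external = [a for a in r.forward_to
                if a.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]
    if external:
        reasons.append(f"forwards mail to external address(es) {external}")
        if r.delete_after_forward:
            reasons.append("deletes the message after forwarding (hides the leak from the user)")
    return reasons


def triage(grants, rules) -> dict:
    """Map each suspicious object to its findings; clean objects are omitted."""
    out = {}
    for g in grants:
        findings = assess_grant(g)
        if findings:
            out[f"app:{g.app_name}"] = findings
    for r in rules:
        findings = assess_rule(r)
        if findings:
            out[f"rule:{r.mailbox}"] = findings
    return out


# Constructed sample data (hypothetical apps, mailboxes and domains).
SAMPLE_GRANTS = [
    ConsentGrant("Corporate Expense Portal", True, {"User.Read", "openid"},
                 "AllPrincipals", 850),
    ConsentGrant("Mail Productivity Add-in", False,
                 {"Mail.Read", "MailboxSettings.ReadWrite", "offline_access"},
                 "Principal", 1),
]
SAMPLE_RULES = [
    InboxRule("alice@example.com", ["alice@example.com"], False),
    InboxRule("bob@example.com", ["collect@attacker-mail.example.net"], True),
]

if __name__ == "__main__":
    for obj, findings in triage(SAMPLE_GRANTS, SAMPLE_RULES).items():
        print(obj)
        for line in findings:
            print("  -", line)
```

Run against a real tenant, the same two checks become a scheduled review of new consent grants (unverified publisher plus mail scopes is the combination to alert on) and an alert on any inbox rule that forwards outside the organization; the MailboxSettings.ReadWrite scope matters because it is what lets a consented app create such a rule in the first place.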
2. Business Email Compromise gets costlier
The FBI considers business email compromise (BEC), together with its close relative email account compromise (EAC), one of the most financially damaging online crimes. It is another social engineering attack: cybercriminals impersonate a trusted business contact, such as an executive, a supplier, or a law firm, and by posing as that trusted entity convince targets to pay invoices, transfer funds, or hand over access to data or intellectual property. The average cost of a BEC attack is currently estimated at $80,000 and is expected to rise every year. In a case that ended with a 2019 sentencing, a Lithuanian man posing as a hardware vendor conned Google and Facebook into wiring some $123 million to bank accounts he controlled. According to Gartner, BEC attacks will continue to double every year through 2023, at a staggering cost of $5 billion to their victims.
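BEC works because the impersonation is good enough to pass a glance: an executive's display name on an outside address, a vendor domain one character off the real one, a Reply-To that quietly redirects the conversation, and a payment request that cannot wait. The following is an added example for this article (not code from the article or from KnowBe4) that scores an inbound message on those four indicators. The executive roster, internal domain and both sample messages are constructed and hypothetical; in production the roster would come from the directory and the check would run in the mail gateway rather than over raw text.

```python
"""Score an inbound message for business email compromise (BEC) indicators.
Added example for this article, not code from the article or KnowBe4. The
executive roster, internal domain and the two sample messages are constructed
(hypothetical names and domains)."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                    # assumption
# Display names attackers spoof most, mapped to the genuine address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumption
URGENCY = re.compile(
    r"\b(urgent|immediately|wire|transfer|invoice|payment|confidential)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike sender domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 822 message (empty = none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Display-name impersonation: an executive's name on an address that is not theirs.
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr.lower() != genuine:
        findings.append(f"display name '{name}' but sender is {addr}, not {genuine}")

    # 2. Lookalike domain: one or two edits away from an internal domain.
    for dom in INTERNAL_DOMAINS:
        if from_dom != dom and 0 < levenshtein(from_dom, dom) <= 2:
            findings.append(f"lookalike sender domain {from_dom} (resembles {dom})")

    # 3. Reply-To on a different domain than From: replies go to the attacker.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    # 4. Payment pressure language in the body (two or more distinct cue words).
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    words = {w.lower() for w in URGENCY.findall(body)}
    if len(words) >= 2:
        findings.append(f"payment/urgency language: {sorted(words)}")
    return findings


# Constructed sample messages (hypothetical senders and domains).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@fast-mail.example.net
To: accounts@example.com
Subject: Urgent vendor invoice

I am in a meeting and need this invoice paid immediately. Please wire the
payment today and keep it confidential until I confirm.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch Friday

Are we still on for the team lunch on Friday?
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bec_indicators(text))
```

None of the four indicators is conclusive on its own (executives do mail from personal accounts, and finance really does get urgent invoices), which is why a gateway scores and combines them; the lookalike-domain check is the one that would have fired on the fake hardware vendor described above, and the Reply-To check catches the common variant where the From header is a genuine but hijacked account.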
3. Deepfakes create deeper challenges
While social media enthusiasts treat deepfake videos as entertainment, hackers and cybercriminals see them as an opportunity to manipulate information, destroy credibility, and impersonate trusted sources. The real impact of deepfakes has yet to be measured, but the technology is already good enough to fabricate a voice or video message from a known executive and use it to scam a business. Nation-state attackers can create fake viral videos of politicians, spread disinformation, manipulate sentiment, spark outrage and hatred, and even destabilize governments. Experts recently ranked deepfake technology as the most worrying use of artificial intelligence for its potential in cybercrime and terrorism.
4. Nation-state attackers with social engineering in their arsenal
Data is the new oil, and that is why rogue nations keep upping the ante in cyberwarfare. Whether it's stealing Covid-19 research or conducting reconnaissance on high-value targets, state-sponsored attacks are growing fast. Between July 2019 and June 2020, Microsoft reportedly sent 13,000 notifications warning account holders of state-sponsored attacks. Google's Threat Analysis Group recently identified North Korean hackers posing as cybersecurity bloggers and researchers to target security researchers on LinkedIn and Twitter. In July 2020, Twitter employees were the target of a co-ordinated phone-based spear-phishing attack that let the attackers take control of high-profile accounts and tweet on their behalf; that attack turned out to be the work of individuals rather than a state, but it shows how far a few convincing phone calls can get against a large company. It is estimated that almost 12% of all attacks on Industrial Control Systems (ICS) originate from nation-state attackers.
5. Expanding Phishing-as-a-Service market
From ransomware to malware infections that start with someone clicking a bogus URL, visiting a fake website, or opening a malicious attachment, phishing is one of the most common and most potent forms of social engineering. The growth of Phishing-as-a-Service has significantly lowered the bar for anyone looking to enter cybercrime. Just as the Software-as-a-Service (SaaS) model lets consumers use cloud applications for a monthly or annual subscription, phishing toolkits can be rented from organized crime syndicates and established hackers for as little as $50 a month. Phishing kit sales grew by 120% in 2019, and the average price of a kit more than doubled because of the demand. The start of 2021 saw the emergence of a new cybercrime tool, dubbed LogoKit, that builds a phishing page tailored to the victim's company in real time and has already been detected on more than 700 domains.
User awareness is no longer optional – it’s a strategic imperative
It's clear that social engineering attacks are becoming more convincing and more successful with each passing day. Now more than ever, users need to keep their guard up and take nothing at face value. Studies have shown that the probability of a successful social engineering attack drops significantly when users undergo security awareness training and build the muscle memory to spot red flags and security anomalies. The social engineering minefield is vast, and the most effective way for any business to achieve cyber resilience is to build and maintain a culture of cybersecurity.
About the Author
Stu Sjouwerman is the founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with over 35,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. Stu is the author of four books, his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at [email protected].
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.