New report reveals threat actors’ top social engineering tactics and campaigns

Cybersecurity researchers at Proofpoint have released ‘The 2022 Social Engineering Report‘, which analyses key trends and techniques of socially engineered cyberthreats observed over the past year.

Social engineering is a component of nearly every threat actor’s toolbox who uses email as an initial access vector. From financially motivated cybercrime, to business email compromise fraud, to advanced persistent threat actors, Proofpoint has observed countless tactics, techniques, and procedures relying on humans’ fundamental propensity to open and respond to emails.

As people get better at identifying potential threats in their inbox, threat actors must evolve their methods. And that means leveraging behaviors that may be antithetical to how people expect threat actors to behave. With half of UAE chief information security officers considering human error to be their organisation’s biggest cyber vulnerability, security awareness education across the organisation should be a priority.

The latest social engineering report highlights some common misconceptions people may have about how criminal or state actors engage with them, including: threat actors may build trust with intended victims by holding extended conversations; they expand abuse of effective tactics such as using trusted companies’ services; leverage orthogonal technologies, such as the telephone, in their attack chain; know of and make use of existing conversation threads between colleagues; and regularly leverage topical, timely, and socially relevant themes.

Sherrod DeGrippo, vice president, Threat Research and Detection, Proofpoint, said: “Despite defenders’ best efforts, cybercriminals continue to defraud, extort, and ransom companies for billions of dollars annually. The struggle with threat actors evolves constantly, as they change tactics to earn clicks from end users. Security-focused decision makers have prioritised bolstering defences around physical and cloud-based infrastructure which has led to human beings becoming the most relied upon entry point for compromise. As a result, a wide array of content and techniques continue to be developed to exploit human behaviors and interests.”

The report looks at what services are frequently abused, such as Google Drive or Discord; how Proofpoint sees millions of messages directing people to make phone calls as part of the attack chain; and why techniques like thread hijacking can be so effective.

The driving force behind the widespread use of social engineering is the fact that it is effective – despite defenders’ best efforts, cybercriminals continue to be successful at exploiting the human element to recognize financial gain. This is unlikely to change any time soon. The most sophisticated criminal organisations have evolved to mirror legitimate businesses and as a result have scaled to become more resilient while also recognizing greater profits than ever before. Until some factor creates a situation where the path of least resistance to monetisation is not a person, threat actors will continue to capitalise by preying on human behaviours, instincts, and emotions.

Organisations must ingrain in their users the idea that malicious activity is regular, even inevitable. As this becomes more widely accepted and reporting/clearing pipelines for threats become more well-established within workflows, threat actors should have a progressively more difficult task in exploiting the human element.

Read: Here’s how to build a cyber resilient organisation