Social engineering is part of the toolbox of nearly every threat actor who uses email as an initial access vector. From financially motivated cybercrime, to business email compromise (BEC) fraud, to advanced persistent threat (APT) actors, Proofpoint has observed countless tactics, techniques, and procedures relying on humans’ fundamental propensity to open and respond to emails.
As people get better at identifying potential threats in their inbox, threat actors must evolve their methods. And that means leveraging behaviours that may be antithetical to how people expect threat actors to behave. In our latest social engineering report, Proofpoint researchers analyse key trends and behaviours in social engineering throughout 2021 that highlight some common misconceptions people may have about how criminal or state actors engage with them, including:
- Threat actors may build trust with intended victims by holding extended conversations
- Threat actors expand abuse of effective tactics such as using trusted companies’ services
- Threat actors leverage orthogonal technologies, such as the telephone, in their attack chain
- Threat actors know of and make use of existing conversation threads between colleagues
- Threat actors regularly leverage topical, timely, and socially relevant themes
The 2022 Social Engineering report looks at what services are frequently abused, such as Google Drive or Discord; how Proofpoint sees millions of messages directing people to make phone calls as part of the attack chain; and why techniques like thread hijacking can be so effective.
The driving force behind the widespread use of social engineering is that it is effective: despite defenders’ best efforts, cybercriminals continue to succeed at exploiting the human element to realise financial gain. This is unlikely to change any time soon. The most sophisticated criminal organisations have evolved to mirror legitimate businesses and, as a result, have scaled to become more resilient while also realising greater profits than ever before. Until some factor creates a situation where the path of least resistance to monetisation is not a person, threat actors will continue to capitalise by preying on human behaviours, instincts, and emotions.
Organisations must ingrain in their users the idea that malicious activity is regular, even inevitable. As this becomes more widely accepted and reporting/clearing pipelines for threats become better established within workflows, threat actors should find it progressively more difficult to exploit the human element.