Social engineering is not a new concept; in fact, it was said to have originated in 1184 BC with the legendary tale of the Trojan Horse. But since the evolution of technology, we've come a long way from hiding in wooden horses…
Even as far back as the 1960s, phone phreaks we're having fun as the originators of the first landline pranksters, hacking into the phone systems just for fun. Today, modern-day social engineers take to the computer and the World Wide Web to launch large-scale cyberattacks on multi-million dollar enterprises and single individuals alike.
Over three decades ago, Kevin Mitnick led the movement to popularize digital social engineering at its rise— and is now one of the leading experts on social engineering. But today’s digital threat landscape is shifting the future of social engineering as we once knew it.
Here are three ways social engineering attack tactics are rapidly changing and some things to look out for as the practice continually evolves:
Before the rise of social media, social engineers had to jump through more hoops to locate free open-source intelligence (OSINT) to create clever narratives to deceive their victims. From scouring phone books and instructional catalogs to calling into businesses to get names of those within the company structure (AKA, voice phishing or vhishing), social engineers had to do a lot of preliminary research before actually launching their attack.
Today, public information about individuals and businesses alike is accessible to anyone with an internet connection. From social media platforms to online public records and digital phone books, information is much more readily available than it once was.
Whether it be the email that is connected to user profiles which can provide access to more intimate data or the simple act of “checking in” to various locations via social platforms that convey when individuals are not home to commence home burglaries, the popularity of social media has shifted not only the abundance of freely sharing information but the accessibility of that information to social engineers. Bad actors also use networking platforms like LinkedIn to discover the hierarchy within a company’s hiring structure to target recently hired employees— impersonating managerial staff to get employees to grant them access to the corporate network.
WHAT YOU CAN DO TO PREPARE: To protect yourself from this evolving social engineering tactic, be sure to visit the privacy settings on both your personal and business social media accounts.
Famous “new age” examples of social media social engineering attacks are more rampant in the media than you might think. The recent 2020 Twitter Bitcoin scam, for instance, proves that all social engineers need is a little open-source intelligence to compromise the accounts of leaders, celebrities, and major brands like former U.S. President Barack Obama, Elon Musk, and Apple.
In this case, all the culprit needed was some inside information on Twitter’s employees to make their way through the social media network’s internal systems and gain administrative access to high-profile usernames and passwords. After that, the false tweet requests for donations gained the cybercriminal over $100K in Bitcoin.
Even ten years ago, it was hard to impersonate someone’s voice and appearance online. Today, sophisticated technology makes it not only possible but in some cases, fairly convincing. That's why the FBI has issued an advisory warning about a foreboding increase in “deepfakes.”
Our partners at KnowBe4 explain it quite well, “Deepfakes are images, videos, audio, or text created via (artificial intelligence) AI to produce extremely convincing imitations of real people.” They're named for the deep learning artificial intelligence algorithms used to make them. All a bad actor needs to do is insert a few video and audio clips of the real person into software and artificial intelligence can screen and detect commonalities in movement and speech to replicate the example.
AI technology makes it possible to produce videos that look like a real person, opening a world of possibilities for cybercriminals to manipulate you online and across any device. From sending a voice memo that sounds like your boss asking you to transfer funds to a video recording of an IT personnel asking you to reset your password, the possibilities for future digital manipulation are becoming more and more sophisticated.
According to the FBI, as of March 2021, “Malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12-18 months.”
New-age social engineering schemes are costing major organizations thousands of dollars in damage and raising concerns over the effectiveness of modern-day multi-factor authentication (MFA) methods. Suddenly, voice or face recognition technology is at risk of compromise— and other forms of verification are necessary.
WHAT YOU CAN DO TO PREPARE: To better protect your organization, be sure to use one of these types of MFA instead.
Bad actors are using artificial intelligence programs to change the tone of their voice to mimic trusted figures over the phone. One U.K.-based energy firm's CEO fell for the tactful ruse, thinking he was talking to the chief executive of the firm’s German parent company, and transferred a large sum of money to the social engineer’s account. This new cunning technology is demanding a need for superior voice verification in the future.
While deepfakes can be videos, it takes a longer time for artificial intelligence to produce believable video spoofs of people than audio clips alone. Because the AI requires a batch of images and videos of the person it’s trying to imitate and much refinement, video deepfakes are not currently being used by modern-day social engineers— but there’s no telling how the technology will evolve in just a few short years.
In addition to using social media to find open-source information to use in cyberattacks, social engineers are also targeting your social accounts to gain access to other platforms. With more and more people allowing sign-ups and sign-ins through their Facebook login, for instance, users are giving bad actors one thing to hack to gain access to multiple web applications.
Inherently, web applications are more vulnerable than we think— with many developers not conducting thorough penetration tests often or at all. Cybercriminals may crack your password on an application and use it to get into all your accounts if you’re reusing or sharing access to login credentials. Pair this threat with the latest data breach scam, SIM swapping, and even your phone number isn’t a safe form of verification anymore.
WHAT YOU CAN DO TO PREPARE: Now more than ever, having multiple MFA methods is non-negotiable for businesses and personal account holders alike.
Social engineers don’t attack technical barriers. Instead, they target the people within your organization, using deceptive manipulation tactics to trick your team into granting them access to protected systems.
One of the most effective ways to protect your organization from clever social engineering breaches is to enroll them in proper security awareness training— and follow it up with social engineering testing services.
Learn more about the origins of social engineering and what you can do to educate your team on its dangers by reading and sharing our History of Social Engineering resource.