With today’s available technology, threat actors have become masterminds at exploiting vulnerabilities to steal private data, and sometimes, even gain system control of organizations. Not surprisingly, 98% of cyber attacks involve social engineering tactics.
But what is the definition of social engineering? Dictionary.com defines it as “a technique that uses psychological manipulation, fraud, or dishonesty” to get a victim (usually an employee) to disclose sensitive information or perform an action that would allow the social engineer to harm the targeted organization.
However, social engineering is an umbrella term that covers several ways cybercriminals use the human element of your business to launch an attack. Below, we’ll discuss the social engineering techniques to look out for in 2022, so you can take the proper steps to protect yourself, your employees, and your business.
Most Impersonated Companies
Typically, social engineering follows a pattern of discovery and investigation, deception, a targeted attack, and a quick retreat. After doing their homework, threat actors often deceive employees by impersonating a company or brand by using an authentic-looking email account or messenger ID to interact with their target.
We are seeing the continuous impersonation of well-known, enterprise companies including Google, Amazon, and WhatsApp for email-based threats including:
- Phishing
- Spear Phishing
- Whaling
These malicious emails that mimic trustworthy brands have been around for years and are here to stay. In addition to using well-known brands to trick employees, threat actors are employing newer, lesser-known tactics to get the upper hand this year.
Social Engineering Techniques and Types in 2022
Pretexting
Often used for phishing and other types of social engineering attacks, pretexting is when a social engineer uses a convincing story or purpose for getting what they need from a target. For example, a threat actor may pose as the CEO or administrator performing an evaluation and request an employee’s password from the employee.
This year, threat actors have taken over more than a dozen verified Twitter accounts to post malicious links claiming to be Moonbirds non-fungible token (NFT) releases. A Twitter user would believe that the link was real since it came from a “real” Twitter account, and proceed to make a payment directly to the threat actor.
BEC
Business Email Compromise (BEC) scams target companies who conduct wire transfers. The attacker poses as a colleague or boss in an SMS phishing technique. The FBI defines 5 major types of BEC scams:
- CEO fraud
- Account compromise
- False invoice scheme
- Attorney impersonation
- Data theft
According to The Record, members of the BEC cybercrime group known as SilverTerrier were arrested during the earlier months of 2022. They had launched several BEC attacks targeting employees within multiple companies.
Unfortunately, there are still plenty of other BEC-specific groups out there who have been actively scamming employees into gaining access to the wire transfer information of the organization.
Honeytraps
This romance scam has been increasing in popularity among social engineers because of the increased use of dating apps and social media for connecting with others. The attacker creates a faking profile with stolen or altered photos.
After building a relationship with their target, they will ask for gifts or money. They may even gain access to their victim's work log-in information through this false relationship.
Unfortunately, this happened to several men including two retired government employees in Himachal Pradesh. The threat actors lured these men with phone calls and video chats with hired women. The men were then blackmailed with altered clips of the videos. This honeytrap was especially vicious, as the Himachal Pradesh Police received 55 complaints for January and February of this year alone.
Watering Hole Attacks
With a watering hole attack, the goal is to gain access to the victim's computer and network by infecting a website the victim frequently visits. This is usually in the form of malicious javascript code that is injected when the user interacts with the website. Sometimes, users are directed to a fake version of the site where they are asked to enter their information, which goes directly into the hands of the threat actor.
<<Watering hole infographic if available>>>
Perhaps due to the increased use of watering hole attacks like the one that infected computers of users in Hong Kong with DazzleSpy, Forbes lists watering hole attacks as one of the top ten attack types to look out for this year. This could be a real threat to organizations that have employees who work from home using their less secure home computers and network.
Protect Your Organization From All Types of Social Engineering
With the number of new social engineering techniques appearing, it’s crucial to make sure your employees are equipped with cybersecurity awareness training so they can recognize threats and avoid rolling out the red carpet for social engineers to gain unauthorized access to your organization's systems and networks.
To find out about the history of social engineering, how to avoid becoming a victim, and what you can do to turn vulnerable, untrained employees into your greatest cybersecurity assets, explore our social engineering ebook today.