Social Engineering Trends in Cybersecurity
Cyberthreats continue to be a rising security issue, with new attack vectors appearing every day. Most cybercriminals rely on social engineering tactics because they prey on human desire, curiosity, fear, and urgency.
According to Jurgen Stock, Interpol Secretary-General:
“Cybercriminals are developing and enhancing their attacks at an upsetting rate, exploiting the uncertainty and fear caused by shaky economic and social circumstances.”
Consequently, cybersecurity professionals need to adapt to these evolving social engineering trends to protect their infrastructure and systems.
During the COVID-19 pandemic, most organizations experienced a rise in phishing attacks. Some cybercriminals even posed as World Health Organization agents to lure people into divulging sensitive information.
In 2020, phishing attacks rose 220% at the height of the COVID-19 pandemic. According to CBS News, 36% of successful corporate attacks involved phishing, an 11% rise over the previous year.
Let’s take a closer look at top cybersecurity trends for 2022.
Deep Fakes are a Deep-Seated Concern
The evolution of modern technology has brought about various innovations, and one in particular is causing an uproar in the cyberworld: deepfakes. They are one of the top cybersecurity trends for 2022. A deepfake uses AI technology to create fake videos, images, or audio recordings of real people.
Deepfakes are highly convincing, and as the technique advances it becomes harder to distinguish fake content from real. While deepfakes are still a new development in artificial intelligence (AI), both individuals and organizations should be careful, as they can play a major role in emerging cybercrime and fraud trends.
Attackers can use deepfake tech to create fake videos of top government officials, spread misinformation, encourage hatred, and manipulate sentiments. In 2020, the cost of a deepfake attack was estimated at around $250 million, even though the technology is still in its infancy.
There’s no denying that as deepfake tech evolves, cybercriminals will find advanced ways to use it against individuals and organizations.
Phishing-as-a-Service (PaaS) Ups the Ante
From clicking malicious links to downloading email attachments, phishing is one of the most widely used social engineering tactics. As cybersecurity advances, attackers devise more sophisticated ways to execute their phishing attacks.
Phishing-as-a-Service is among the newer cybersecurity industry trends that experienced social engineering attackers use to compromise organizations’ networks. Cybercriminals can now rent or buy phishing kits or tools to steal credentials and other confidential data.
Cyberactors can get phishing kits for as little as $20, while top-end offerings cost around $200. As the kits gained popularity, their price rose, to around $120 in 2019.
In October 2021, Microsoft published an investigation into the BulletProofLink PaaS that exploited over 300,000 sub-domains in a single campaign.
2021 saw the discovery of a new phishing kit, known as LogoKit, which automatically pulls the victim’s logo onto the malicious login page. The kit was detected on at least 700 domains that mimic and target services ranging from Adobe Document Cloud and SharePoint to Office 365 OneDrive, among many others.
Government-Sponsored Social Engineering Continues
Digital infrastructure is an integral part of a nation’s daily operations, so rogue nations are raising the stakes in cyberwarfare. This type of attack promotes a nation’s interests both at home and abroad. Attacks range from crashing a state’s website to sabotaging a country’s financial system.
Microsoft reportedly sent 13,000 notifications warning account holders of government-sponsored attacks between July 2019 and June 2020. The same tactic was reportedly used by Russian hackers to hack and leak emails from the Democratic National Convention to damage former American presidential candidate Hillary Clinton.
Government-backed hacking is also used in modern warfare. In addition to the real-life battles between armies, cyberspace battles between nations are also common.
Phishing Holds its Ground
Even with the emergence of new threats, phishing continues to be one of the most-used tactics by attackers to compromise systems. The COVID-19 pandemic resulted in an increase in phishing attacks for many reasons. These include the decrease of alertness in people working from home, exploiting virus fears, and vaccine-related scams. There are specific types of phishing we predict will become particularly potent in 2022.
Consent phishing is a social engineering technique that uses malicious apps to request users’ permission to access an organization’s network resources. Because these malicious apps don’t need to run code on the user’s device, they easily bypass endpoint security.
The attack on the SANS Institute in August 2020 is a good example of consent phishing. It resulted in the leakage of around 28,000 Personally Identifiable Information (PII) records: a malicious Office 365 add-on caused a staff email account to automatically forward emails to an attacker’s email address.
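The SANS incident above was discovered through the forwarding rule the malicious add-on created, which is the artifact a defender can hunt for. The following is an added example, not code from the original article: it scans mailbox-rule audit records and flags any rule or mailbox setting that forwards mail outside the organization. The sample records are constructed to resemble Microsoft 365 unified audit log entries, and the operation and parameter names used (`New-InboxRule`, `ForwardTo`, `DeleteMessage`, and so on) are assumptions for this illustration.

```python
"""Flag mailbox rules that auto-forward mail to external domains.

Added example (not from the original article). The records below are
constructed to resemble Microsoft 365 unified audit log entries; the field,
operation and parameter names are assumptions for this illustration.
"""
from typing import Dict, Iterable, List

# Operations that can create or change forwarding (assumed names).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Rule/mailbox parameters that carry a forwarding destination (assumed names).
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample audit records.
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.org",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "bob@example.org",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:bob.archive@example.org"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.org",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "erin@example.org",
     "Parameters": [{"Name": "Name", "Value": "Partner copy"},
                    {"Name": "RedirectTo", "Value": "partner@example.net"}]},
]


def normalise_address(value: str) -> str:
    """Strip the 'smtp:' prefix Exchange puts on proxy addresses, lower-case."""
    value = value.strip()
    if value.lower().startswith("smtp:"):
        value = value[5:]
    return value.lower()


def is_external(address: str, internal_domains: Iterable[str]) -> bool:
    """True when the address's domain is not one of the organization's own."""
    domain = address.rsplit("@", 1)[-1]
    return domain not in {d.lower() for d in internal_domains}


def find_external_forwarding(records: Iterable[Dict],
                             internal_domains: Iterable[str]) -> List[Dict]:
    """Return one finding per forwarding destination outside the organization.

    A rule that also deletes the original ("DeleteMessage" = True) hides the
    forwarded copies from the mailbox owner, so it is marked for triage.
    """
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for name in sorted(FORWARDING_PARAMS.intersection(params)):
            # Multi-valued parameters may be ';'-separated in exported logs.
            for raw in str(params[name]).split(";"):
                addr = normalise_address(raw)
                if addr and is_external(addr, internal_domains):
                    findings.append({
                        "user": rec.get("UserId"),
                        "operation": rec["Operation"],
                        "parameter": name,
                        "destination": addr,
                        "hides_copies": params.get("DeleteMessage") == "True",
                    })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_AUDIT_LOG, ["example.org"]):
        print(finding)
```

Run against the constructed log, the scan reports Alice's rule (external destination, originals deleted) and Erin's redirect to a partner domain, while Bob's forward to an internal address and Carol's move-to-folder rule are ignored. In a real deployment the same logic would be fed from the tenant's audit export, and external forwarding should additionally be blocked at the transport layer rather than only detected after the fact.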
Another phishing trend that organizations need to watch out for in 2022 is angler phishing. It involves contacting people on social media while posing as a company’s customer service agent. The fact that people seek help on social media makes this attack effective in luring users to divulge their credentials.
With social media use on the rise, organizations should expect an increase in angler phishing attacks in 2022. Attackers employ this tactic because it works: they create fake customer-support accounts in a company’s name and then wait for customers to ask for help.
Higher Education Institutions Secure Their Infrastructure
Higher education has been and will continue to be an appealing target for cybercriminals in 2022. Cybersecurity trends in higher education include the adoption of email security protocols. More and more institutions realize the importance of SPF, DKIM, and DMARC in securing the large amount of Personally Identifiable Information (PII), research data, and medical records they store and work with.
According to Microsoft Security Intelligence, the educational sector experienced more malware encounters than any other industry in the past 30 days alone. A 2021 survey carried out by Campus Technology claims that institutions that suffered cyberattacks spent an average of $366,000 for recovery. The survey also claimed that a third of these institutions spent a month or more to identify, deal with, and recover from the attack.
Attackers Target Managed Service Providers (MSPs)
MSPs always have access to their customers’ networks and systems. To provide this, MSPs rely on Remote Monitoring and Management (RMM) tools to access, manage, and control customer networks remotely. Attackers who compromise an MSP environment can abuse these same RMM tools for malicious remote access.
MSPs serve many clients across various industries, which makes them a high-value target. Attackers need only compromise one MSP to gain access to the information and digital assets of many businesses. For instance, if an MSP is held to ransom, the attacker can demand one huge payment from the MSP or smaller payments from each affected customer.
Managed service providers must have potent security systems to protect client data. For example, if the MSP fails to protect their infrastructure from phishing and spoofing via email security protocols (SPF, DKIM, and DMARC), the clients might experience phishing and spoofing attacks, spam flows, ransomware, and other dire outcomes.
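Both the higher-education section and the MSP section above point to SPF, DKIM, and DMARC as the protection against spoofed mail, but neither shows what the receiving side actually decides. The following is an added example, not code from the original article: a small DMARC evaluator that parses the sender domain's published policy, checks whether the SPF and DKIM results align with the `From` domain under strict or relaxed alignment, and returns the disposition a receiver would apply. The DNS records and messages are constructed, the domains are placeholders, and the SPF/DKIM results are assumed to come from an upstream verifier.

```python
"""Evaluate a message against the sender domain's DMARC policy.

Added example (not from the original article). DNS records and messages are
constructed; the domains are placeholders, and the authentication results
are assumed to come from an upstream SPF/DKIM verifier.
"""
from typing import Dict, Optional

# Constructed DNS TXT records standing in for real lookups.
DNS_TXT = {
    "_dmarc.example.org": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.org",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
}

# Constructed messages with the results an SPF/DKIM verifier would attach.
SAMPLE_MESSAGES = [
    # Legitimate mail: SPF passes for a bounce subdomain, DKIM signed by the org.
    {"from_domain": "example.org",
     "spf": {"result": "pass", "domain": "bounce.example.org"},
     "dkim": [{"result": "pass", "d": "example.org"}]},
    # Spoofed From header: SPF passes, but only for the attacker's own domain.
    {"from_domain": "example.org",
     "spf": {"result": "pass", "domain": "attacker.example"},
     "dkim": []},
    # Forwarded mail: SPF broken by forwarding, DKIM still aligns (relaxed).
    {"from_domain": "example.net",
     "spf": {"result": "fail", "domain": "example.net"},
     "dkim": [{"result": "pass", "d": "mail.example.net"}]},
    # Domain that publishes no DMARC record at all.
    {"from_domain": "nodmarc.example",
     "spf": {"result": "pass", "domain": "attacker.example"},
     "dkim": []},
]


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into its tags, filling in RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified here to the last two labels.

    Production code consults the Public Suffix List (e.g. 'example.co.uk').
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed matches org domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain: str, dns: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Find the DMARC record for the From domain, falling back to its org domain."""
    for candidate in (from_domain, org_domain(from_domain)):
        record = dns.get("_dmarc." + candidate)
        if record:
            return parse_dmarc(record)
    return None


def evaluate_dmarc(msg: Dict, dns: Dict[str, str] = DNS_TXT) -> Dict:
    """Return alignment results and the disposition the receiver should apply."""
    policy = lookup_policy(msg["from_domain"], dns)
    if policy is None:
        # No policy published: DMARC does not apply, mail is delivered as-is.
        return {"policy": None, "spf_aligned": False, "dkim_aligned": False,
                "dmarc_pass": False, "disposition": "none"}
    spf = msg.get("spf", {})
    spf_ok = (spf.get("result") == "pass"
              and aligned(msg["from_domain"], spf.get("domain", ""), policy["aspf"]))
    dkim_ok = any(sig.get("result") == "pass"
                  and aligned(msg["from_domain"], sig.get("d", ""), policy["adkim"])
                  for sig in msg.get("dkim", []))
    passed = spf_ok or dkim_ok   # DMARC passes if either identifier aligns
    return {"policy": policy["p"], "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": passed, "disposition": "none" if passed else policy["p"]}


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(message["from_domain"], evaluate_dmarc(message))
```

The second sample is the case that matters for the MSP scenario: SPF passes, because the attacker's own sending domain is correctly configured, but it does not align with the spoofed `From` domain, so the message fails DMARC and the receiver applies the published `p=reject`. The fourth sample shows the flip side: a domain that publishes no record gets no protection at all, however well its SPF is set up. The evaluator ignores the `pct` and `sp` tags for brevity; a production receiver must honour both.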
Business Email Compromise (BEC) Gets Expensive
According to the Federal Bureau of Investigation (FBI), Business Email Compromise is one of the most financially damaging online crimes. This attack leverages the fact that an organization depends on email to conduct business. Attackers impersonate legitimate business contacts to lure targets into transferring funds or granting access to sensitive company resources.
A 2021 Ponemon study reported that the average yearly cost of BEC phishing is $5.56 million. If it involves business leaders, the potential cost is estimated to be over $150 million.
Even if the risk doesn’t get top-level executive attention, the average total amount paid to BEC cybercriminals yearly is around $1.17 million. According to Gartner, BEC attacks will continue to double yearly through 2023, with a shocking average cost of $5 million to its victims.
Cryptocurrency and Social Engineering Go Hand in Hand
The cryptocurrency world has experienced a boom since the introduction of Bitcoin in 2008. Now, 1 BTC is valued at over $41,000 (it also certainly grew while editing this article). The excitement that cryptocurrency markets can generate massive profits has attracted newbies to the space in an extremely short period.
Even those who don’t understand how the market works end up investing without in-depth research. Social engineering takes advantage of people’s fear, partial knowledge, and greed for quick money. This leads aspiring crypto investors to chase fake promises through airdrops and giveaways. In 2021, cybercriminals took away $14 billion in cryptocurrency, and 2022 is going to see a growing trend in this sphere too.
As technology advances, attackers leverage the latest and greatest trends to make their social engineering tactics more convincing. Organizations must stay up-to-date with digital and social engineering protection trends so they can employ the best security practices to counter new attack types and methods.
It’s imperative to educate your employees on the social engineering tactics used by attackers to compromise network systems. Install sophisticated antivirus solutions on your networks, employ the latest email security protocols, and keep them updated at all times.