Social engineering is a component of nearly every threat actor’s toolbox who uses email as an initial access vector. From financially motivated cybercrime, to business email compromise (BEC) fraud, to advanced persistent threat (APT) actors, Proofpoint has observed countless tactics, techniques, and procedures relying on humans’ fundamental propensity to open and respond to emails.
As people get better at identifying potential threats in their inbox, threat actors must evolve their methods. And that means leveraging behaviors that may be antithetical to how people expect threat actors to behave. In our latest social engineering report, Proofpoint researchers analyze key trends and behaviors in social engineering throughout 2021 that highlight some common misconceptions people may have about how criminal or state actors engage with them, including:
- Threat actors may build trust with intended victims by holding extended conversations
- Threat actors expand abuse of effective tactics such as using trusted companies’ services
- Threat actors leverage orthogonal technologies, such as the telephone, in their attack chain
- Threat actors know of and make use of existing conversation threads between colleagues
- Threat actors regularly leverage topical, timely, and socially relevant themes
The 2022 Social Engineering report looks at what services are frequently abused, such as Google Drive or Discord; how Proofpoint sees millions of messages directing people to make phone calls as part of the attack chain; and why techniques like thread hijacking can be so effective.
The driving force behind the widespread use of social engineering is the fact that it is effective -- despite defenders’ best efforts, cybercriminals continue to be successful at exploiting the human element to recognize financial gain. This is unlikely to change any time soon. The most sophisticated criminal organizations have evolved to mirror legitimate businesses and as a result have scaled to become more resilient while also recognizing greater profits than ever before. Until some factor creates a situation where the path of least resistance to monetization is not a person, threat actors will continue to capitalize by preying on human behaviors, instincts, and emotions.
Organizations must ingrain in their users the idea that malicious activity is regular, even inevitable. As this becomes more widely accepted and reporting/clearing pipelines for threats become more well-established within workflows, threat actors should have a progressively more difficult task in exploiting the human element.