Cyber Criminals Refining Social Engineering Tactics


Attackers are improving their social engineering strategies by accounting for new developments in technology. Researchers at FireEye analyzed 1.3 billion phishing emails and identified three major trends in Q1 2019.

The first social engineering trend is that cyber criminals are increasingly using impersonation in their phishing attacks. Impersonation attacks in 2019 have increased 17% over Q4 2018, primarily imitating well-known brands. Attempts to spoof Microsoft accounted for nearly a third of these attacks.

More targeted CEO impersonation attacks are also on the rise, and organizations don’t understand the level of sophistication that these attacks use, such as targeting new users and departments within organizations. The danger is that these new users may not be prepared or have the necessary knowledge to identify an attack.

A second social engineering trend is the increased use of HTTPS for phishing sites, which jumped by 26% in Q1 2019. The SSL certificates that HTTPS requires are free and easy to obtain for any website. Since most browsers automatically flag non-encrypted connections as insecure, an SSL certificate is becoming an essential component for any site that wants its users to feel safe. This trend, coupled with the widespread misconception that an HTTPS connection alone is a sign of legitimacy, means that the use of HTTPS will continue to become a standard feature in phishing campaigns.

Finally, attackers are turning to cloud-based attacks using trusted services such as Dropbox, Google Drive, and OneDrive. By hosting malicious files on these services, attackers can send socially engineered links that don’t look suspicious to users and that can get through email filters.
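The three trends above can be turned into simple mail-triage signals. The following is an added example, not code from FireEye or from the original article; the brand and file-sharing domain lists, the finding labels and the sample messages are assumptions constructed for illustration, and it assumes plain-text message bodies.

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
import re

# Assumed lists for illustration; maintain your own in production.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "office.com"}}
FILE_SHARING = {"dropbox.com", "drive.google.com", "onedrive.live.com", "1drv.ms"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def on_domain(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw_email):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    # Trend 1: display name claims a brand the sending domain does not belong to.
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    findings = [f"brand-impersonation:{b}" for b in claimed
                if not on_domain(sender_host, BRAND_DOMAINS[b])]
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if on_domain(host, FILE_SHARING):
            # Trend 3: a trusted host with valid HTTPS says nothing about the file.
            findings.append(f"file-sharing-link:{host}")
        elif any(not on_domain(host, BRAND_DOMAINS[b]) for b in claimed):
            # Trend 2: the scheme is ignored on purpose; https:// clears nothing.
            findings.append(f"off-brand-link:{host}")
    return findings

# Constructed sample messages (not real traffic).
SAMPLE_SPOOF = """\
From: "Microsoft Account Team" <security@account-verify.example>
Subject: Unusual sign-in activity

Review your account: https://login.account-verify.example/verify
"""
SAMPLE_SHARE = """\
From: "Dana" <dana@partner.example>
Subject: Invoice

Invoice attached here: https://www.dropbox.com/s/EXAMPLE/invoice.pdf
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("share", SAMPLE_SHARE)):
        print(name, triage(raw))
```

Findings like these are inputs for review or user-facing banners rather than verdicts, since legitimate mail also carries file-sharing links.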

Most people assume that they’ll be able to spot a scam when they see one, so scam protection is not something they factor into their thinking. Employees who are expecting to be targeted by social engineering attacks will be far more vigilant as they carry out routine activities. Old-school awareness training does not hack it anymore. Your email filters have an average failure rate of 7-10%. Organizations need a secure human firewall as their last line of defense. Security awareness training can give your employees this increased alertness so that users can identify new social engineering attacks.