How attackers leverage social engineering for greater scamming success

According to Microsoft Digital Defense Report 2023 data, phishing attacks were the third most common threat vector last year, accounting for 25% of all successful attack notifications.

Part of what makes phishing attacks such a popular attack method is their use of social engineering to maximize success. Today, 90% of phishing attacks use social engineering tactics to manipulate victims into revealing sensitive information, clicking on malicious links, or opening malicious files. Oftentimes, these attacks will seek to influence victims by creating a false sense of urgency, pushing victims into a heightened emotional state, or capitalizing on existing habits or routines.

As organizations seek to defend against phishing and other common cyber threats, they will need to understand how attackers manipulate human behavior in order to reach their desired outcome.

How does social engineering work?

Generally speaking, social engineering attacks are a long con. These types of attacks can take months of planning and labor-intensive research as adversaries seek to build a strong foundation of trust with their victims. Once this trust has been established, social engineers can then manipulate victims into taking certain actions that would otherwise be out of character, such as clicking on a malicious email link. Oftentimes, attackers will manipulate certain human behavior levers like urgency, emotion, and habit to convince their target to behave a certain way.

Social engineering often starts with investigation. Adversaries identify their target and gather background information such as potential points of entry or the company's current security protocols. From there, the attacker focuses on establishing trust with the target, typically by spinning a story, hooking the target, and taking control of the interaction so it can be steered in a direction that benefits the attacker.

If the attacker knows their victim, they will be able to predict how that victim might respond to a time-sensitive request or a seemingly routine email from a service they already use.

For example, in early 2022, threat group Octo Tempest launched a series of wide-ranging campaigns that prominently featured adversary-in-the-middle (AiTM) techniques, social engineering, and SIM-swapping capabilities. They initially targeted mobile telecommunications and business process outsourcing organizations to initiate SIM swaps but later expanded to target cable telecommunications, email, and technology organizations. The threat group commonly launches social engineering attacks by researching the organization, identifying employees to impersonate, and using personally identifiable information about those employees to trick technical administrators into performing password resets and resetting multifactor authentication (MFA) methods. Octo Tempest has also been observed impersonating newly hired employees in an attempt to blend into normal on-hire processes.
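The help-desk pattern described above (an administrator, talked into it by a convincing caller, resets a password and then swaps the account's MFA method) leaves a recognizable trail in identity audit logs. The following is an added example of detection logic for that pattern; it is not Microsoft's code and does not reflect any real product's log schema. The event field names, the action names, and the sample records are constructed for this illustration.

```python
"""
Added example (not from the original article): correlate an admin-performed
password reset with an admin-performed MFA method change on the same account
inside a short window, the sequence attributed above to social-engineered
help-desk staff. Field names and sample records are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records. In practice these come from the identity
# provider's audit log; the field names here are assumptions, not a real schema.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:02:00", "actor": "helpdesk.alice", "target": "j.doe", "action": "password_reset"},
    {"ts": "2024-03-01T09:05:30", "actor": "helpdesk.alice", "target": "j.doe", "action": "mfa_method_removed", "detail": "authenticator_app"},
    {"ts": "2024-03-01T09:06:10", "actor": "helpdesk.alice", "target": "j.doe", "action": "mfa_method_added", "detail": "phone:ending-4821"},
    {"ts": "2024-03-01T09:15:00", "actor": "j.doe", "target": "j.doe", "action": "sign_in", "detail": "ip:203.0.113.7"},
    # Routine reset with no MFA change: must not fire.
    {"ts": "2024-03-01T10:00:00", "actor": "helpdesk.bob", "target": "m.smith", "action": "password_reset"},
    # MFA change a day after the reset: outside the window, must not fire.
    {"ts": "2024-03-02T11:00:00", "actor": "helpdesk.bob", "target": "m.smith", "action": "mfa_method_added", "detail": "phone:ending-9930"},
    # Self-service MFA change (actor == target): not an admin-performed reset, ignored here.
    {"ts": "2024-03-01T12:00:00", "actor": "k.lee", "target": "k.lee", "action": "mfa_method_added", "detail": "authenticator_app"},
]

MFA_CHANGE_ACTIONS = {"mfa_method_removed", "mfa_method_added"}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_suspicious_resets(events, window=timedelta(minutes=30)):
    """Return findings where someone other than the account owner reset the
    password and then changed an MFA method on the same account within
    `window`. Each finding also records the first sign-in after the MFA
    change, if any, so an analyst can check where the new session came from.
    """
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)

    findings = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        # Only resets performed by an administrator or help-desk actor count.
        admin_resets = [e for e in evs if e["action"] == "password_reset" and e["actor"] != target]
        for reset in admin_resets:
            t0 = _parse(reset["ts"])
            mfa_changes = [
                e for e in evs
                if e["action"] in MFA_CHANGE_ACTIONS
                and e["actor"] != target
                and t0 <= _parse(e["ts"]) <= t0 + window
            ]
            if not mfa_changes:
                continue
            last_change = _parse(mfa_changes[-1]["ts"])
            later_logins = [e for e in evs if e["action"] == "sign_in" and _parse(e["ts"]) > last_change]
            findings.append({
                "target": target,
                "reset_by": reset["actor"],
                "reset_at": reset["ts"],
                "mfa_changes": [(e["action"], e.get("detail")) for e in mfa_changes],
                "first_sign_in_after": later_logins[0].get("detail") if later_logins else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_EVENTS):
        print(finding)
```

The window is deliberately short because a legitimate, ticketed reset rarely needs the MFA method replaced minutes later; tune it to your help desk's real workflow and pair the finding with the caller-verification record for that ticket.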

Social engineers often seek to gain their target’s information over time. If the engineer can convince their target to willingly hand over seemingly innocent insights over a period of weeks or months, the engineer can then leverage this data to gain access to even more confidential information. Once they have what they need, the engineer will then disengage and bring the interaction to a natural end—sometimes without raising any suspicion for their target!

What can organizations do to protect against social engineering fraud?

While social engineering tactics are present across a wide range of attacks, they are especially prevalent in business email compromise (BEC). In 2022, the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center reported over $2.7 billion in adjusted losses due to BEC.

Company executives, senior leadership, finance managers, and human resources staff are frequent targets for BEC due to their access to sensitive information like Social Security numbers, tax statements, or other personally identifiable information. However, new employees are also at risk, as they may be less likely to question an unfamiliar email request or to know whom to verify it with. Some of the most common BEC attack types include direct email compromise, vendor email compromise, false invoice scams, and attorney impersonation.

So, what should companies do in response?

  1. Instruct users to keep their personal accounts separate and not blend them with work emails or work-related tasks. When employees register personal services with their work email, threat actors can impersonate those services in messages to the corporate mailbox to gain access to an employee's corporate information.
  2. Enforce the use of MFA across your enterprise. Social engineers typically seek login credentials; with MFA enabled, a stolen username and password alone are not enough to sign in. MFA is not a complete answer on its own, however: adversary-in-the-middle phishing can relay one-time codes and push approvals, and, as the Octo Tempest example above shows, attackers also talk help desks into resetting MFA methods. Prefer phishing-resistant methods such as FIDO2 security keys or passkeys, and require identity verification before help-desk staff reset a password or MFA method.
  3. Caution users against opening emails or attachments from suspicious sources. If a coworker or contractor sends a link that must be clicked urgently, employees should confirm with the sender through a separate channel (a phone call or chat, not a reply to the email) that they actually sent that message.
  4. Encourage employees not to overshare personal information or life events online. Social engineers need their targets to trust them for their scams to work. If they can find personal details from employee’s social media profiles, they can use those details to help make their scams seem more legitimate.
  5. Secure company computers and devices with antivirus software, firewalls, and email filters. In case a threat does make its way to a company device, you’ll have protection in place to help keep your information safe.

Social engineering is highly adaptable, and threat actors are constantly looking for new ways to manipulate their victims. However, by tracking threat intelligence and monitoring current attack vectors, businesses can harden defenses and prevent social engineers from using the same methods to compromise future victims.

To learn more about social engineering tactics and other threat intelligence insights, visit Microsoft Security Insider.
