Just when the public is becoming more cyber aware, malicious actors are getting more patient, socially-inclined and sophisticated in their approach

As people get better at identifying potential threats in their inbox, threat actors must evolve their methods.

Scams ranging from false advertisements (where victims are asked to download a mobile app in order to enjoy benefits) to business email/SMS compromise (where scammers impersonate business partners or employees to get victims to help with urgent payments) are now growing in sophistication, especially via social media communication platforms.

Other new tricks up the malicious actors’ sleeves are trending. Threat actors are:

  1. spending time building trust with intended victims by holding extended conversations
  2. expanding abuse of trusted services and brands, such as Google Drive and Discord (via files containing obfuscated Visual Basic Scripts), to lure victims
  3. leveraging technologies outside of computing devices in their attack chain: for example, leading victims to make verbal phone calls (to fake call centers or other impersonations)
  4. knowing of and making use of existing conversation threads between colleagues
  5. regularly leveraging topical, timely, and socially relevant themes, such as Squid Game lures

The general rule of thumb is not to assume that legitimate online services are safe, that scammers shy away from in-depth contact with victims or do not know their personal or work-based chat histories, or that phone calls are less risky touch points with scammers.

According to Sherrod DeGrippo, Vice President of Threat Research and Detection, Proofpoint, which shared the qualitative research insights, security-focused decision makers have prioritized bolstering defenses around physical and cloud-based infrastructure, which has led to human beings becoming the most relied-upon entry point for compromise. As a result, a wide array of content and techniques continue to be developed to exploit human behavior trends and interests.

“In this new report, Proofpoint researchers analyze frequently used social engineering techniques and look to debunk faulty assumptions made by organizations and security teams, which should be taken into account to better protect their employees against cybercrime,” DeGrippo said.