Social Engineering Attacks

We previously examined phishing attacks through the eyes of an attacker in Think Like A Criminal: How To Write A Phishing Email, to help you understand and protect against this email scam, which is to blame for over 90% of all cyberattacks against employees.

98% of all cyber attacks rely on social engineering, making it crucial that organizations of all sizes have accurate information on the topic and practical advice for protecting their users and key business assets against it. This article discusses the social engineering techniques attackers are employing to manipulate human psychology in 2023.

What Is Social Engineering & How Is It a Threat to My Business?

Social engineering was ranked #1 as the top attack in 2022 and refers to the use of deception to manipulate individuals into sharing confidential or personal information that can be used for fraudulent or malicious purposes. Criminals have been leveraging social engineering techniques for centuries; however, in recent years, the magnitude of this threat has increased exponentially. Threat actors can now obtain extensive information on targets by searching the Internet - relying heavily on widely-used social media platforms for their research.

Attack campaigns often prey on people’s inherent desire to help or leverage trust relationships built with a superior, colleague, partner or organization.

Like other cyber threats, social engineering attacks generally follow a standard lifecycle that can be broken down into four clearly defined steps:

1. Information Gathering: Threat actors identify a target, employ open-source intelligence (OSINT) techniques to gather as much information on the target as possible, and select the attack method(s) they will use.

2. Establish Relationship: Cybercriminals engage with the victim through targeted communications such as social media messages or spear phishing emails.

3. Exploitation: Attackers use the information and the relationship they’ve built with the target to gain a ‘foothold’ (e.g. by persuading the target to give away sensitive information).

4. Attack Execution: Threat actors perform the attack - carefully erasing any digital footprints (such as malware) in order to remain undetected.

9 Social Engineering Attacks Expected in 2023

Social engineering scams are highly successful because they exploit human nature. The nine types of social engineering attack most likely to wreak havoc on cybersecurity in 2023 include:

Phishing: A Favorite Lure Among Social Engineers 

Phishing is the most common type of social engineering attack used to gain access to account credentials, sensitive data, confidential business information, and funds. Phishing has dominated the email threat landscape for decades; however, with the recent increase in remote workers and the proliferation of popular cloud platforms like Microsoft 365 and Google Workspace, there has been a resurgence in phishing attacks. Unlike past phishing campaigns, modern phishing attacks are sophisticated, evasive, and rely heavily on social engineering to appear legitimate. These malicious scams carry serious consequences for businesses including data theft, financial loss, reputation damage, significant downtime, and, in many cases, permanent shutdown.

Brand Impersonation

Social engineering attacks may also impersonate well-known brands. These attacks are deployed via email, text, and voice messages, and take advantage of the fact that most people receive messages from major brands on a regular basis, eliminating suspicion when one extra message arrives.

Business Email Compromise (BEC)

Business Email Compromise (BEC) is a social engineering attack involving impersonating a trusted business contact to convince the target to pay a fake invoice, transfer funds, or disclose sensitive company information. BEC scams target executives and leaders, finance employees, HR managers as well as newly hired employees who lack experience. This makes it difficult for them to verify the sender’s legitimacy.
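A defender-side check of the kind a mail filter applies to the brand impersonation and BEC mail described above, added here as an illustration and not part of the original article: it flags a message whose From display name matches a protected executive or brand but whose sending domain is not one that name legitimately uses, and a message whose Reply-To points at a different domain than its From. The protected-name list, the domains and the two sample messages are constructed for the example.

```python
# Added example: display-name impersonation and Reply-To mismatch heuristics
# for BEC / brand-impersonation mail. All names, domains and messages are constructed.
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumed allow-list (constructed): display names an attacker is likely to
# borrow, mapped to the domains that may legitimately send under that name.
PROTECTED_NAMES = {
    "jane doe": {"example.com"},          # CEO of the fictional example.com
    "example bank": {"examplebank.com"},  # a brand users expect mail from
}

def normalize(name: str) -> str:
    """Fold case, accents, dots and spacing so look-alike spellings compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().replace(".", " ").split())

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impersonation_findings(raw: str) -> list[str]:
    """Return the heuristics that fired for one RFC 822 message; [] means none fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    key = normalize(name)
    if key in PROTECTED_NAMES and domain_of(addr) not in PROTECTED_NAMES[key]:
        findings.append(f"display name '{name}' sent from unexpected domain '{domain_of(addr)}'")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        findings.append(f"Reply-To domain '{domain_of(reply)}' differs from From domain '{domain_of(addr)}'")
    return findings

# Constructed sample messages: one genuine, one impersonating the CEO.
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nSee attached.\n"
BEC = ("From: Jane Doe <ceo.janedoe@webmail-example.test>\n"
       "Reply-To: payments@invoice-example.test\nSubject: Urgent wire\n\nPlease pay today.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("bec", BEC)):
        print(label, impersonation_findings(raw) or ["clean"])
```

In production the protected-name list would come from the directory and the brand list from the organization's vendors, and a hit would route the message to quarantine or a warning banner rather than to the inbox.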

Tailgating

Tailgating is a type of social engineering attack that involves an unauthorized person gaining physical access to an off-limits location, such as a password-protected area, where they might steal sensitive information, damage property, compromise user credentials or even install malware on computers.

Baiting Attacks

Baiting attacks involve storage devices that are sent to employees or left somewhere for them to find, in the hope that they will connect the device to their machine to see what is stored on it. Once an employee takes the bait and opens the fake content, which is typically designed to appear completely legitimate so as not to trigger suspicion, their machine becomes infected with malware.

Pretexting Attacks

Pretexting abuses the trust between the victim and someone the victim knows. Pretexting attacks tend to have a higher chance of success than attacks coming from unknown senders or callers because they are considerably harder for anti-spam filters to detect.

Shoulder-Surfing Attacks

Hybrid work environments have made shoulder-surfing attacks more relevant and dangerous. The goal is to catch a password being entered or some sensitive information being displayed on the screen. Shoulder-surfing attacks are also used to steal the PINs of ATM users. An attacker performing this technique waits in a public place, ready to position themselves behind an individual who is working remotely on their laptop or some other electronic device.

Quid Pro Quo

Quid pro quo social engineering attacks promise a financial reward to convince an employee to switch sides and perform a malicious action requested by the attacker. They can target not only current employees but also former ones, because many organizations don’t immediately delete or disable former employees’ accounts when their employment ends.

Watering Hole Attacks

As employees regularly visit certain websites to perform essential work-related tasks, a watering hole attack happens when an attacker infects a website to steal sensitive information or distribute malware. Attacks like these are difficult to defend against since their victims can’t directly influence the security of the infected website.

How Can I Defend Against Social Engineering Attacks?

The majority of social engineering attacks are so targeted and deceptive that it has become difficult to blame a user for falling for a scam. After all, even the most security-conscious individuals can be tricked by social engineering. Thus, defending against social engineering attacks requires a comprehensive, fully-managed email security solution capable of anticipating and blocking advanced and emerging threats in real-time and preventing all malicious mail from being delivered, creating a safeguarded environment around the user.

Additionally, users and organizations should use strong passwords for all accounts and be aware of the information they make publicly available online. We suggest checking websites for personal information that may be publicly available (like addresses, phone numbers, etc.), and requesting that it be removed. Websites like Have I Been Pwned, which notify users when their information is discovered online, can be helpful in monitoring the availability of your personal information on the Internet. 

Keep Learning About Social Engineering

People are not computers - but they can still be hacked through the use of social engineering tactics. Combating modern email threats that leverage social engineering techniques requires a fully-managed, all-in-one email security solution that safeguards the inbox against all fraudulent mail that could potentially lead to compromise.
