Social Engineering isn’t a new field of engineering. It’s a common thread in nearly all cyber attacks and something all employees – and everyone in general – need to be aware of. Social Engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Basically, that means a “victim” is convinced to do something or give up some critical piece of information that a cyber criminal can use against them. This includes convincing someone to click on a link, open an email attachment or provide requested information. The “tricks” rely on appealing to the person’s curiosity, greed, fears, sense of urgency or even compassion.
How many times have we warned children not to trust a stranger who asks them to “help find their lost puppy” or tells them “your mom wanted me to come pick you up” before putting them in their car and kidnapping them?
It’s the same in the cyber world, only more prevalent, especially since the risk of capture is so low and the reward so high.
These tactics are becoming more sophisticated, especially in the days of COVID-19, when more of us are working from home or are more vulnerable to scams involving stimulus checks and other forms of financial rescue.
The top social engineering trends that you should watch out for in 2021 include:
- Consent Phishing involves malicious apps that ask a user to grant them access to cloud services and other applications, from which the criminal can then reach other information in the cloud.
- Business Email Compromise (BEC) is a major money-maker for criminals. The criminal, posing as a reliable colleague, sends an email or other communication to the victim instructing them to send funds to a bank account that the criminal controls. The victim assumes the account and the transaction are legitimate, believing the request comes at the direction of an authorized co-worker. The average cost of this type of attack is $80,000 – and is going up every year.
- “Deepfakes” is a fairly new term that will become more prevalent as artificial intelligence matures. A deepfake is a video produced by using artificial intelligence to merge, replace or superimpose content onto another video, creating a fake and often controversial-looking video of a celebrity or politician. Someone sees the “video” and is curious to know more about the outrageous content. They click on it and the phishing attack is in motion.
- Nation-state actors are still, and always will be, a prime adversary in cyber crime. As more people interact online, nation-state actors pose as cyber security bloggers and target researchers on LinkedIn. From the theft of COVID-19 research to taking control of critical infrastructure control systems, nation-state attacks continue to grow.
- Phishing has continued to grow as an attack vector as users click on malicious links or attachments. It has become so profitable that phishing-as-a-service is now a booming business. Hackers don’t even have to create their own phishing campaigns. They can simply outsource them.
All of these social engineering trends point to one solution: EDUCATION! The more security awareness training that employees and other users have, the better prepared they are to avoid these traps and protect their information and your company.