Currently Popular Social Engineering Tactics
Criminals are exploiting new technology to launch updated versions of old attacks, according to Derek Slater at CSO. George Gerchow, CSO at Sumo Logic, told Slater that threat actors are sending spear phishing emails that impersonate real employees within the organization.
“It’s not easy to defend what you can’t see, and you are only as strong as the weakest link,” said Gerchow. “For example, there have been a plethora of targeted emails coming in that look like they are from your trusted partners but are in fact bad actors posing as employees you may know within your network.”
Gerchow added that attackers are putting more effort into making their social engineering techniques extremely convincing.
“Now we see these long, sophisticated attempts to build trust or relationships with some of our outbound-facing teams whose entire job is to help,” Gerchow said. “The bad actors have even posed as suppliers using our product with free accounts and have gone through use cases and scenarios to engage expertise within our company.”
Oz Alashe, CEO of CybSafe, told CSO that some attackers exploited the pandemic by sending malicious versions of remote work and collaboration tools.
“The threat actors send over a Visual Studio Project containing malicious code,” Alashe said. “The user self-runs the program, and their device is infected pretty quickly. This attack essentially exploits the desire or need to assist or help others with passion projects.”
Privacy expert Rebecca Herold told CSO that text message scams are also growing more widespread.
“We are becoming a society where a large portion of the population prefer communicating via text messages as opposed to phone,” Herold said. “People are now extremely used to communicating very confidential types of information via text.”
Gerchow concluded that training is an essential component of a comprehensive security posture.
“Training, awareness, self-reporting, and transparency will be the only way to scale security around these attacks,” Gerchow said. “Security needs to be approachable and, of course, log everything.”
New-school security awareness training can create a culture of security within your organization and enable your employees to thwart social engineering attacks.