Global Threat Landscape Report

The news is regularly filled with stories of companies that have been victims of cyberattacks, whether ransomware, data theft or denial of service. And nearly all of these attacks have a common origin: social engineering.

The information used to gain the trust of a potential victim is often purchased on the Dark Web—specialized criminal networks on the internet that require specialized software, configurations, or authorization to access. These online criminal forums and shopping sites sell credit card information, medical records, social security numbers, and other personally identifiable information (PII) stolen from organizations that did not properly secure the digital information of their customers or clients.

Such information is readily available, and the attackers’ motivation isn’t trivial: in 2020, data breaches cost organizations, on average, $3.86 million apiece.

Profile of a social engineering attack

Social engineering attacks offer a high-impact, low-cost method to commit cybercrime. Cybercriminals use this strategy because they operate with goals similar to legitimate businesses: they want to maximize profit while reducing operational costs. And thanks to the growing number of “as-a-Service” criminal offerings on the Dark Web (where unskilled criminals simply rent attack software from skilled hackers in exchange for a percentage of any profits), social engineering is ideal for meeting those objectives.

Most successful social engineering attacks prey on people’s emotions. As a result, they often revolve around events with a lot of emotional baggage, ranging from major sporting events to tax season to the current pandemic. When overwhelmed with feelings such as fear, anxiety, empathy, or even enthusiasm, people often make rash decisions.

At the start of the pandemic, for example, cybercriminals exploited these emotions to launch a series of highly successful phishing attacks, pretending to offer critical information from trusted sources like the World Health Organization (WHO) or the Centers for Disease Control (CDC) about vaccines, medical supplies or how to remain safe. Cybercriminals have also impersonated companies, including banks, stores, government agencies, and even the end user’s own employer, claiming to provide critical information about doing business during COVID-19 that affected the recipient personally.

2020 was a banner year for cybercriminals, and so far 2021 has a good chance of repeating that damage; we are already seeing return-to-work scams, for example. Part of their success has been the ability of cybercriminals to switch up their tactics to stay timely. Since so many organizations began educating end users against opening email attachments, many cybercriminals have switched to web-based attacks. A recent FortiGuard Labs Global Threat Landscape Report found that variants of web-based phishing lures and scams sat firmly atop the list of criminal methodologies, only dropping out of the Top Five in June, when the focus briefly switched back to email.

What cybercriminals do when social engineering doesn’t work

Of course, social engineering is not the only tool in the cybercriminal’s toolkit. Attack techniques continue to evolve and become more sophisticated, giving cybercriminals a vast toolkit to use to exploit users. Here are some additional techniques to look out for, some of which are not password-related:

  • Bluetooth skimmers: The new generation of credit card skimmers are Bluetooth-enabled and readily available on the Dark Web. Once an attacker has installed one on a gas pump or similar payment terminal, they only need to drive past the location, turn on a laptop or use a smartphone, download the captured card data and drive away. They never have to touch the device again or risk getting caught retrieving it.
  • Smishing and vishing: Forms of phishing that target phones and mobile devices are also on the rise. Vishing uses phone calls to solicit PII; smishing attempts the same via text message. Online shoppers, for example, may receive fraudulent text messages that appear to come from retailers but contain malicious links.
  • Key logging: By installing key logging software on a victim’s machine, usually resulting from an email phishing attack, a cyber adversary can capture usernames and passwords from various accounts.
  • Traffic interception: Criminals use software to monitor and capture network traffic that contains password information. This is especially effective if the traffic is unencrypted or uses weak encryption algorithms.
  • Man-in-the-middle: By impersonating a WiFi access point, setting up a legitimate-looking website, or distributing a fake application, an adversary can insert themselves between their victim and their intended website or application. These strategies allow the attacker to either monitor traffic between a user and a legitimate account, or capture their username and password when they attempt to access an account through a fake website or application mimicking a legitimate service, such as a bank.
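The web-based lures and fake sites described above usually hang off a domain that merely resembles the real one: a digit swapped for a letter, a Unicode character from another script, or the real brand pushed into a subdomain of an unrelated registrable domain. The following is an added example (not part of the original article or of any Fortinet product) of a small lookalike-domain check a mail or proxy filter could run on every link before a user clicks it. The protected-domain list, the homoglyph table and the sample URLs are constructed for the example; a real deployment would load the organization’s own domains and use a proper public-suffix list.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed list of domains worth protecting. A real filter would load the
# organization's own domains and the services its users log in to.
PROTECTED_DOMAINS = ("example-bank.com", "paypal.com", "microsoft.com")

# Digit/symbol-for-letter substitutions commonly seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "@": "a", "$": "s"})


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Sufficient for the .com/.net-style hosts
    used here; production code should consult the public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise(label):
    """Fold a label to plain ASCII so confusables compare equal to their targets:
    NFKD strips accents, non-ASCII (e.g. Cyrillic) is dropped, digit homoglyphs
    are mapped back, and the classic 'rn'->'m' / 'vv'->'w' pairs are collapsed."""
    ascii_label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return ascii_label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_url(url):
    """Return a list of reasons the URL looks like a lookalike of a protected
    domain. An empty list means none of the checks fired (it is NOT proof of safety)."""
    host = urlsplit(url).hostname or ""
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-encoded (IDN) host")
        try:
            host = host.encode("ascii").decode("idna")  # expose the Unicode form
        except UnicodeError:
            pass
    if not host.isascii():
        reasons.append("non-ASCII characters in host")
    candidate = registrable_domain(host)
    if candidate in PROTECTED_DOMAINS:
        return reasons  # the genuine registrable domain, whatever the subdomain
    cand_sld = normalise(candidate.split(".")[0])
    for brand in PROTECTED_DOMAINS:
        brand_sld = normalise(brand.split(".")[0])
        if brand in host:
            reasons.append(f"brand {brand!r} appears inside host {host!r} "
                           f"but the registrable domain is {candidate!r}")
        elif brand_sld in cand_sld and cand_sld != brand_sld:
            reasons.append(f"brand name {brand_sld!r} embedded in registrable domain {candidate!r}")
        elif edit_distance(cand_sld, brand_sld) <= 2:
            reasons.append(f"registrable domain {candidate!r} is within 2 edits "
                           f"of {brand!r} after homoglyph folding")
    return reasons


if __name__ == "__main__":
    # Constructed sample links, including a Cyrillic 'а' (U+0430) in place of Latin 'a'.
    for link in ("https://www.paypal.com/signin",
                 "https://paypa1.com/login",
                 "https://rnicrosoft.com/",
                 "https://paypal.com.secure-login.example/signin",
                 "https://p\u0430ypal.com/"):
        print(link, "->", analyse_url(link) or "no finding")
```

The check is deliberately conservative: it only ever says “this resembles something we protect”, and a clean result should still go through URL reputation and sandboxing. The `analyse_url` function returns its findings rather than printing them so it can be wired into a mail gateway rule or a SIEM enrichment step.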

Essential countermeasures

Create a strong password: The trick is to develop passwords that are difficult to forget and difficult to guess—even when someone has managed to gain access to intimate details of your life, like your mother’s maiden name, the street you grew up on, or the name of your first dog. When choosing a password, avoid using any of the following easy-to-guess information: birthdays, phone numbers, company information, movie titles, sports teams, pet names, colleges and college mascots, and simple obfuscations of a common word (“P@$$w0rd”). Length matters more than symbol-juggling: a passphrase of several unrelated words is both memorable and hard to guess, and no password should be reused across accounts, since a keylogger or intercepted login on one site otherwise unlocks the others.
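The advice above is easy to state and hard to enforce by hand, so here is an added example (not from the article or any Fortinet product) of how a registration or password-change handler can apply it: it undoes “leet” substitutions before comparing against a blocklist, so “P@$$w0rd” is recognised as “password”, checks for the personal details an attacker could look up, rejects dates and keyboard sequences, and offers a randomly generated passphrase instead. The blocklist and word list are constructed and far too small for real use; a deployment would use a breached-password corpus and a published diceware list.

```python
import math
import re
import secrets

# Constructed blocklist. In practice: a breached-password list plus company,
# product and mascot names from the article's list of things to avoid.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "football", "dragon", "summer"}

# Substitutions people believe make a word unguessable. Attackers' cracking
# rules apply exactly these, so we undo them before checking.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def deobfuscate(text):
    """'P@$$w0rd' -> 'password'."""
    return text.lower().translate(LEET)


def core_word(password):
    """Drop leading/trailing digits and symbols ('Summer2021!' -> 'summer'),
    then undo leet substitutions, to find the dictionary word underneath."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped.translate(LEET)


def has_sequence(password, n=4):
    """True if any n consecutive characters step by exactly one code point
    ('abcd', '1234', 'wxyz')."""
    return any(all(ord(password[i + k + 1]) - ord(password[i + k]) == 1
                   for k in range(n - 1))
               for i in range(len(password) - n + 1))


def weak_reasons(password, personal_terms=()):
    """Return the reasons a password is easy to guess (empty list = none fired).
    personal_terms: facts an attacker could learn about the user, e.g. pet,
    street, employer, college mascot."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    core = core_word(password)
    if core in COMMON_WORDS:
        reasons.append(f"common word {core!r} with trivial decoration")
    folded = deobfuscate(password)
    for term in personal_terms:
        t = deobfuscate(term)
        if len(t) >= 4 and t in folded:
            reasons.append(f"contains personal detail {term!r}")
    if re.fullmatch(r"(19|20)\d{2}|\d{6,10}", password):
        reasons.append("looks like a year, date or phone number")
    if has_sequence(password):
        reasons.append("contains a keyboard or alphabet sequence")
    return reasons


# Constructed word list (the EFF long list has 7776 entries; use that instead).
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "velvet", "canyon",
            "pixel", "lantern", "mosaic", "harbor", "tundra", "cobalt", "meadow",
            "quartz", "saffron"]


def passphrase(words=5):
    """Random passphrase drawn with the OS CSPRNG (secrets), never random.random."""
    return "-".join(secrets.choice(WORDLIST) for _ in range(words))


def passphrase_entropy_bits(words=5):
    """Entropy of passphrase(words): words * log2(len(WORDLIST))."""
    return words * math.log2(len(WORDLIST))


if __name__ == "__main__":
    for pw in ("P@$$w0rd", "Summer2021!", "Fluffy-street-42", "20011987",
               "correct-horse-battery-staple"):
        print(f"{pw!r}: {weak_reasons(pw, personal_terms=['Fluffy']) or 'no findings'}")
    print("suggested:", passphrase(), f"({passphrase_entropy_bits():.0f} bits with this tiny list)")
```

The entropy figure is the honest part of the output: with a 16-word list, five words give only 20 bits, which is why the real list needs thousands of entries. The checks are a floor, not a ceiling; a password that passes them can still be weak if it appears in a breach corpus.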

Use multi-factor authentication (MFA): Multi-factor authentication adds an additional step to the authentication process, such as a physical token or a mobile authenticator app. This means that a password alone, even if it has been compromised, is not enough to log in. Be aware that one-time codes can themselves be phished: a fake login page can relay the code to the real site in real time, and push prompts can be approved by a tired user. Where possible, prefer phishing-resistant methods such as FIDO2/WebAuthn hardware keys, which are cryptographically bound to the genuine site and cannot be replayed to it from an impostor.

Leverage cybersecurity training and education: As cyber threats evolve and bad actors develop new techniques to target individuals, users must remain cyber aware and stay up to date on the state of the threat landscape. There are numerous training courses that can be implemented by organizations and individuals at little cost to stay safe and secure. Some are even free.

A layered defense strategy that focuses on “zero trust” is best

A single line of defense is no longer effective at keeping advanced cyberattacks at bay. To truly ensure a strong security posture, multiple tactics are required. A combination of training, strong passwords backed by multi-factor authentication, and email security tools designed to spot and disable malicious email attachments and web links is a good start. Advanced endpoint security tools, including Endpoint Detection and Response (EDR) systems, are also advised, as they can detect and stop malware even after it has been installed on a system. These and similar strategies designed to see and stop attacks at every step in an attack chain are your best bet for protecting yourself and your organization from today’s cyber threats.

About the author

As chief of security insights and global threat alliances at FortiGuard Labs, Derek Manky formulates security strategy with more than 15 years of cybersecurity experience. His ultimate goal is to make a positive impact toward the global war on cybercrime. Manky provides thought leadership to the industry and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders, including law enforcement, who help define the future of cybersecurity. He is actively involved with several global threat intelligence initiatives, including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST, all in an effort to shape the future of actionable threat intelligence and proactive security strategy.