Social engineering attacks getting smarter 

by Kalpana Sudharsan, Senior Director – Quality, Zuci Systems

Social engineering attacks are on the rise and they are  becoming more sophisticated. With the constantly evolving  IT landscape, organizations need to be aware of the latest  trends in order to adequately protect their IT infrastructure. 

One of the latest trends is the use of AI and machine learning  to automate attacks. This is a major concern for organizations  because it allows attackers to bypass traditional security  measures. Another trend is the use of phishing attacks to  target specific individuals within an organization. Attackers  are using more personalized messages and threats in order to  trick people into giving up sensitive information. 

Organizations need to be aware of these trends and  implement proper cybersecurity measures to protect their  data and systems. Unlike other cyberattacks that are  tech-based penetration, social engineering mainly relies  on psychological manipulation to get victims to commit  security mistakes. For example, an attacker can befriend  one of the employees and trick them into clicking on  fishy links or resetting their password. This is still a  super traditional way of social engineering. Over time,  these attacks are getting smarter and trickier to  anticipate. 

According to Purplesec’s 2021 report, 98% of  cyberattacks rely on social engineering. These attacks  can be in all forms, including SMS, emails, direct  messages on social media, and even phone calls. In  today’s world, social engineering attacks have taken a  whole new avatar, or avatars if I may. Here are a few of  them: 

Permitted phishing 

Permitted phishing or consented phishing is on the rise.  As organisations are racing towards cloud adoption,  hackers are coming up with newer ideas to penetrate  their security systems to enter the cloud and steal  sensitive information. One of their ways is to plan fishy  mobile apps and seek permissions from users that give  them legal access to cloud services and applications.  However, these forms can be stopped in advance by  strengthening the cloud system and ensuring endpoint  security.  

Business Email Compromise (BEC) on the rise 

This is a highly damaging attack that has even grappled  tech giants like Facebook and Google. Here, cyber  attackers impersonate a trusted business contact. They  could disguise themselves as vendors, employees, or  third-party officials and target organisations to pay 

invoices, transfer funds and even give access to data or  intellectual property. A Gartner study stated that BEC  attacks will continue to double every year through 2023  at a staggering total cost of USD 5 billion to its victims. 

Deepfakes 

While the advent of social media grew its user base with  game-changing features, we also saw social media  influencers using deepfake videos as a form of  entertainment. However, this AI-driven feature could  turn extremely harmful as cybercriminals leverage these  features to threaten victims with their fake videos and  destroy their credibility or compel them to commit  fraudulent acts that can benefit the attacker. To give  context, attackers can use Deepfakes as an imposter in  digital identity verification. There have been instances  where hackers used Deepfakes to steal  cryptocurrencies since the system requires several  digital photographs of currency owners in their account  recovery process. 

Targeted phishing  

Targeted advertising has become an everyday part of life  where brands are using customer data to find potential  customers and directly reach out to them with lucrative  offers or deals. Data of credentials are dumped on dark 

web in enormous numbers and can be leveraged to  personalise attacks on individuals. The credential could  involve health records, government records, criminal  records, and also educational records among others.  This kind of data dump is a goldmine for criminal-minded  attackers to design campaigns that specifically target  individuals and appear to be authentic and realistic. Such  planned attacks could prove highly detrimental resulting  in financial, career, or even credibility loss.  

The fact that such extreme attacks are on the rise, does  not mean that organisations cannot fight them. With  rising tech adoption, it is crucial for companies to realise  the threats that such agile and ease-giving technologies  possess. Companies have to keep up with evolving  attacks to survive them and make it out alive. The adage  ‘prevention better than cure’ can never be truer for  companies that seek to leverage the best of the  technologies while also laying the grounds for an  impregnable security system.