Social engineering: Definition, examples, and techniques

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data. Train yourself to spot the signs.

Page 2 of 2

Social engineering attack trends are cyclical: particular lures come and go with regularity. For Nader Henein, research vice president at Gartner, the significant trend is that social engineering has become a standard element of larger attack toolboxes, deployed in combination with other tools against organizations and individuals in a professional, repeatable way. “Much of these capabilities, be it phishing or the use of deepfakes to convince or coerce targets, are being delivered in combination as-a-service, with service level agreements and support.” As a result, social engineering awareness and follow-up testing are increasingly required and present within security training at most organizations, he adds.

Jack Chapman, vice president of threat intelligence at Egress, points to a recent rise in “missed messaging” social engineering attacks. “This involves spoofing the account of a senior employee; the attacker will send a more junior colleague an email requesting that they send over a piece of completed work, such as a report,” he tells CSO.

To create additional pressure, the attacker will mention that the report was first requested in a fictional previous email, leading the recipient to believe that they’ve missed an email and haven’t completed an important task. “This is a highly effective way of generating urgency to respond, particularly in a remote work environment,” says Chapman. Furthermore, attackers are increasingly exploiting flattery to encourage recipients to click their malicious links. “A surprising trend we’ve seen is hackers sending birthday cards. Attackers can use OSINT to find out when their victim’s birthday is and send a link to ‘view a birthday e-card’ that is actually a weaponized phishing link. Often, the recipient doesn’t suspect a phishing attack because they’re too busy being flattered to have received a card on their birthday.”

According to Neosec CISO Renan Feldman, most social engineering attacks today leverage exposed APIs. “Most attackers are seeking access to those APIs rather than access to a device or a network, because in today’s world the business runs on application platforms. Moreover, breaching an API is much easier than penetrating an enterprise network and moving laterally to take over most or all key assets in it. Thus, over the next couple of years, it’s likely we will see a rise in single extortion via APIs. With more and more business data moving to APIs, organizations are tightening their anti-ransomware controls.”

Social engineering resources

A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.

Also worth checking out is the Social-Engineer Toolkit (SET), an open-source framework maintained by TrustedSec. SET automates penetration testing via social engineering, including spear phishing campaigns, cloning of legitimate-looking websites for credential harvesting, USB drive-based (infectious media) attacks, and more.

Another good resource is The Social Engineering Framework, maintained at social-engineer.org.

Currently, the best defense against social engineering is user education combined with layered technical controls that detect and contain the attacks users miss. Keyword detection in emails or phone calls can weed out crude attempts, but a skilled social engineer tailors the pretext to the target and will usually slip past it, so such filters should be treated as one signal among several, alongside checks on who the message actually came from, and users need an easy way to report anything that feels off.
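As an added example, not code from the article or from any vendor it mentions, the script below shows what a minimal triage heuristic for the two lures described earlier (the "missed messaging" impersonation of a senior colleague and the birthday e-card link) can look like, and why keyword matching alone is weak. It combines the cue phrases with a check that the sender's display name and address agree with a directory of people likely to be impersonated. The executive directory, the internal domain, the phrase weights, the threshold and the three sample messages are all constructed for this example.

```python
"""Triage heuristic for "missed messaging" and e-card lures.

Added example; everything below (directory, domains, weights,
threshold, sample messages) is constructed and illustrative.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed directory: display names an attacker is likely to spoof,
# mapped to the only address that name should legitimately send from.
EXEC_DIRECTORY = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}

# Cue phrases taken from the lures described in the text, with weights.
CUE_PHRASES = {
    "previous email": 3, "as i mentioned": 2, "missed": 2, "send over": 1,
    "asap": 2, "urgent": 2, "e-card": 3, "birthday": 2, "view your": 1,
}
W_IMPERSONATION, W_EXTERNAL, W_REPLY_TO, W_URL = 5, 1, 2, 1
THRESHOLD = 5
URL_RE = re.compile(r"https?://\S+")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> dict:
    """Score one RFC 5322 message; return score, findings and a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    haystack = (str(msg.get("Subject", "")) + "\n" + text).lower()

    score, findings = 0, []
    # Identity check: a known display name sent from the wrong address is
    # the strongest single signal, and one keyword filters never see.
    known = EXEC_DIRECTORY.get(display.strip().lower())
    if known and addr.lower() != known:
        score += W_IMPERSONATION
        findings.append(f"display-name impersonation: {display!r} from {addr}")
    if domain_of(addr) not in INTERNAL_DOMAINS:
        score += W_EXTERNAL
        findings.append(f"external sender domain: {domain_of(addr)!r}")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        score += W_REPLY_TO
        findings.append(f"Reply-To domain differs: {reply_to}")
    # Content cues: plain substring matches ("missed" also hits "dismissed"),
    # easy for a careful attacker to avoid, hence the low weights.
    for phrase, weight in CUE_PHRASES.items():
        if phrase in haystack:
            score += weight
            findings.append(f"cue phrase: {phrase!r}")
    if URL_RE.search(text):
        score += W_URL
        findings.append("contains a link")
    return {"score": score, "findings": findings, "suspicious": score >= THRESHOLD}


# Constructed sample messages (not real traffic).
LURE_MISSED = """\
From: "Jane Doe" <jane.doe@mail-example.net>
To: sam@example.com
Subject: Q3 report

Hi Sam, as I mentioned in my previous email, please send over the
completed Q3 report ASAP so I can take it to the board.
"""

LURE_ECARD = """\
From: "Greetings Team" <cards@ecard-greetings.example>
To: sam@example.com
Subject: Happy birthday, Sam!

Someone sent you a birthday e-card.
View your card here: https://ecard-greetings.example/view?id=123
"""

BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: sam@example.com
Subject: Lunch on Thursday

Are we still on for lunch Thursday? Thanks.
"""

if __name__ == "__main__":
    for name, raw in [("missed", LURE_MISSED), ("ecard", LURE_ECARD), ("benign", BENIGN)]:
        result = analyze(raw)
        print(name, result["score"], result["suspicious"], result["findings"])
```

The scoring deliberately weights the sender-identity mismatch far above any phrase, because the attacker chooses the words but cannot make a lookalike address equal the real one; a genuine executive mailing from a personal account will trigger the same finding, which is the kind of false positive a reviewer should expect and resolve out of band, exactly as the article suggests for suspicious requests.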

Copyright © 2022 IDG Communications, Inc.
