It\u2019s been a boom time for social engineering. Pandemic panic, desperation as income concerns grew, and worry over health and wellness made it easier for criminals to tap into fear.Social engineering, of course, means attacking the user rather than the computing system itself, trying to extract information or incite an action that will lead to compromise. It's as old as lying, with a new name for the computing age\u2014and that's a perfect metaphor for how social engineering tactics evolve."It's generally the same tricks wrapped up in new packaging\u2014and that's exactly what we are seeing,\u201d said Perry Carpenter, chief evangelist and strategy officer at KnowBe4, a security awareness training company.As security pros know, the packaging matters, and a familiar attack may slip through defenses in an unfamiliar guise.Here are some tactics social engineering experts say are on the rise in 2021.1. Malicious QR codesQR code-related phishing fraud has popped up on the radar screen in the last year.QR codes\u2014those machine-readable, black-and-white matrix codes arranged in a square\u2014have become an increasingly popular way for companies to engage with consumers and deliver services in the midst of COVID-19. For example, many restaurants\u00a0have ditched paper menus, and instead allow patrons to scan a QR code with their smartphone. Similarly, many Girl Scouts posted QR codes for no-contact ordering and delivery of cookies this spring.But many of the websites that QR codes send people to are operated by third-party vendors. When scanned, a malicious QR code can connect phones to a malicious destination\u2014just like clicking on a bad link. Same concept; new wrapper.\u201cPeople can become conditioned to just assume that the code and website is legit,\u201d said Carpenter.The \u2018delivery\u2019 methods for this social engineering tactic vary. Oz Alashe, CEO of U.K.-based security and analytics company CybSafe, said he has heard about leaflet drops in some neighborhoods with fraudulent codes that promise "Scan this QR code to have a chance of winning an Xbox.\u201d\u201cOften the code will lead to a dodgy site which downloads malware to their phone,\u201d said Alashe.2. Browser notification hijackWeb sites have for several years asked visitors to approve \u201cnotifications\u201d from the site. What was once a useful way to engage with readers and keep them up to date is now, of course, also a social engineering tool.\u201cThese are called push notifications, and they can be weaponized,\u201d said Carpenter. \u201cThe problem is that many users blindly click 'yes' to allow these notifications.\u201d While many users have learned some level of caution with web browsers, the notifications appear more like system messages from the device itself, rather than the browser.Even for users who don\u2019t blindly say yes, scammers find ways to install their notification scripts. Tactics include disguising subscription consent as another action, like a CAPTCHA, or switching the \u201caccept\u201d and \u201cdecline\u201d buttons on subscription alerts mid-action.Once the crook has a user\u2019s (ill-gotten) consent, they start inundating them with messages\u2014and the messages are usually phishing schemes, or scam notifications that contain malware.3. Collaboration scams With this social engineering tactic, cyber criminals target professionals in collaborative fields, said Alashe, including designers, developers, and even security researchers. The lure is an invitation that asks them to collaborate on work.Recent pandemic lockdowns and expanded work-from-home increased people's comfort with remote collaboration, so this tactic fit the times well.\u201cThe threat actors send over a Visual Studio Project containing malicious code. The user self-runs the program, and their device is infected pretty quickly. This attack essentially exploits the desire or need to assist or help others with passion projects,\u201d said Alashe.Tzury Bar Yochay, co-founder and CTO of security firm Reblaze, said examples of this attack are often well-crafted, showing great attention to detail.\u201cAttackers posed as active researchers and built social proof"\u2014with apparent third parties validating their research\u2014"using a blog including articles from industry sources as \u2018guest posts,\u2019 Twitter accounts, YouTube videos, LinkedIn, Discord, and more,\u201d he said. A suspicious target may be put at ease by this seemingly wide social footprint.4. Supply chain partner impersonationGeorge Gerchow, CSO at Sumo Logic, said attacks that exploit parts of an organization\u2019s supply chain are now a big problem.\u201cIt's not easy to defend what you can't see, and you are only as strong as the weakest link,\u201d said Gerchow. \u201cFor example, there have been a plethora of targeted emails coming in that look like they are from your trusted partners but are in fact bad actors posing as employees you may know within your network.\u201dGerchow said he first observed scam gift card offers presented to Sumo Logic employees, masked as incentives or thank-yous from the company\u2019s real business partners.But the attacks have become even more detailed over time.\u201cNow we see these long, sophisticated attempts to build trust or relationships with some of our outbound-facing teams whose entire job is to help. The bad actors have even posed as suppliers using our product with free accounts and have gone through use cases and scenarios\u00a0to engage expertise within our company.\u201dBy establishing these trusted relationships, the attackers\u2019 ultimate goal is to make standard social engineering tactics more effective, eliciting help in bypassing security controls, or sending along malware that will compromise the target company\u2019s systems.The headline-making attack on SolarWinds is an example of a supply chain attack\u2014in that case, a specific version called a vendor email compromise attack (VEC). As SolarWinds officials noted, an \u201cemail account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.\u201d5. Deepfake recordingsSocial engineers are now using deepfakes\u2014startlingly realistic recordings that use artificial intelligence to simulate a specific person\u2019s appearance or voice\u2014to trick victims into divulging information or performing an action that benefits the attacker.Reblaze\u2019s Bar Yochay said audio deepfake attacks\u2014in which the attacker uses a \u201ccloned\u201d voice that is nearly indistinguishable from a real person's voice to create a scam audio recording\u2014are a growing concern. One of the earliest successful examples came in 2019, when a fake recording of a CEO\u2019s voice was used to instruct an employee to immediately transfer money to an international account.\u201cThe recording was left as a voicemail to the subordinate, who obeyed the fraudulent instructions and sent $243,000 to the attackers,\u201d said Bar Yochay.Gerchow also said he has seen criminals use deepfake recordings to manipulate staff into sending money or offering up private information\u2014only audio recordings so far, but Gerchow believes video deepfakes are just a matter of time.\u201cTraining, awareness, self-reporting, and transparency will be the only way to scale security around these attacks,\u201d said Gerchow. \u201cSecurity needs to be approachable and of course, log everything.\u201d6. Text fraudWhile text has been a conduit for social engineering scams for a while, Rebecca Herold, an IEEE privacy and security expert, says texting tactics are up in prominence.\u201cWe are becoming a society where a large portion of the population prefer communicating via text messages as opposed to phone.\u00a0 People are now extremely used to communicating very confidential types of information via text,\u201d says Herold.Because grocery and food delivery has grown in the last year, delivery-related scam texts are up. \u00a0Other common lures include texts that promise information about COVID stimulus checks that link victims back to a website that looks like the IRS site and asks for sensitive personal information, such as a birth date and social security number.Herold said she has also seen text scams in which fraudsters impersonate the U.S. Department of Health and Human Services and tell victims they must take a "mandatory online COVID test" using a provided link.\u201cThen, like other scams, their personal information is taken and malware is often loaded onto their computing device,\u201d said Herold.As with QR codes, victims simply have not developed the level of awareness and caution needed.7. Typosquatting or lookalike domainsCarpenter said typosquatting\u2014or lookalike domains\u2014are often served up in a business email compromise (BEC) attack. Fraudsters impersonate legitimate domains in order to fool victims into thinking they are in a safe location.They do this with many tricks, including misspelling the domain (think Gooogle instead of Google) or adding a different top-level domain (.uk instead of .co.uk). Unlike the often sloppy versions from earlier days, today these sites may feature sophisticated designs, carefully detailed mimicry of legitimate sites, and sophisticated functionality.\u201cSocial engineering victims are usually tricked into either feeling psychological safety by their choice or into seeking psychological\u00a0safety in a way that will play into an attacker's hands,\u201d said Carpenter.Criminals set these sites not only to deliver malware, but also to capture credit card information or other sensitive data through fake login fields or other fake forms.