Social engineering is involved in the vast majority of cyberattacks, but a new report from Proofpoint has revealed five common social engineering assumptions that are not only wrong but are repeatedly subverted by malicious actors in their attacks.Commenting on the report\u2019s findings, Sherrod DeGrippo, Proofpoint\u2019s vice president threat research and detection, stated that the vendor has attempted to debunk faulty assumptions made by organizations and security teams so they can better protect employees against cybercrime. \u201cDespite defenders\u2019 best efforts, cybercriminals continue to defraud, extort and ransom companies for billions of dollars annually. Security-focused decision makers have prioritized bolstering defenses around physical and cloud-based infrastructure, which has led to human beings becoming the most relied upon entry point for compromise. As a result, a wide array of content and techniques continue to be developed to exploit human behaviors and interests.\u201dIndeed, cybercriminals will go to creative and occasionally unusual lengths to carry out social engineering campaigns, making it more difficult for users to avoid falling victim to them.Here are five social engineering misconceptions exacerbating attacks, as presented by Proofpoint.1. Threat actors don\u2019t have conversations with targetsThe notion that attackers do not invest time and effort conversing with victims to build rapport is flawed, according to the report. Proofpoint researchers observed multiple threat actors sending benign emails to kickstart conversations last year. \u201cEffective social engineering is about generating feelings within a user that mentally drive them into engaging with content. By sending benign emails with the intent to lure the user into a false sense of security, threat actors lay the groundwork for a relationship to be more easily exploitable,\u201d the report read.Proofpoint observed multiple business email compromise (BEC), malware distribution, and nation state-aligned advanced persistent threat (APT) campaigns using benign conversations to launch attacks, the latter including activity by threat actors TA453, TA406 and TA499.2. Legitimate services are safe from social engineering abuseUsers may be more inclined to interact with content if it appears to originate from a source they recognize and trust, but threat actors regularly abuse legitimate services such as cloud storage providers and content distribution networks to host and distribute malware as well as credential harvesting portals, according to Proofpoint. \u201cThreat actors may prefer distributing malware via legitimate services due to their likelihood of bypassing security protections in email compared to malicious documents. Mitigating threats hosted on legitimate services continues to be a difficult vector to defend against as it likely involves implementation of a robust detection stack or policy-based blocking of services which might be business relevant,\u201d the report read. Proofpoint\u2019s campaign-level analysis identified OneDrive as the most frequently abused service by top-tier e-crime actors, followed by Google Drive, Dropbox, Discord, Firebase and SendGrid.3. Attackers only use computers, not telephonesThere\u2019s a tendency to assume that social engineering attacks are limited to email, but Proofpoint detected an increase in attacks perpetuated by threat actors leveraging a robust ecosystem of call center-based email threats involving human interaction over the telephone. \u201cThe emails themselves don\u2019t contain malicious links or attachments, and individuals must proactively call a fake customer service number in the email to engage with the threat actor. Proofpoint observes over 250,000 of these threat types each day.\u201dThe report identified two types of call center threat activity \u2013 one using free, legitimate remote assistance software to steal money, and another using malware disguised as a document to compromise a computer (frequently associated with BazaLoader malware, often referred to as BazaCall). \u201cBoth attack types are what Proofpoint considers telephone-oriented attack delivery (TOAD),\u201d it added. Victims can lose tens of thousands of dollars to these types of threats, with Proofpoint citing one example of an individual losing almost $50,000 to an attack from a threat actor purporting to be a Norton LifeLock representative.4. Replying to existing email conversations is safeThe sense of trust and security surrounding existing email conversations is being exploited by fraudsters via thread or conversation hijacking, Proofpoint stated. \u201cAn actor using this method preys on the person\u2019s trust in the existing email conversation. Typically, a recipient is expecting a reply from the sender, and is therefore more inclined to interact with the injected content,\u201d it wrote.To successfully hijack an existing conversation, threat actors need to obtain access to legitimate users\u2019 inboxes, which can be obtained in various ways including phishing, malware attacks, credential lists available on hacking forums, or password spraying techniques. Threat actors can also hijack entire email servers or mailboxes and automatically send replies from threat actor-controlled botnets. \u201cIn 2021, Proofpoint observed over 500 campaigns using thread hijacking, associated with 16 different malware families. Major threat actors including TA571, TA577, TA575 and TA542 regularly use thread hijacking in campaigns.\u201d5. Fraudsters only use business-related content as luresWhile malicious actors will often target business workers, the assumption that they rely on business-related content as lures is incorrect, Proofpoint said. In fact, threat actors have been significantly capitalizing on current events, news and popular culture to get people to engage with malicious content. The report cited several campaigns from last year that took this approach, including:BazaLoader attacks leveraging Valentine\u2019s Day themes such as flowers and lingerieTA575 distributing the Dridex banking trojan using themes from Netflix show Squid Game targeting users in the U.S.Internal Revenue Service (IRS)-themed campaigns leveraging the idea that the potential victim was owed an additional refund to harvest a variety of personally identifying information (PII)An average of more than six million COVID-19-related threats per day throughout 2021Business must train employees on social engineering tactics, debunk misconceptionsGiven both the creativity of social engineering tactics and misconceptions around the methods fraudsters employ, organizations must engage with their workforce to raise awareness of the real threats social engineering poses and shift mindsets that may be vulnerable to exploitation. \u201cThe most impactful course of action, for any given organization, is to shift the culture toward a posture where identification of incoming threats is understood as both relevant and necessary. This means encouraging familiarization with the wide array of content threat actors may leverage and imposing few obstacles to more regular flagging of content as potentially malicious,\u201d Proofpoint\u2019s report read.For Raef Meeuwisse, cybersecurity consultant and author of How to Hack a Human: Cybersecurity for the Mind, employees need to be educated that the most convincing social engineering scams often appear just as authentic as a lot of what they interact with during genuine, day-to-day work \u2013 or potentially even more so. \u201cLapsus$ went as far as sending out real push mobile multi-factor authentication requests via the real security platform to real employees \u2013 and many of the rogue requests were approved by the recipients,\u201d he tells CSO.The best way to empower employees to spot social engineering is to make them alert to any situation that is causing sudden panic and urgency to act without delay, adding that if users experience these two symptoms together, 99.99% of the time they are in the middle of being scammed through social engineering, Meeuwisse says. \u201cAnd of course, employees should be trained to report potential social engineering activity to the incident response group, and if in doubt, to ask for their guidance.\u201dHowever, on the subject of debunking social engineering myths, Meeuwisse also advises businesses to recognize that risks do not always come from outside an organization. \u201cWhat gets forgotten about or completely sidelined are methods to report, check and monitor for people that have intentionally faked their way into a position to exploit an organization,\u201d he says. \u201cThis is a much bigger problem than many organizations think because substantial breaches caused by rogue insider actions are rarely revealed to the media, yet statistics flag rogue insiders as a big problem.\u201d If an organization does few to no background checks, has no mechanism for anonymous whistleblowing, or (in two cases he has seen) has a rogue insider in charge of vetting other rogue insiders, he says, then there is a large gap in their social engineering defenses.