Cancel Preloader
undraw_unlock_-24-mb

Rise in Social Engineering attacks as the world battles with Covid19 Pandemic

Cybercriminals have adapted and evolved in the way they carry out various attacks on information assets of respective business entities. Their techniques, tactics, procedures and methods of attack are constantly being re-invented with devastatingly increasing success rates. Social engineering seems to be the attack vector of choice for most malicious attacks that lead to a breach of data or a compromise of systems.

 

In the last year, a whopping 64% increase of breaches is attributed to being conducted with social engineering as the attack vector to gain initial access, as people continue to be the weak link. Social engineering is rather successful as it focuses on exploiting human curiosity, fear, desire, anxiety, eagerness, and urgency to help. From clicking a link, to opening an attachment, or being redirected to compromised websites where a users’ credentials could be captured, most recent attacks leverage some form of social engineering to successfully get access into your network or steal data.

 

In addition, the peculiar conditions presented by the Covid-19 pandemic which introduced dynamics that lead various organizations to adopt virtual/remote work strategies.

There has been a steady rise in cyber-attacks targeting organizations of all sizes or business industry globally. As more businesses adopt virtual/remote work strategies over the internet, emphasis will need to be made in order to effectively protect perimeter network boundaries and endpoints accessing private IT resources. (According to the IDC, 70% of successful breaches originate via legitimate endpoints). This unique opportunity for malicious actors exists due to organizations adapting to the current socio-economic landscape, thereby increasing the number of users that can be targeted by relying on less secure internet-provided services.

So you may ask ‘what then are the more prevalent social engineering attack methods seen amidst the Covid-19 pandemic’? They are;

Consent Phishing

With the sudden rise in online activity, not forgetting the mental anguish brought by the pandemic on people, the stage has been set for actors to perpetrate cybercrimes with much success. Phishing is a known social engineering technique but one trending variant is Consent Phishing that typically uses malicious applications that seek permission from users. A successful attempt would provide an actor with legitimate access to cloud services and applications. A threat actor would seek to access legitimate cloud services such as Microsoft 365 and other applications. This is more an application-based threat than leveraging an email for a conventional phishing attack. It is on the rise with more businesses moving data to the cloud. The SANS Institute attack of August 2020 may come to mind where about 28,000 personally identifiable records were breached. An employee’s email account automatically forwarded to an actor’s email address. Access was gained through a malicious Office 365 add-on. (More details on the report here: In its Data Incident 2020 – Indicators of Compromise).

Email Phishing

The use of phishing attacks leveraging emails as a vehicle to deliver malware or ransomware software is a more traditional method that has continued to yield more success unfortunately. Either credential phishing attacks or business email compromise attacks have led to well known breaches in most of 2020 and just the first half of 2021 alone. In such attacks the highlight has been a shift from previously known generic email subjects to very catchy and emotionally attractive themes surrounding the ongoing pandemic. Even the FBI and CISA in the USA have issued warnings about the trend, with the FBI considering Business Email Compromise (BEC) as one of the extremely damaging online financial crimes. According to Gartner, BECs will continue to double each year through to 2023 and predicts it will cost victims over $5 billion. In the context of email subjects, common tactics in the wake of the Covid19 pandemic used in phishing emails has been the impersonation of trusted sources providing information about the pandemic within the target’s organization. The attacker here is targeting the human nature of curiosity, fear, to gather information, often leading the victim to links that deliver malware or ransomware or redirect to malicious websites where credentials can be captured.


Phishing in all forms (Email phishing, Consent phishing, Spear phishing, Whaling, Smishing or Vishing, Angler phishing) continues to be the most potent form of social engineering attacks. User awareness is no longer optional. In fact, it is a strategic imperative and business risk that cannot be overlooked. Nothing can be trusted at face value and business stakeholders must bring all hands on deck to tackle the problem. For businesses and individuals, investing in Cyber Security Awareness Training can develop and sharpen the mind to identify any anomalies before they become business disrupting events. As organizations see the need to adapt to remote work, it is crucial that this shift is accompanied by cyber security education and the different forms of attacks that employees can be exposed to. Need to have a conversation? Contact MCI today to speak to a professional.