These Two Dangerous Social Engineering Attacks May Be Flying Under Your Radar

November 12, 2021

Protecting your business from cybercrime starts with protecting it from phishing, and in turn, social engineering. The driver behind many of today’s most dangerous cyberattacks, social engineering is powerful. It’s also growing easier for cybercriminals all the time as the world becomes more connected. Tumultuous world events are tailor-made opportunities for bad actors to launch phishing campaigns. From a fraudulent pandemic bulletin to a fake colleague’s sob story, cybercriminals will make use of any psychologically impactful factor that they can get their hands on to entice or bully their targets into taking an action that benefits the bad guys. It’s the X factor that makes phishing so successful for cybercriminals – and so problematic for businesses.


Every Phishing Attack Uses Social Engineering

Savvy cybercriminals will put time and effort into social engineering in order to perpetrate believable frauds that lure targets into a false sense of security. An estimated 98% of all cyberattacks rely on social engineering to get the job done. A phishing message doesn’t have to be sophisticated to use social engineering to drive the targets to action either. Cybercriminals are adept at using a variety of attention-getting lures to snag the unwary.

How do they do it? 

  • Preying on the target’s emotions by stoking fear or anxiety 
  • Exploiting natural disasters or emergencies like the global pandemic 
  • Evoking a false sense of security through nostalgia or brand reputation 
  • Creating boring, routine emails that don’t raise suspicion like a password reset request 
  • Simulating things employees deal with every day like system notifications 
  • Mimicking internally facing corporate emails that staffers will feel compelled to read 
  • Raising excitement or greed by promising the target a reward for following directions 
  • Imitating a business partner to persuade a victim to disclose proprietary information 
  • Posing as tech support to gain access to passwords 
  • Sending believable fake invoices and demanding payment from the target 

How well does social engineering work on employees? Unfortunately, it works extremely well, giving cybercriminals a lever to use in other damaging ways. An estimated 70 – 90% of breaches are caused by social engineering. It is the shining star in phishing operations, including two very specialized and extremely nasty attacks that might be flying under your radar.


Angler Phishing 

Angler phishing is a phishing attack that is conducted through the use of social media lures, like emails telling the target that they have been added in a photo or direct messaged by a recruiter. The goal of this type of phishing attack is to harvest credentials. Perpetrators of an angler phishing attack try to entice their targets to interact with a fake or spoofed login page for a social media site. The attackers then capture the information that the victim enters on the malicious page, often snagging a valuable password. 

A creature of the social media era, angler phishing has risen to prominence in the last decade. The preferred format for a malicious message using this technique is email, but it can also be conducted through messaging. LinkedIn messages are the most effective for cybercriminals with a 47% open rate.

Examples of angler phishing lures include:

  • Recruiters are looking at your profile!
  • You appeared in new searches this week!
  • Please add me to your LinkedIn network.
  • A new photo of you has been tagged on Facebook.
  • Someone sent you a direct message on Twitter.
  • See who is looking at your profile!
  • Join my network on LinkedIn!

The successful cybercriminal’s next step is to use the data that they’ve captured through angler phishing to launch other cyberattacks like an account takeover (ATO) or fraud like business email compromise (BEC). Sometimes, cybercriminals use the passwords that they’ve nabbed to access their victim’s social media accounts and go snooping, gathering information on the victim’s connections to facilitate spear phishing attacks.


Whaling/CEO Fraud 

Whaling is a highly specialized spear phishing attack that is crafted to serve one of two primary purposes: perfectly imitating a company executive in order to trick an employee into doing something, or fooling a company executive into thinking that the message is from a trusted source. The cybercriminals’ goal in a whaling attack varies accordingly based on the target. If this attack is launched against a mid- or low-level employee of a business, the goal is to lure the employee into performing an action like giving out a privileged credential, supplying sensitive information or transferring money to someone masquerading as a company executive. Social engineering is used in this style of whaling to make the targeted employee think that they could be in trouble for not taking the requested action – and nobody wants to displease the boss.

Alternately, cybercriminals also perpetrate whaling attacks against executives, sometimes called CEO Fraud. Those attacks also take advantage of social engineering in a number of ways. The targeted executive may not receive much unexpected, unvetted email, raising the chance that they’ll interact with the malicious message. Executives are also often able to circumvent policies and procedures, enabling them to order things like invoice payments quickly. The bad actors’ ultimate goal is to persuade executives that they’re a trustworthy business associate who is owed money or is privy to proprietary data.

Almost 60% of organizations say an executive has been the target of whaling attacks and in 46% of those the targeted executives fell for the bait. There’s a good reason for that: this type of phishing is extremely sophisticated, and it can be commensurately hard to spot. Highly specific lures are crafted for whaling attacks using personalized information about the target gathered from publicly available sources, harvested from social media sites and obtained from Dark Web markets and data dumps.  

Whaling lures can include: 

  • Email from the recipient’s bank, credit card company, or a similar source 
  • Invoices from contractors or freelancers 
  • Updates from a software vendor 
  • Charitable donation requests 
  • Messages from a fraternity/sorority
  • Fake political email from candidates or parties 
  • Attachments like PDF brochures that appear to come from trusted sources
  • Falsified notices from a government agency 
  • Spoofed messages from the recipient’s regular service providers, suppliers, or other vendors  

Whaling and CEO Fraud aren’t the most frequently conducted types of phishing because each operation takes extensive research and requires an extraordinarily high level of skill in crafting and delivery. That doesn’t mean this threat isn’t still extremely dangerous. Whaling grew by 131% between Q1 2020 and Q1 2021, for an estimated cost to businesses of just under $2 billion. It’s also a gateway to BEC, an attack the FBI categorizes as 64x worse than ransomware.
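Both attacks described above lean on the same trick: the message claims to be a social network (angler phishing) or a company executive (whaling/CEO fraud) while the real sending domain says otherwise. The following added example, which is not part of the original article, scores constructed sample messages on that mismatch; the brand domains, executive roster and internal domain are assumed values for illustration.

```python
import re
from email.utils import parseaddr

# Assumed values for illustration: brands whose notifications angler phishing
# imitates and the domains they are taken to send from, plus a constructed
# executive roster and company mail domain.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
    "twitter": {"twitter.com"},
}
EXECUTIVES = {"jane doe"}          # constructed: names a whaling message might borrow
INTERNAL_DOMAIN = "example.com"    # constructed: the organisation's own mail domain


def sender_domain(addr):
    """Return the lower-cased domain of the actual From address."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def impersonation_flags(display_name, from_addr, subject):
    """Return reasons a message looks like angler phishing or CEO fraud.

    Angler phishing: the text talks like a social network but the mail does not
    come from that network's domain. Whaling: the display name is an executive's
    but the address is outside the company. Both are display-name tricks, so the
    check keys on the real domain, not on what the sender claims to be.
    """
    flags = []
    domain = sender_domain(from_addr)
    claimed = f"{display_name} {subject}".lower()
    for brand, legit_domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", claimed) and domain not in legit_domains:
            flags.append(f"brand-impersonation:{brand}")
    if any(exec_name in display_name.lower() for exec_name in EXECUTIVES) \
            and domain != INTERNAL_DOMAIN:
        flags.append("executive-impersonation")
    # A display name that itself carries an address ("Jane Doe jane.doe@example.com")
    # while the real address lives elsewhere is another common display-name trick.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if m and m.group(1).lower() != domain:
        flags.append("display-name-address-mismatch")
    return flags


# Constructed sample messages, modelled on the lures listed in the article.
SAMPLES = [
    ("LinkedIn", "notifications@linkedin-alerts.example", "Recruiters are looking at your profile!"),
    ("LinkedIn", "messages-noreply@linkedin.com", "Join my network on LinkedIn!"),
    ("Facebook", "tag-notify@fb-photos.example", "A new photo of you has been tagged on Facebook."),
    ("Jane Doe", "jane.doe@webmail.example", "Urgent wire transfer before 5pm"),
    ("Jane Doe", "jane.doe@example.com", "Q3 budget review"),
    ("Jane Doe jane.doe@example.com", "ceo-office@webmail.example", "Need gift cards today"),
]

if __name__ == "__main__":
    for name, addr, subj in SAMPLES:
        print(f"{subj!r:50} -> {impersonation_flags(name, addr, subj) or 'clean'}")
```

A real deployment would feed the parsed From header of each inbound message through this check and route flagged mail for review rather than blocking outright, since a legitimate vendor or executive using an outside mailbox produces the same signal.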


Taking Sensible Precautions Against Phishing Now Saves Trouble Later

Stop phishing with Graphus – the most simple, automated & affordable phishing defense available. This 3-layer defensive dynamo stops messages like angler phishing and whaling attacks from reaching their targets with automated email security.

With Graphus, your incoming emails don’t just get compared to a generic safe sender list. It analyzes your company’s communication using over 50 data points, and content is just as important in its calculus as the sender and subject, unlike many conventional email security solutions.

Plus, automated email security solutions like Graphus stop 40% more dangerous email from entering your company’s environment, making your business more secure against today’s biggest cybersecurity risks.  

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.