The Rise of Social Engineering Success: What CISOs Need to Know
While traditional email security tools may be able to prevent the overwhelming majority of spam messages, phishing attempts, and other deceptive emails from ever reaching your inbox, these aren’t the only types of threats you need to worry about.
The truth is, targeted attacks—like business email compromise, supply chain fraud, ransomware, and account takeover—have greater potential to cause disastrous consequences for your company, despite the fact that you receive far fewer of them. And because they have few traditional indicators of compromise (like a malicious attachment or suspicious link), they also have a higher likelihood of being safely delivered.
As part of a recent webinar, I sat down with one of the leading voices in cybersecurity to talk about this evolving threat landscape. Here’s what you need to know about it and which steps every business can (and should) take to reduce the risk of falling victim to these modern email attacks.
Email Is Still the Primary Attack Vector
Although real-time collaboration tools like Slack and Microsoft Teams have skyrocketed in popularity over the past two years, email remains the go-to channel for asynchronous communication. And because our universal dependence on email is unlikely to end anytime soon, it will continue to be an attractive vehicle for cyberattacks.
Because they provide access to individuals at companies anywhere in the world, email attacks are highly lucrative. The recent FBI IC3 report has shown that loss from business email compromise continues to increase, costing organizations $2.4 billion last year, and our research shows that the average supply chain compromise attack costs an organization more than $180,000.
In addition, cybercriminals are successful in their account compromise attempts 12% of the time, enabling them to access and use real user accounts to run their attacks. These stats indicate the severity of the problem and showcase the fact that it isn’t going away anytime soon.
Traditional Indicators of Compromise Are Becoming Obsolete
Unlike attacks of the past, modern cybercriminals don’t have to compromise their victims’ existing infrastructure to execute their attacks. Instead, they have the resources to build their own infrastructure, which is more reliable than a hijacked system and can support attacks that bypass the secure email gateway. This infrastructure can even be quickly adapted to target specific organizations.
Further, while business email compromise may appear to be less sophisticated than designing and installing malicious software, it’s often a more effective approach because the technology wasn’t developed to stop these kinds of attacks. By removing malicious attachments and suspicious links and instead relying entirely on text-based communication, it’s easier for threat actors to circumvent conventional security measures.
In essence, modern cybercriminals have learned how to hack the human, rendering the tools that look only for traditional indicators of compromise nearly obsolete.
Modern Tactics Focus On Compromising People, Not Just Hardware
Threat actors have started to move away from tricking targets into downloading infected attachments or clicking on malicious links. Rather, they’re focusing on triggering an emotional response—most often urgency or worry—via social engineering.
Recently, we’ve seen a resurgence of conversation hijacking, a type of attack that is less of an all-out assault and more of a slow play. Threat actors will first gain access to an employee’s credentials through a credential phishing attack and then enter their inbox and browse through their messages until they find the right opportunity to “take over” an existing conversation. Once they’ve found that opportunity, they then reply to a thread with a request for sensitive data or payment for a nonexistent invoice.
Conversation hijacking capitalizes on our innate desire to be cooperative and assume positive intent. When we receive an email from a colleague or partner asking for assistance of some kind, generally our first instinct is to be helpful, not suspicious—exactly what attackers are banking on. Consequently, understanding when an account has been compromised and then blocking these attacks before your employees can respond to them is fundamental to minimizing your organization’s risk.
Social Engineering Attacks Can Be Exceptionally Costly
What makes account takeovers particularly pernicious is that once a cybercriminal manages to get through the door, they can fly under the radar for months. Sitting in the background undetected, they can obtain untold volumes of valuable data about the company and its customers, which they can then sell or leverage for future attacks.
Or, in the case of vendor fraud, the perpetrators can take advantage of recurring payments to collect considerable sums of money. A colleague of mine shared the story of one retailer who paid millions of dollars worth of fraudulent invoices after an attacker created a fake supplier profile in the retailer’s inventory management system. For more than six months, the cybercriminals successfully received payment for fake orders until the company finally realized what was happening.
What’s worse is that in some cases, the fraudsters don’t even have to access the account, instead relying on domain spoofing or display name deception to run their scams.
Threat Monitoring and Quick Responses Are Essential
Unfortunately, when it comes to mitigating attacks, the odds are stacked against the average business. A cybercriminal only has to succeed once to cause long-term damage, which is incredibly scary given the fact that large enterprises can have hundreds of millions of email accounts.
While organizations should have a layered approach to stopping these attacks, attempting to eliminate all fraudulent activity is an exercise in futility.
Any moderately sized organization will have to endure at least one (if not multiple) attacks per day. What sets the victims apart from the companies that simply experience intrusions, however, is that the latter are actively searching for fraudulent activity. They understand that the be-all, end-all of information security isn’t only to keep the bad actors out, but to be able to respond quickly and quash any threats once they’ve been identified, should they bypass security infrastructure.
CISOs at these organizations prioritize both the prevention of successful attacks and the identification and immediate remediation of intrusions. Their systems focus on responding quickly to contain the issue and minimize any losses. And they recognize that people are the last line of defense, ensuring that they understand the risk through security awareness training.
Protect Your Organization by Modernizing Your Email Security
The vast majority of cybercrime today is successful because it hijacks the people behind the keyboard. The best thing you can do is to stop these attacks before they reach them, and the most effective way to do that is to use a behavioral-based approach that evaluates identity, context, and content to establish known good and block the messages that deviate from it.
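As an added illustration (not code from the original post or from Abnormal Security’s platform) of how the identity, context, and content signals described above can be combined, the following Python scorer checks a message against a constructed “known good” baseline. It flags the conversation hijacking pattern (a payment request injected mid-thread from an account whose Reply-To now points elsewhere) and the display name deception pattern (a familiar name on an unfamiliar address) mentioned earlier; the internal domain, contact list, and sample messages are all assumed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: the addresses and display names we have historically seen
# from each contact. A behavioral engine would learn this over time; here it is hard-coded.
KNOWN_CONTACTS = {
    "alice@example.com": {"Alice Chen"},
    "billing@vendor-corp.example": {"Vendor Corp Billing"},
}
# Content signal: requests that are commonly the goal of BEC and vendor fraud.
PAYMENT_PATTERNS = re.compile(
    r"\b(wire transfer|bank (?:account|details)|routing number|invoice|gift cards?)\b", re.I
)

@dataclass
class Message:
    from_addr: str
    display_name: str
    reply_to: str                  # empty string when no Reply-To header is present
    in_reply_to: Optional[str]     # Message-ID being replied to; None for a new thread
    body: str

def score_message(msg: Message) -> tuple:
    """Return (risk_score, reasons). Each reason is one deviation from known good."""
    reasons = []
    sender = msg.from_addr.lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    known_names = {name for names in KNOWN_CONTACTS.values() for name in names}

    # Identity: display name deception (familiar name, unfamiliar address)
    if msg.display_name in known_names and sender not in KNOWN_CONTACTS:
        reasons.append("display name matches a known contact but address is unfamiliar")
    # Identity: Reply-To diverts the conversation away from the sending domain
    if msg.reply_to and msg.reply_to.lower().rsplit("@", 1)[-1] != sender_domain:
        reasons.append("reply-to domain differs from sender domain")
    # Content: payment or banking-change request
    financial = PAYMENT_PATTERNS.search(msg.body) is not None
    if financial:
        reasons.append("payment or banking-change request")
    # Context: a financial ask introduced into an existing thread (conversation hijacking)
    if financial and msg.in_reply_to:
        reasons.append("financial request introduced mid-thread")
    return len(reasons), reasons
```

A real deployment would weight these signals and add more context (send time, device, thread history), but even this small set separates the constructed hijack and spoof messages from a benign reply.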
Abnormal Security helps you keep your business safe by preventing high-impact targeted attacks. Check out our Gartner Peer Reviews to see why organizations worldwide trust our cloud-native email security platform to protect them from the attacks that matter most.