Looking Ahead to Social Engineering Trends of 2022

The past doesn’t paint a pretty picture, yet it gives us a realistic base from which to adapt and grow when it comes to the risk of cyber-attack.

A cyber crystal ball could help—along with a candid look and assessment of past trends. Cybersecurity strategies that take lessons learned from 2021 may assist organizations in developing a more comprehensive and effective approach in 2022.

We’ve learned from 2021, and from the theme that’s carried into this year, that it can be extremely difficult to maintain awareness of constantly evolving cyber threats. One aspect of cyber risk that has grown in particular is phishing – which now includes numerous new threat vectors and potential vulnerabilities.

As we look ahead to social engineering trends of 2022, an elevated risk continues as malicious actors find new methods to penetrate company defenses.

Is phishing social engineering?

Phishing is a form of social engineering—with a twist. It uses email or malicious websites to solicit personal information by posing as a trustworthy organization. It feeds off the psychology of persuasion to encourage further action, including providing passwords, date of birth, or bank account information. Phishing works to get enough information to trigger an attack throughout your entire organization.

Phishing attempts have abused trusted platforms and collaboration tools, including Microsoft, Adobe, Dropbox, and Zoom. In the example of Zoom, hackers obtained some 500,000 passwords of users and sold credentials online through crime forums, Dark Web supermarkets, and other outlets for monetary compensation.

2021 Lookback 

Phishing, a term associated with email fraud, notably ticked up in 2021. COVID and the proliferation of remote work and relaxed cybersecurity practices seem to have ratcheted up phishing incidents. We can’t interact in person, so technology and remote connectivity are our lifelines. The shift to remote work also changed the boundaries of the traditional IT perimeter.

Attackers continued to exploit work-from-home strategies as the pandemic kept employees offsite. Cyber attackers conducted phishing attacks through email, SMS texts on personal devices, and other services used in daily business duties. Other COVID-based cyber compromise themes in 2021 included data at risk from contact tracing, vaccination information, testing, company policies, and relief or loan programs.

User Training Lax 

Poor user practices and lack of cybersecurity training were also significant contributors to the uptick in malicious phishing messages. In addition, the increased use of mobile devices shifted focus away from cyber protection, while hard-to-read email headers on mobile device apps and SMS made it more difficult to assess the validity of these messages.

Malicious retail attacks also opened vulnerabilities, as employees used their work devices for personal activities like shopping. Let’s not forget those delivery notifications via email and SMS, which the carrier may not adequately verify.

Last year, cybercriminals became increasingly sophisticated in their methods and, even with email protection systems in place, still managed to get their messages to the inbox of employees. 

In addition to phishing, they deployed smishing (SMS text messages), vishing (voice phishing by phone), and social media (setting up fraudulent accounts) to reach employees. Wire transfer fraud was another real possibility. 

2022 Predictions

This year, SMS-based phishing will remain a favorite of attackers, who rely on shortened links and the lack of mobile device protections to reach sensitive data accessed from employees' personal devices, including email, CRM, file storage or other regularly used resources.

Threat actors will continue to escalate business email compromise scams perpetrated with vishing deepfakes. Deep voice technology can clone someone’s speech – an elaborate scheme that attackers can ultimately use to steal funds.

In this latest type of threat, cybercriminals use artificial intelligence (AI) voice cloning to trick a person with the voice of a customer they might be familiar with, in an effort to get authorization for a funds transfer or to commit other fraud.

Cyber Awareness Training

Your employees will continue to be key defenders in protecting your company. Employees need to be continually trained—and tested—on their cybersecurity prowess.

Employee education and institutional knowledge around cybersecurity are the best protection against the latest cyber threats. It should be a continuous improvement program that includes up-to-date awareness training and regular phishing simulations. Remember that quarterly or annual training is not frequent enough to keep employees educated and engaged on current risks and threats. 

The Ideal Solution is Multi-Faceted 

Companywide cybersecurity policies, coupled with awareness videos, posters, classroom training, phishing simulations, and threat alerts are critical components to combat cybercrime and circumvent the latest social engineering trends of 2022. In one in-house example of business email compromise, a customer was saved from sending a wire transfer of over $100,000 because their employee had just completed training and reacted in a cyber-secure posture.

The best cybersecurity solution is a multi-faceted program that draws knowledge from past incidents while continually evaluating and updating as risks change. Without this type of approach – embedded in your organization from the top down – the chances of a sophisticated cyberattack happening to you only increase.

More Resources:

Upcoming Webinar on January 27th: Cyber Crystal Ball: What 2022 Will Hold

Blog: Tackling the Emerging Vulnerability Trends of 2022

Blog: Reflect to Improve: Ransomware Trends of 2021
