As cyber security threats continue to evolve, CISOs and IT professionals must stay ahead of increasingly sophisticated social engineering tactics. In this blog we take a look at some of the top social engineering threats to watch out for in 2024, with a focus on advanced AI-driven methods and traditional approaches that exploit human vulnerabilities.
Phishing remains a significant threat, and generative AI has made it cheaper and more convincing. Large language models, including multimodal models that can work from screenshots and documents, let attackers draft fluent, personalised messages at scale, seeded with details scraped from social media and corporate websites. The spelling mistakes, generic greetings and odd phrasing that once gave phishing away are gone, so filters that key on those tells, or on known templates, are weaker against AI-written mail. Controls that do not depend on the message text, such as DMARC enforcement and phishing-resistant MFA, carry more of the weight.
Advances in AI have made realistic deepfake video and audio cheap to produce, and they are used to impersonate executives or public figures, for example on a video call that "authorises" a payment. A few seconds of publicly available audio is enough to clone a voice. These tools can spread misinformation, commit fraud or manipulate public opinion, and their increasing accessibility means that even low-skilled attackers can use them.
Voice phishing (vishing) and SMS phishing (smishing) remain prevalent. Vishing involves attackers impersonating trusted entities over the phone to extract personal information or MFA codes, while smishing uses text messages to deliver malicious links, bypassing email filters entirely. Both exploit the trust people place in phone communications, and caller ID and SMS sender numbers are trivially spoofed, so neither should be treated as proof of who is calling.
Business email compromise (BEC) attacks involve impersonating executives or trusted partners to trick employees into transferring money or sensitive data. Attackers research the target first, then send from a lookalike domain, put an executive's display name on an unrelated mailbox, or use a genuinely compromised account with a Reply-To or forwarding rule that diverts the conversation. BEC accounted for about $2.9 billion of the $12.5 billion in losses reported to the FBI Internet Crime Complaint Center (IC3) in 2023. The reliable countermeasure is out-of-band verification of any change to payment details, using a phone number already on file rather than one in the email.
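As an added example, not code from the original article, the Python script below applies the kind of header check the BEC paragraph implies to raw e-mail messages. It flags a known executive's display name on an address that is not theirs, a sender domain that is a near-miss of the corporate one, a Reply-To that redirects replies to another domain, and payment or urgency wording in the body. The corporate domain `example.com`, the executive directory and the four sample messages are all constructed assumptions for the demonstration.

```python
"""Flag common BEC impersonation patterns in raw e-mail.

Added example; domain, directory and samples below are constructed assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# assumption: people attackers like to impersonate, with their real addresses
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Wording typical of payment-diversion and urgency pretexts.
PAYMENT_URGENCY = re.compile(
    r"\b(urgent|wire transfer|bank details|gift cards?|invoice|payment)\b", re.I
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used for lookalike-domain detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_name(name: str) -> str:
    """Lower-case, drop punctuation, collapse spaces: 'Jane  DOE.' -> 'jane doe'."""
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def is_lookalike(domain: str, corporate: str = CORPORATE_DOMAIN) -> bool:
    """True for a domain within two edits of the corporate one or embedding its first label."""
    if domain == corporate:
        return False
    corp_label = corporate.split(".")[0]
    return levenshtein(domain, corporate) <= 2 or corp_label in domain.split(".")[0]


def parse_header(header) -> tuple:
    """Return (display name, address, domain) from a From or Reply-To header."""
    name, addr = parseaddr(header or "")
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name, addr, domain


def body_text(msg: Message) -> str:
    """Plain-text body, joining text/plain parts of a multipart message."""
    if msg.is_multipart():
        return "\n".join(
            p.get_payload(decode=True).decode(errors="replace")
            for p in msg.walk() if p.get_content_type() == "text/plain"
        )
    return msg.get_payload()


def analyse(raw: str) -> list:
    """Return the BEC indicators found in a raw RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw)
    name, addr, domain = parse_header(msg.get("From"))
    _, reply_addr, reply_domain = parse_header(msg.get("Reply-To"))
    findings = []
    key = normalise_name(name)
    if key in EXECUTIVES and addr != EXECUTIVES[key]:   # executive's name, foreign mailbox
        findings.append("display_name_impersonation")
    if is_lookalike(domain):                             # examp1e.com, example.co, ...
        findings.append("lookalike_domain")
    if reply_addr and reply_domain != domain:            # replies silently redirected
        findings.append("reply_to_mismatch")
    if PAYMENT_URGENCY.search(body_text(msg)):           # money plus pressure
        findings.append("payment_urgency_language")
    return findings


SAMPLES = {  # constructed messages for the demonstration
    "legit": "From: Jane Doe <jane.doe@example.com>\nTo: finance@example.com\n"
             "Subject: Board agenda\n\nThe agenda for Thursday's board meeting is attached.\n",
    "freemail_spoof": "From: Jane Doe <jane.doe.ceo@gmail.com>\nTo: finance@example.com\n"
             "Subject: Quick favour\n\nI'm in a meeting and need an urgent wire transfer "
             "to a new supplier today. Can you handle it?\n",
    "lookalike": "From: John Smith <john.smith@examp1e.com>\nTo: ap@example.com\n"
             "Subject: Invoice\n\nPlease update our bank details before paying the attached invoice.\n",
    "reply_to_hijack": "From: John Smith <john.smith@example.com>\nReply-To: john.smith@outlook.com\n"
             "To: ap@example.com\nSubject: Vendor payment\n\n"
             "Can you confirm the payment run for this week?\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16s} {analyse(raw) or ['clean']}")
```

The fourth sample is the one that defeats name and domain checks alone: the From address is genuine, as it would be after a mailbox compromise, and only the Reply-To redirect and the payment wording give it away. Treat the output as triage for a human to verify out of band, not as a verdict; a script like this complements DMARC enforcement on the corporate domain, it does not replace it.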
Pretexting involves creating a fabricated scenario to gain the victim’s trust and manipulate them into providing information. Attackers often impersonate authority figures or trusted colleagues, making the victim feel comfortable sharing confidential information.
Baiting exploits human curiosity by offering something enticing to lure victims into a trap. This could be a free download or a physical item such as a USB drive left in a car park and labelled with something intriguing. Once the bait is taken, the victim's system can be infected with malware; a malicious USB device does not even need the user to open a file if it presents itself as a keyboard and types its own commands, which is why blocking unknown removable devices by policy matters (AuraSafe).
Bribery involves offering money or other incentives to employees in exchange for sensitive information or access to secure areas. This tactic exploits financial pressure or dissatisfaction among staff, and unlike the other techniques here it produces a willing insider, so awareness training alone does not stop it; least privilege and logging of access to sensitive systems limit what a bribed employee can hand over (AuraSafe) (CommSec Cyber Security).
In quid pro quo attacks, the attacker offers a service or benefit in exchange for information. For example, an attacker might pose as an IT support person offering to fix an issue in exchange for login credentials, an MFA code or permission to install remote-access software. This method leverages the human tendency to reciprocate favours, and a helpdesk that never asks for passwords or codes gives staff a simple rule for spotting it (AuraSafe).
As social engineering threats become more sophisticated, it is crucial for CISOs and IT professionals to stay vigilant and proactive. By understanding these threats and implementing robust countermeasures, organisations can better protect themselves against the ever-evolving landscape of cyber threats.
Regular training, advanced security technologies, and a culture of awareness and verification, in which checking a request through a second channel is expected rather than awkward, are key to mitigating the risks posed by social engineering attacks. If you'd like to secure your organisation against social engineering threats, get in contact with our experts.