Ever since email first rose in popularity as a business communication tool in the early 1990s, cybercriminals have leveraged it as a vector for social engineering attacks. At first, their tactics were simple: threat actors would commonly send a single email containing a malicious link or file, where the objective was simply to encourage recipients to click.
However, as email users became more aware of phishing and how to spot these suspicious communications, cybercriminals had to evolve their techniques.
Today, social engineering attacks are far more complex, unfolding over days or even weeks, involving multiple stages, and incorporating the use of emerging technologies. But the essential premise of these attacks—to exploit human behavior—has always stayed the same.
Here's a quick rundown of how social engineering attacks have changed over years:
Phishing: Social engineering attacks via phishing have come a long way since the Nigerian Prince scams of the 1990s. Threat actors eventually saw greater success with phishing scams that impersonated more reputable entities, including banks and other professional services, asking recipients to take an immediate action, like clicking a link to pay a bill before incurring a late fee. The content of these scams weren’t very sophisticated on their own—instead, they relied on a sense of urgency, banking on recipients to act before examining the email too closely.
But as these phishing attacks became more pervasive, security teams responded by investing more heavily in security awareness training and educating employees on how to recognize the telltale signs of a phish, like impersonal emails from unfamiliar senders, spelling mistakes, grammatical errors, and suspicious URLs.
Business email compromises and vendor email compromises: Threat actors responded by stripping their emails of these hallmarks, leading to a surge in targeted spear phishing attacks over the last few years—especially business email compromise (BEC) and vendor email compromise (VEC).
These types of attacks, in which threat actors impersonate vendors or people their target knows (like an executive or member of their IT department), are far more effective than traditional phishing—notably because they are text-based and omit the traditional indicators of compromise (like malicious links) that both humans and many threat detection technologies rely on to spot attacks. BEC attacks grew more than 100% last year, and have generated significant damages with losses of more than $2.9 billion.
In many cases, cybercriminals research their targets and the entity they’re impersonating on social media platforms and company websites, making note of details they can drop into highly personalized, credible-looking emails that let them evade detection. Unlike traditional phishing, these attacks focus on simply getting targets to engage, building their trust over multiple emails before encouraging them to take action.
Romance scams: The growth of dating apps created another playground for savvy cybercriminals, giving them yet another pretext for executing long-term social engineering scams. In an investment fraud scheme known as pig butchering, threat actors methodically build a connection with their targets over days or even weeks—preying on their desire for romance or companionship—before asking them to make large cryptocurrency investments via bogus platforms with fabricated returns. Attackers then withdraw the funds, close the account, and block the victim.
QR code phishing: In recent years, we’ve also seen the rise of novel mediums—like QR codes—to help mask phishing links and malicious intent in social engineering attacks.
In QR code phishing (quishing) attacks, threat actors drop a QR code image into an email with a brief message encouraging recipients to scan the code to reset their password or confirm their login credentials. After scanning the code, victims are redirected to an authentic-looking login page, where they’ll unknowingly give attackers their credentials and access to their accounts.
This has become an attractive attack tactic because the resulting destination that the QR code sends the recipient is often difficult to detect. Unlike traditional email attacks, there’s minimal text content and no obvious malicious URL, significantly reducing the amount of signals available for traditional security tools to detect and analyze to catch an attack.
AI-generated attacks: The proliferation of Generative AI has emerged as latest trend shaping social engineering, by letting malicious actors scale their attacks to greater volumes and degrees of sophistication than ever before. Thanks to tools like ChatGPT, attackers can create emails that are personalized, translated, and perfectly written—free of telltale grammatical errors or poor spelling that most people associate with phishing emails. Even petty criminals can now create highly professional messages in seconds, breezing past traditional security checks.
Security stakeholders are feeling the pressure, with 80% confirming in a recent survey that their organizations have been exposed to AI-generated email attacks or strongly suspect they have been.
Practical steps security teams can take
Social engineering has evolved in a variety of ways over the span of years, and cybercriminals will only continue adapting to circumvent whatever security technologies stand in their way. But despite shifting tactics, the fundamental strategy behind these attacks remains the same: hack the human.
Human behavior continues on as the root vulnerability, and those who narrow their defenses on detecting malicious content are missing the forest for the trees. Cybercriminals have gotten too good at disguising messages as authentic—instead, it’s the intent behind the content that matters.
Protecting the human vulnerability will require a shift in the way we think about security—from static and rule-based approaches that quickly become irrelevant as soon as attackers jump to the next attack trend, to adaptive approaches based on human behavior that can keep up with, and ahead of, what cybercriminals do next. By analyzing the expected human response to a suspicious message—rather than the contents of a message—security teams are in a better position to stop social engineering no matter what tactics are used today or in the future.
It will also require the industry to rethink awareness training. Because attackers can personalize each attack, the days of “one-size-fits-all” education—while sufficient for compliance—is ineffective at reducing the impact of social engineering attacks.
Humans respond better to just-in-time, bite-sized, and specific awareness. Giving users detailed information tailored to the specific attacks hitting their inboxes, along with an interactive forum for further discussion around how the attack happened and how to ensure protection in the future promises to even the playing field.
Mike Britton, chief information security officer, Abnormal Security
