The landscape of cyber threats continues to evolve with increased complexity and sophistication. This presents unparalleled challenges for organizations and individuals worldwide. Today’s cyber adversaries employ complex techniques that combine social engineering with advanced persistent threats. These attacks often involve meticulous planning and execution. This increased complexity makes the attacks more difficult to detect, demanding a more proactive and strategic approach to cybersecurity. In many of these attacks, we see a multifaceted social engineering approach: the attackers combine vishing, phishing, and smishing. Here at SECOM, we call these hybrid social engineering attacks. How are they executed? And why are they effective?
Hybrid Social Engineering
There are many ways an attacker could utilize hybrid social engineering. For example, an attacker could send a fake invoice, or some other form of attachment, loaded with malware. The malware allows the attacker to steal access credentials, gather enough sensitive information to conduct a perimeter break-in, or transfer funds out of the organization. Shortly after sending the email, the attacker follows up with a phone call to ensure that the target downloads the attachment or opens the invoice. These attacks can also be very effective when the vishing takes place first to establish trust, followed by the phish. At times, the vishing and phishing are done simultaneously while the target is on the phone: as the attacker builds rapport with the target, they send the phish and prompt the target to take the desired action.
Another common vector for hybrid social engineering is sending phishing emails containing phone numbers for the targets to call. For example, the attacker could send a realistic-looking email impersonating the company’s IT department asking employees to call regarding an “open ticket.” Once an employee calls, the attacker responds as the “IT Helpdesk” and elicits sensitive information, such as their one-time passcode, employee ID, password, etc.
The previous examples are just a few of the hybrid social engineering attacks on the rise. According to phishlabs.com, “most recently, hybrid vishing reports totaled nearly 40% of all response-based phish. In 2024, Fortra experts anticipate this tactic will only grow.”
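The callback vector described above (an email that impersonates the IT helpdesk and asks the recipient to phone a number) tends to carry no link or attachment, so URL and attachment scanners have nothing to inspect. A mail-triage rule can instead look at the combination of signals the message does carry: a phone number in the body, helpdesk or ticket language, urgency wording, and a sender domain that is not the organization's own. The following Python is an added illustration of such a rule, not code from the original post or from Social-Engineer, LLC; the internal domain `example.com`, the keyword lists, the scoring weights, and the sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumption: the organization's own mail domain; real helpdesk mail comes from here.
INTERNAL_DOMAIN = "example.com"

# North-American-style numbers such as (555) 010-2233, 555-010-2233, +1 555.010.2233.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
ADDR_RE = re.compile(r"<([^>]+)>")

# Constructed keyword lists; tune to the organization's own helpdesk wording.
HELPDESK_TERMS = ("it helpdesk", "help desk", "it department", "service desk", "ticket")
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "suspended", "locked", "expire")
FLAG_THRESHOLD = 5


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From header ('Name <a@b>' or 'a@b')."""
    m = ADDR_RE.search(from_header)
    addr = m.group(1) if m else from_header
    return addr.strip().rsplit("@", 1)[-1].lower()


def extract_phone_numbers(text: str) -> list:
    """Return every phone-number-looking token in the text."""
    return PHONE_RE.findall(text)


def score_callback_phish(msg: dict) -> Verdict:
    """Score one message (keys: from, subject, body) for callback-phishing signals."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    v = Verdict()
    phones = extract_phone_numbers(msg["body"])
    helpdesk = any(t in text for t in HELPDESK_TERMS)
    urgent = any(t in text for t in URGENCY_TERMS)
    external = sender_domain(msg["from"]) != INTERNAL_DOMAIN

    if phones:
        v.score += 2
        v.reasons.append(f"phone number(s) in body: {phones}")
    if helpdesk:
        v.score += 2
        v.reasons.append("helpdesk/ticket language")
    if urgent:
        v.score += 1
        v.reasons.append("urgency wording")
    # The decisive combination: helpdesk impersonation plus a callback number,
    # sent from a domain that is not the organization's own.
    if external and phones and helpdesk:
        v.score += 3
        v.reasons.append(f"external sender {sender_domain(msg['from'])} posing as helpdesk")
    return v


def triage(messages: list) -> list:
    """Return the subjects of messages that cross the flag threshold."""
    return [m["subject"] for m in messages if score_callback_phish(m).flagged]


# Constructed sample messages, not real captures.
SAMPLES = [
    {
        "from": "IT Support <it-support@example-helpdesk.net>",
        "subject": "Open ticket #48213 requires your attention",
        "body": "Your open ticket with the IT Helpdesk will be closed and your account "
                "suspended. Call us immediately at (555) 010-2233 to verify your login.",
    },
    {
        "from": "alice@example.com",
        "subject": "Lunch Friday?",
        "body": "Want to grab lunch at noon? Text me at 555-010-9988 if plans change.",
    },
    {
        "from": "helpdesk@example.com",
        "subject": "Ticket #1234 resolved",
        "body": "Your ticket has been resolved. Reply to this email if the issue persists.",
    },
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = score_callback_phish(m)
        print(f"{'FLAG' if v.flagged else 'ok  '} score={v.score} {m['subject']!r} {v.reasons}")
```

Run as a script it prints one line per sample; only the external "IT Support" message crosses the threshold, while the colleague's lunch note (a phone number but no helpdesk language) and the genuine internal ticket notice (helpdesk language but no number and an internal sender) stay below it. The weights are deliberately simple; the point is that the flag depends on the combination of signals rather than any one of them.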
The Social Engineering Component
The social engineering component is what fuels these attacks. Social engineering can be defined as “Any act that influences a person to take an action that may or may not be in their best interest”. During a social engineering attack, malicious actors elicit human emotions such as fear, curiosity, urgency, greed, or helpfulness, to momentarily suspend critical thinking and get their victim to perform an action they normally would not. Often, the caller impersonates an authority figure and requests immediate action. This results in a high-pressure situation in which staff feel obligated to comply with this “important” request.
A social engineering attack against an organization with uneducated and untrained employees can be devastating. By using a combination of phishing, vishing and smishing, social engineers take advantage of existing vulnerabilities. These attacks are carefully orchestrated, targeting different employees until they gather enough pieces of information to complete an organization’s puzzle.
The most effective way to combat these types of attacks is to develop awareness and training programs, and proactively test susceptibility to attacks. Employees who are aware of social engineering attack vectors and understand the value of the information they hold can serve as an organization’s first line of defense against social engineering attacks.
Test. Educate. Protect.
You may be asking yourself, “What can I do to protect against such advanced targeted attacks?” Sadly, there is no technology or AI that can stop this. The best defense is a realistic, authentic training environment that allows your population to experience these attacks safely and learn how to report them.
Here at SECOM, we have designed our simulated hybrid social engineering programs to use empathy-based training focused on reporting, to help your employees learn these lessons and solidify them into their daily practices. To find out more, check out the managed services we offer.
Written by
Rosa Rowles
Human Risk Analyst
Social-Engineer, LLC