Social Engineering Trends and Insights for Q4: What to Expect in the Fourth Quarter

As the year progresses, so do the social engineering scams. We know these scams are on the rise, but what exactly are they, and how do we protect our companies from them? Let’s look at 2 common social engineering scams we expect to see in the fourth quarter of 2024 and discuss ways to stay secure so we can be prepared.

Business Email Compromise Scams

The FBI states that business email compromise (BEC) scams are “one of the most financially damaging online crimes.” In a BEC scam, malicious actors will send an email purporting to be from a known source, which makes it appear like a legitimate request. The FBI provides the following examples:

 A vendor your company regularly deals with sends an invoice with an updated mailing address.

• A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
• A home buyer receives a message from his title company with instructions on how to wire his down payment.

What are the ways we can protect ourselves from these scams? The FBI provides the following tips:

• Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing) and call the company to ask if the request is legitimate.
• Carefully examine the email address, URL, and spelling, in any correspondence.
• Be careful what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
• Verify payment and purchase requests in person, if possible, or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the requests.

Vishing and AI Scams

If you have been on the internet in past months, no doubt you have noticed that AI gets mentioned nearly everywhere. One thing is sure, AI is here, and it is here to stay. AI has even been used in connection with vishing (or voice phishing) scams. Criminals are leveraging generative AI to clone voices and use them in vishing attacks. Reports of attackers posing as family members in need of money have been flooding in. In one instance, an attacker called someone impersonating their granddaughter. The individual being targeted was so convinced that this was their granddaughter that they gave the attacker their money. Unfortunately, we can expect to see cases like this increase in quantity. Additionally, these same techniques can be used to impersonate your company CEO, manager, or other employees with privileged access.

What about vishing without the use of AI, though? Is it a threat? We saw this demonstrated in a real-world example with the MGM Resorts cyberattack. This attack, costing MGM over $100,000,000, started with a vishing call to the organization’s help desk. Using information scraped from social media, the attacker posed as an MGM Resorts employee. This attacker was eventually able to leverage this information to gain administrator rights and deploy ransomware. This clearly shows the danger of vishing, even without the support of AI.

• Written by
  Shelby Dacko
  Human Risk Analyst