Industry Trends

Navigating the Threat Landscape As Social Engineering Lures Change

By Derek Manky and Aamir Lakhani | June 14, 2021

FortiGuard Labs Perspectives

The cyber threat landscape during the pandemic was one of the busiest eras for cybercriminals. The sudden shift to telework caught many off-guard and left their networks at risk to preying threat actors. COVID-19 social engineering lures during this period included an influx of phishing and spear phishing attacks, aimed to exploit the fears and concerns around the COVID-19 virus. Now, as we once again shift work models in many countries, it is paramount to reconsider how these threats will affect the transition and how organizations can secure their networks. 

FortiGuard Labs' Derek Manky and Aamir Lakhani share their perspective on how COVID-19 social engineering lures have progressed through the pandemic, the mindsets of cybercriminals, and what organizations need to do to secure hybrid work. 

How have COVID-19 social engineering lures changed compared to the beginning of the pandemic? 

Derek - As we are well over 14 months into the pandemic, I expected cybercriminals to have become exhausted of the same COVID-19 social engineering lures they’ve been using since the height of the pandemic. However, I recently went through our data and we’ve actually seen a constant wave of COVID-19 attacks, mostly email-based. It’s very consistent as well, with weekdays having the highest volume of attacks and dipping on the weekends. We’re seeing the same volume of COVID-19 social engineering lures as we were last January. The difference now is the theme. They started these lures during the initial lockdowns and the shift into work from home. Now, things are more focused on reopenings and vaccine lures, often done through impersonations of corporate IT security—among other tactics—which can lead to spear phishing attacks too. 

Aamir - I also had the same expectation of seeing COVID-19 social engineering lures slowly diminish in volume, but the consistency makes sense when you consider how successful some of these attacks can be. Cybercriminals are simply adjusting the theme of their lures, turning them into more front of mind topics and leveraging new weak points. The dangerous part of this is that people are not treating these attacks as seriously as they should. For example, as people begin to return to work, phishing emails from attackers impersonating corporate IT professionals are beginning to rise. These emails will follow the regular corporate safety guidelines, telling employees to watch out for suspicious emails, and include a link that is actually malicious. Every corporate IT organization has security top of mind right now, but it’s also important to consider how we are going to get employees back into the mindset of corporate security as they return to the office. 

How have cybercriminals changed their tactics as more organizations shift to hybrid work models? 

Aamir - As vaccines are rolling out and the world is returning to a sense of "normalcy," COVID-19 is still front of mind for many people. It’s in the news every day and many areas are still distributing vaccines, so it makes sense why their social engineering lures have not changed in volume. It’s still a perfect topic for cybercriminals to leverage, because it’s an opportunity they’ve never had before and, especially at the beginning of the pandemic, people are vulnerable to those attacks. Cybercriminals have adjusted the themes of their attacks, but what’s also interesting is some of the other tactics they are using to take advantage of the return to work situation. The ransom-as-a-service model is surprisingly also on the rise, where cybercriminals essentially take on the mindset of a defender and ransom their consulting services and reveal to organizations how they gained access to their networks. It is a proven model that makes money for the ransomware operators and their affiliates. In some cases, campaigns will make millions of (US) dollars. This is a really interesting shift in their mentality, as we are always trying to get into the minds of an attacker, yet they are now using the defender mindset to their advantage. 

Derek - The way cybercriminals adjust their tactics is very telling of the way they see the threat landscape. While we’ve operated on the premise of researching attackers to defend against every conceivable attack, they move one step forward and use that to their advantage. FortiGuard Labs goes on the threat hunt every day, not just to react to existing threats, but to get ahead of the curve and research everything from the latest targets to following recent attacks campaigns. It’s interesting to note as well that there’s been a lot of information disclosure that could have consequences. People are going to public, open-source platforms with samples of emails or other information because they believe they are being targeted. While those people may have good intentions, cybercriminals can get access to that information and use it to launch spear phishing attacks. Some of the information people upload can also contain sensitive corporate information and personal identifiable information (P.I.I.), which really leaves no work for cybercriminals other than downloading the documents and public information that has been shared with the forum. 

What should organizations keep in mind as they advance their security plans to fit new work models? 

Aamir - If you're sending anything to a service provider or vendor, consider what your vendor is doing with that data and how they are treating it internally. How are your service providers and vendors analyzing for threats, securing sensitive data, and are they able to communicate that information to you? It’s important to ask the hard questions first. If you purchased an IoT device, asking questions about the security lifecycle with this vendor, its visibility into your other networks, how it communicates with your devices, etc. goes a long way. Let’s be honest with ourselves and ask why don’t we do that? You can consider the same questions when sharing information. If you forward an email, are you potentially disclosing sensitive information? 

Derek - It’s important to work collaboratively to respond to events and trust is also key in this solution. If malicious emails are going out under the disguise of the corporate IT team, employees need to have the resources and knowledge to identify those potential threats and verify the identity of the sender. The zero trust model is super important here, as it’s too easy to fall prey to these attacks. Operating on a zero trust model significantly scales down the room for cybercriminals to enter. This solution was paramount during the shift to telework and should be carried through for the shift to hybrid work, or work from anywhere. 

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program. Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security Subscriptions and Services portfolio.

Subscribe to Fortinet's YouTube channel for the latest video content from Fortinet, FortiGuard Labs, and our Training Advancement Agenda (TAA), including customer stories, product demos, interviews on the latest cybersecurity trends, and more.