Over the last year, cyber criminals have continued to increase their use of social engineering rather than automated exploits, scaling up people-centered threats and attacks that rely on human interaction. They have found new ways to exploit “the human factor”—the instincts of curiosity and trust that lead well-intentioned people to click, download, install, move funds, and more every day.
These threats focused on people and their roles within an organization rather than just computer systems and IT infrastructure. Threat actors (cyber attackers and their sponsors) attacked people at both macro and micro scales. At the macro level, they waged massive, indiscriminate campaigns in email and social channels. Ransomware was the biggest email-borne threat of 2017.
And broad, multimillion-message malicious campaigns defined the new normal for the year. At the micro level, state-sponsored groups and financially motivated email fraudsters launched highly targeted attacks. Even attacks on cloud-based platforms relied on human error, carelessness, and credulity to penetrate systems of value.
Whether they are broad-based or targeted; whether delivered via email, social media, the web, cloud apps, or other vectors; whether they are motivated by financial gain or national interests, the social engineering tactics used in these attacks work time and time again. Victims clicked malicious links, downloaded unsafe files, installed malware, transferred funds, and disclosed sensitive information at scale.