Social engineering is present in 90% of phishing attacks today. However, business email compromise (BEC) attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception.
Part of what makes social engineering such a prominent part of BEC and other types of phishing attacks is its ability to manipulate human levers to achieve a desired outcome. Oftentimes, social engineers will create a false sense of urgency, push victims into a heightened emotional state, or capitalize on existing habits or routines in order to get their victims to behave in a way that might otherwise be out of character.
By examining common social engineering tactics and prevalent threat groups, organizations can better defend against these attack vectors.
4 Threat Actor Groups to Monitor
Social engineers often target company executives, senior leadership, finance managers, and human resources staff to gain access to sensitive information, such as Social Security numbers, tax statements, or other personally identifiable information. New employees, who may be more susceptible to verifying unfamiliar email requests, are also at risk.
In order to help defend against BEC attacks, organizations need to stay up to date on the latest threat intelligence and adversarial activity. Following are four prominent threat groups that leverage social engineering and BEC to enact harm.
Octo Tempest: This financially motivated collective of native English-speaking threat actors is known for launching wide-ranging campaigns that prominently feature adversary-in-the-middle (AiTM) techniques, social engineering, and SIM-swapping capabilities. First spotted in early 2022, the group initially targeted mobile telecommunications and business process outsourcing organizations with SIM swaps. However, it has since partnered with ALPHV/BlackCat — a human-operated ransomware-as-a-service (RaaS) operation — to drive greater impact.
Diamond Sleet: In August 2023, Diamond Sleet conducted a software supply chain attack on German software provider JetBrains that compromised servers for software building, testing, and deployment processes. Because Diamond Sleet has successfully infiltrated build environments in the past, Microsoft assesses that this activity poses a particularly high risk to affected organizations.
Sangria Tempest: Also known as FIN, Sangria Tempest frequently targets the restaurant industry to steal payment card data. One of the group's most effective lures involves accusing restaurants of food poisoning by sending a malicious email attachment with further details. This Eastern European group uses underground forums to recruit native English speakers and train them on how to deliver the email lure. Sangria Tempest has successfully stolen tens of millions of payment card data through this process.
Midnight Blizzard: Midnight Blizzard is a Russia-based threat actor that primarily targets governments, diplomatic entities, nongovernment organizations (NGOs), and IT service providers across the US and Europe. The group leverages Teams messages to send lures that attempt to steal credentials from targeted organizations by engaging users and eliciting approval of multifactor authentication (MFA) prompts.
Social engineering is generally a long con. These types of attacks can take months of planning and labor-intensive research as adversaries seek to build a strong foundation of trust with their victims. Once this trust has been established, social engineers can manipulate victims into taking certain actions that would otherwise be out of character.
There are many ways that organizations can protect themselves against social engineering fraud. First, employees should keep their personal and work accounts separate. When people use their work email for personal accounts, threat actors can take advantage by impersonating these programs and reaching out to gain access to their corporate information. Organizations should also enforce the use of MFA, as social engineers frequently target login credentials. However, it's important to note that MFA is not a perfect solution. Attackers are increasingly using SIM swapping to compromise phone numbers used for MFA. Organizations can remediate this risk by using an authentication app to link MFA to a user's device rather than their phone number.
Next, organizations should educate users on the danger of oversharing personal information online. Social engineers need their targets to trust them for their scams to work. If they can find personal details from an employee's social media profile, they can use those details to help make their scams seem more legitimate.
Finally, secure company computers and devices with endpoint security software, firewalls, and email filters. If a threat does make its way to a company device, protection will be in place to help safeguard user information.
Ultimately, social engineers are constantly looking for new ways to make their attacks more effective. By monitoring ongoing threat intelligence and ensuring your defenses are up to date, organizations can better prevent social engineers from using previously successful attack vectors to compromise future victims.
— Read more Partner Perspectives from Microsoft Security