Social Engineering Attacks: Preparing for What’s Coming in 2023
Everyone can improve their safety online by keeping their guard up when dealing with unknown websites and users. Watch out for these emerging types of cyberattacks.
- By Shannon Flynn
- December 21, 2022
Social engineering attacks continue to rise each year, but cybercriminals are getting more creative and cunning. Five key types of social engineering cyberattacks will likely boom in 2023, including some that have only emerged in the last few months.
#1: Doppelganger Websites
Doppelganger websites are a particularly elaborate form of phishing. These social engineering attacks work by duplicating an entire website or a few key pages.
For instance, a cybercriminal might create a doppelganger of Apple’s consumer website using a slightly different web address, such as “Appple.com” rather than “Apple.com.” If the site looks similar enough to the real deal, people are unlikely to notice the slight difference in the actual address. The criminal may use ads to ensure their fake site is strategically placed on search engines.
The idea is that victims will land on the fake doppelganger site and try to log in to their accounts. They enter their credentials, the cybercriminal gets their info, and by the time the victim notices something isn’t right, it is already too late.
Users can avoid doppelganger websites by double-checking the web address of any site they visit and using known safe links to get to their favorites rather than clicking on a link from an ad.
#2: Abuse of Law Enforcement Privileges
Compromised law enforcement email credentials have become a highly concerning social engineering cyberattack vector over the past year. In March 2022, Apple, Meta, and Discord announced they had all fallen victim to a cyberattack scheme that led to users’ data being leaked to hackers who abused something known as an Emergency Data Request, or EDR.
Law enforcement uses EDRs strictly for time-sensitive emergencies. For example, someone may be missing and presumed to be in imminent danger. The last known GPS coordinates of their phone or smartwatch could potentially allow law enforcement to save their life. There is no time for companies to press for more information in these situations.
By sending fake EDRs from compromised accounts, hackers were able to steal large amounts of personal data from these big tech companies. The problem is compounded by the fact that it is very difficult for Apple, Meta, or any other business to tell whether or not a law enforcement representative’s email is compromised.
One step companies and police are taking is flagging known compromised accounts so they can be blacklisted from sending EDRs in the future.
#3: Social Media Social Engineering Attacks
Impersonation and comment spam have exploded over the past year and will likely be some of the most prominent forms of phishing in 2023. This type of social engineering attack exploits the trust and recognition associated with influencers.
Attackers create an account on a social media site that looks nearly identical to an influencer’s. The posts are often giveaway announcements, declaring that fans just need to “click this link” or “DM this account on Telegram” to collect their winnings. Instead, people are tricked into giving away money and are ghosted by the fake account.
Impersonation and comment spam have become so serious on YouTube that prominent creators have asked the platform to address the issue. The scam results in monetary theft and hurts the reputation of the creators being impersonated.
Users should always be wary of comments on social media and double-check that something is coming from a legitimate account.
#4: Reputation Ransomware
One peculiar new form of social engineering on the rise is reputation ransomware. This scare tactic exploits the headline nature of data breach announcements. The cybercriminal will demand ransom from the victim organization, threatening to “leak” news of a fictional data breach if they do not pay.
What distinguishes this type of attack is that the cybercriminal is not actually attempting to hack an organization. They know that simply announcing the company suffered a data breach would be enough to seriously damage its reputation. No real hack is necessary if all the cybercriminal wants is the profits from the ransom payment.
Developing ways to defend against reputation ransomware will likely be a top priority for organizations in 2023. The FBI strongly discourages victims from paying ransoms in cyberattacks. In fact, it may even become illegal if lawmakers determine it’s a form of funding terrorist activity.
The best defense organizations have going into 2023 is to strengthen their PR departments and avoid paying ransoms. In the event of a reputation ransomware attack, they are better off trying to disprove accusations with hard data and reestablish trust with their customers and the public.
#5: Deepfake Attacks
Deepfakes are no longer just a fun party trick for graphic designers and video editors. The threat of deepfake social engineering attacks has been on the rise for a few years. In 2019, a cybercriminal used AI to replicate a CEO’s voice over the phone, leading to the theft of over $200,000. Film director Jordan Peele made headlines in 2018 when he attempted to raise awareness of the danger of these attacks using a deepfake video of President Barack Obama.
The threat of deepfakes has risen significantly largely thanks to advances in artificial intelligence. AI is more accessible than ever and getting better every year. This means it will be increasingly easier for cybercriminals to create convincing video or audio deepfakes of anyone they wish.
Tech leaders are developing tools that people can use to identify potential deepfakes online. Users should consider researching and utilizing one of these detection tools in 2023. It is also important to remain wary of content online that seems too extreme or good to be true.
Staying Safe Online in 2023
Common sense and constant awareness of potential hazards are everyone’s best defenses against social engineering attacks in 2023. These attacks prey on people ignoring red flags or reacting to messages without pausing to think first. Everyone can improve their safety online by keeping their guard up when dealing with unknown websites and users.
Shannon Flynn is the managing editor of ReHack magazine where she is responsible for managing daily operations and technology content. You can reach the author via email, Twitter, or LinkedIn.