There are 7.2 billion people in the world, and last year people willingly downloaded more than 2 billion apps that steal their personal data. The chance you've been (or will be) a victim to social engineering is greater than the chance you won't. The schemes are easy money, as cyber criminals create a product that people will want, then watch them shoot themselves in the foot.
Proofpoint just released the annual Human Factor report which found that attackers are all in on social engineering. Basically, they engage people through social media, email, and apps, then sit back and watch them infect their own devices. After the self-inflicted infection, it's easy to steal data, passwords, and transfer funds.
"A whopping 99.7% of documents used in attachment-based campaigns relied on social engineering and macros. At the same time, 98% of URLs in malicious messages link to hosted malware, either as an executable or an executable inside an archive. To work, these files have to be opened by the user. So attackers trick users into double-clicking them and infecting themselves," the report reads.
Timing is everything
Cyber criminals are also doubling down on social media optimization campaigns, and they're catchy. You may have seen this "quiz" on Facebook. I would venture to say that a good 60% of my friends clicked on it.
It's not just catchy content that crooks are using, but they are optimizing it to hit at peak times. For example, the Proofpoint report finds that social engineering email attacks are sent at the start of the business day specific to target markets, while social media posts also go out at peak usage times. It seems that the modern day cyber-criminal would be just as well equipped to serve as a social media consultant for a major corporation. If it's not catchy content hitting at peak times, then there's also the whole "cyber-criminals are really, really good at making fake accounts" thing.
"The ease of creating fraudulent social media accounts for known brands drives a clear preference for phishing in social media-based attacks. Distinguishing fraudulent social media accounts from legitimate ones is difficult: we found that 40% of Facebook accounts and 20% of Twitter accounts claiming to represent a Fortune 100 brand are unauthorized," Proofpoint reports.
Social engineering doesn't discriminate
Social engineering doesn't discriminate when it comes to platform. If you think apps from the "official stores" are safe, then it's time to burst that bubble.
"Malicious mobile apps are no longer corner cases--they're real-world threats. Our analysis of authorized Android app stores discovered more than 12,000 malicious mobile apps-- capable of stealing information, creating backdoors, and other functions--accounting for more than 2 billion downloads," the report found.
Your boss is a target, too
If these facts aren't terrifying enough, there's also a new scheme known as "CEO Phishing," a technique that gives hackers access to wire transfers. The scheme works when employees receive an email from who they believe to be their boss. The email is typically urgent in tone, and asks for money to be transferred into a specific account.
In order to avoid these attacks, solid security platforms need to be in place, but even then it's ultimately up to the end-user to take extra precautions when downloading or clicking on anything. Just keep in mind that as fun as that Facebook quiz looks; it may come with the biggest price tag of all, your personal information.