2022 SOCIAL ENGINEERING REPORT | STRATEGIC OUTLOOK
Social interest is also frequently leveraged: at the beginning of the COVID-19 pandemic there was a collective desire for information around updated health guidelines, company policies, regional mandates, and vaccine development. Because of the universal relevance, threat actors of every sophistication level pivoted to make use of COVID-19 related content.
Ultimately, the techniques which are successful will continue to be utilized and refined. What isn’t effective will be discarded. The result is that throughout the year we observe threat actors constantly trialing new methods and content while improving those which already reliably earn clicks.
These developments track the ability of the intended victims to recognize the threat actors’ attempts as malicious. As users are better trained and become more aware, actors will be forced to pivot. In 2021, Proofpoint Threat Research noted that social engineering content often aligned with key mistaken assumptions end users continue to hold:

• The assumption that threat actors will not spend time building rapport prior to executing attacks, such as by holding regular conversations
• The assumption that legitimate services, such as those provided by authoritative technology companies like Google and Microsoft, are safe to use
• The assumption that threats only involve their computer and not orthogonal technologies such as the telephone
• The assumption that threat actors are unaware of email conversations held with colleagues and that those existing conversation threads are safe
• The assumption that threat actors won’t make use of timely, topical, socially relevant content to pique interest or exploit emotions
This report provides evidence of how, throughout 2021, threat actors repeatedly subverted these assumptions to exploit the human element in their attacks.
Key Assumption: Threat actors don’t have conversations with you
An important component of enticing people to interact with malicious content is to get them to trust the source. Effective social engineering is about generating feelings within a user that mentally drive them into engaging with content: something is urgent, someone is trustworthy, someone can help. By sending benign emails with the intent to lure the user into a false sense of security, threat actors lay the groundwork for a relationship that is more easily exploitable.
Proofpoint researchers observe multiple threat types sending benign emails to kickstart a conversation.
Lure and Task Business Email Compromise (BEC) threats typically start with a benign conversation or ask a question to get the recipient to engage with the email. Lure/task emails are typically a gateway theme – if the victim replies, they may be led to another type of threat such as gift card, payroll, or invoice fraud. Proofpoint automatically identifies and blocks around 80,000 task-themed emails each month.