Phishing Bonanza: Social-Engineering Savvy Skyrockets as Malicious Actors Cash In

Published: 23/11/2024   Category: security



The ever-evolving threat from phishing is growing more sophisticated as attackers design high-pressure situations and leverage ever-more-convincing social engineering tactics to increase their success rates.



This week, it came to light that gaming platform Roblox was breached via a phishing/social-engineering attack that led to the theft of internal documents and the leaking of them online in an extortion attempt. The hacker has posted documents on a forum that purport to contain information about some of Roblox's most popular games and creators, according to Motherboard. Additionally, some of the documents include individuals' personally identifiable information.

But Roblox is hardly alone — it's just the latest in a long line of corporate phishing victims. The success of these attacks showcases just how effective phishers have become at manipulating employee targets at various enterprises.
In the last few months, the IT security news cycle has been dominated by reports of phishing attacks exploiting trusted applications like email, QuickBooks, and Google Drive, to name just a few. This week, research from Avanan shows that hackers have found a new way into the inbox by creating fake invoices in PayPal, leveraging the site's legitimacy to gain access.

The abuse of legitimate services is a key factor in the latest spate of phishing attacks, which use social engineering tactics to lure victims into giving up information like login credentials. SlashNext Threat Labs reported a 57% increase in phishing attacks from trusted services between the fourth quarter of 2021 and the first months of 2022.

In June, Microsoft 365 and Outlook customers were targeted with voicemail-themed emails as phishing lures, while QuickBooks users were victims of back-to-back campaigns in June and July, including a vishing scam targeting small businesses. And, indeed, concerns over multichannel phishing attacks are growing, with a particular focus on smishing and business text compromises.
Meanwhile, cloud collaboration and the use of tools like Zoom and Microsoft Teams have exploded during the past two years since the onset of the pandemic, and have become standard operating procedures for remote workers. Attackers have seen this trend and capitalized on it.
Jeremy Fuchs, cybersecurity research analyst at Avanan, points out that phishing attacks continue to become more sophisticated, and social engineering tactics continue to evolve. He says he thinks there will be increased usage of legitimate services like PayPal to send phishing emails that come from a legitimate email address.
"We've seen an uptick in so-called double-spear tactics, whereby the hackers not only get your funds, but they also get your phone number for future attacks," he says. "We'll see more of these attacks that can snag more than one item from an end user."
Gretel Egan, senior cybersecurity awareness training specialist at Proofpoint, says she continues to see attackers abusing well-known brands and taking advantage of legitimate services to trick people into making fundamental mistakes in the inbox.
"These are messages that look right on the surface, that tap into ways of working," she says. "These types of subtle manipulations can be difficult for people to spot, and it's critical that workers be made aware of attackers' capabilities and propensities to operate in this manner."
Egan explains that threat actors are using real-time events and themes that have the attention of the wider world.
"If it's something we are talking about as a society, or something that elicits strong emotions, then it is content that is likely to be exploited," she says. "Increasingly, we are seeing threat actors use their social engineering content to move victims out of the corporate email environment to alternate communication platforms such as the telephone and conferencing software."
Social engineering is inherently people-centric, and in today's hybrid workforce, organizations are struggling to protect data, devices, and systems while remaining agile.
Egan points out employees are also having to adapt to remain connected and engaged with their co-workers.
"Those in remote and hybrid environments are relying heavily on collaboration applications and social media, both public and enterprise," she says. "These trends have opened the door to a whole host of social engineering tactics and other cyber threats."
She notes social engineering techniques aren’t seen only in emails — these tactics are being used successfully across text messages, phone calls, direct messages, and more.
Fuchs agrees remote work has its challenges, including not being able to stop by IT's desk to ask about an email.
"But while working from home, distraction might play a role," he adds. "There are more stimuli — the dog barking, the child crying, answering a thousand Slack messages — so that taking the time to focus on the keys in an email that alert you to the fact it might be suspicious can go to the wayside."
Fuchs argues IT policies must move away from static allow and block lists and move toward advanced AI.
"Static lists allow these legitimate services to be used for phishing," Fuchs says. "Advanced AI and ML can suss out what's real and what's not."
Egan says multilayered protection is the best strategy against phishing emails, layered within a culture of security with the placement of people at the center.
She adds that it's important to understand which users are most targeted and which are the likeliest to fall for the social engineering that phishing attacks rely on.
"Users are a critical line of defense against phishing, and it's important that security awareness education provides a foundation to ensure everyone can identify a phishing email and easily report it," she says. "This should be combined with layered defenses at the email gateway, in the cloud, and at the endpoint."
Fuchs agrees that, for employees, training continues to be a must and it needs to focus on having the user slow down and check a few critical signs, like sender address and URL destination.
From his perspective, a two-second check can often avoid disaster.
"The key takeaway from this deluge of phishing attacks is that hackers have found tremendous success leveraging legitimate brands," he says. "Whether it's spoofing the brand or sending phishing emails directly from the service, anything that looks like a trusted brand is more likely to land in the user's inbox and more likely to be acted upon."
"Impersonation scams are on the rise, and, given the tremendous amount of services they can leverage, it's not likely to slow down," he warns.
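The "two-second check" Fuchs describes above (sender address and URL destination) is also something a mail gateway or triage script can perform before a message reaches the user. The script below is an added example written for this page, not code from Avanan, Proofpoint, or the article; it parses a constructed fake-invoice lure and flags three mismatches a reader would look for by eye: a display name that claims a brand the sending domain does not belong to, a Reply-To that diverges from the From domain, and link text that shows one host while the href points at another. The sample message, the `BRAND_DOMAINS` table and the `check_message` function are assumptions for illustration.

```python
"""Automated version of the 'two-second check': display name vs. sender
address, Reply-To vs. From, and visible link text vs. real link destination."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: a fake-invoice lure in which the
# visible sender name and the visible link text both claim a brand that the
# underlying address and destination do not belong to.
SAMPLE_EMAIL = """\
From: "PayPal Billing" <billing@invoice-notices.example>
Reply-To: collect@unrelated-mailbox.example
To: finance@victim.example
Subject: Invoice #4481 overdue - action required within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is overdue. Review it at
<a href="http://verify.invoice-notices.example/login">https://www.paypal.com/invoice</a>
before your account is limited.</p>
</body></html>
"""

# Hypothetical brand table (assumption for the example): brand keyword ->
# registrable domains that brand legitimately sends mail from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com"}}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain
    (a real deployment would consult the Public Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_message(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(from_addr.rpartition("@")[2])

    # 1. Display name names a brand, but the From domain is not one of that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append(f"display name mentions {brand} but From domain is {from_domain}")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = registrable_domain(reply_addr.rpartition("@")[2])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Anchor text that looks like a URL but whose host differs from the real href host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real_host = urlparse(href).hostname or ""
            shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
                findings.append(f"link text shows {shown_host} but points to {real_host}")

    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Each finding here is a heuristic, not a verdict: a legitimate invoice sent through a real PayPal mailbox would pass checks 1 and 3, which is exactly why the article's sources argue that static allow lists of service domains are not sufficient on their own and that content-level analysis and user reporting still matter.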
