Cyber attackers are getting more creative as they choose their victims.
For evidence, look no further than Proofpoint's "Strangest Social Engineering Tactics of 2021," released in early March.
"They all gave us reason for concern," said Ryan Kalember, the executive vice president of cybersecurity strategy at Proofpoint. "Just in terms of how much effort the attackers are putting into this, the labor that they use in order to do this, it means that their businesses are quite successful."
#5: Soccer clubs targeted
Soccer clubs in France, Italy and the U.K. were specifically targeted in one 2021 attack, according to the report
Con artists, pretending to be player agents, sent videos of "young players looking for a big break" to club officials.
"It's very, very niche," Kalember said. "It would only work to target something like a soccer club, but it's the sort of thing that, because the gains can be quite big, really made sense."
The emails included YouTube links and a Microsoft Excel spreadsheet.
Anyone who downloaded the spreadsheet also wound up infected with malware.
"If you think about the types of transactions where millions and millions of dollars flow across national borders, there's not that many of them," Kalember said. "The attackers saw some daylight and saw that it was actually worth going through all of the effort to create these fake videos, these fake prospects, and this fake agent, all to try and defraud the soccer clubs."
#4: Long con aimed at scholars
In summer 2021, evidence emerged that "an Iran-aligned actor" was posing as a legitimate scholar and engaging in conversation with "various experts in Middle East society and politics."
"In this case, the Iranian cyber actor actually started inviting targets to things like Zoom meetings and video conferences," Kalember said. "You'd think that a spoofed identity would fall apart as soon as you do things like that. It's a really new tactic, and one that we hadn't seen previously."
Researchers believe the goal was to steal credentials from the targets, a move that Kalember said could lead to "embarrassment or monetary gain."
"The scholars who were impersonated, one of them found it flattering," Kalember said. "It is pretty consistent with spycraft. For years and years, cultivating relationships has always been a part of human intelligence, and I think that will continue. It will be interesting to see the new forms it's mutating into in the cyber world."
#3: Carefully crafted deception
The report highlights multiple scams involving BazaLoader malware.
In August 2021, con artists disguised the malware in an Excel spreadsheet that doubled as an apparently functional freight calculator.
The malware also appeared on BravoMovies, a web site that claimed to be a streaming service but was actually designed to deliver malware.
"They actually set up a full fake version of Netflix," Kalember said.
The bad actors would email victims about a recent transaction on their BravoMovies account. The account didn't exist, but when users went to the website to unsubscribe, they were told to download an Excel spreadsheet.
The Excel spreadsheet contained malware.
"In that case, they were looking to basically say, 'Hey, you're enrolled in this ongoing subscription service, click here to cancel,'" Kalember said. "Which required, of course, the downloading of a document which was a spreadsheet that had macros in it."
#2: Scam served two ways
During the 2021 holiday season, con artists tested two email tactics to lure victims.
One email informed victims that they'd received a promotion and a holiday bonus.
The other informed victims they'd been fired.
Both included an Excel file that displayed a "Merry Christmas" pop-up as it installed malware on victims' computers.
"You often see marketers do this, where they test if it's more useful to send a message with a positive spin or a negative spin," Kalember said. "I'm sure the threat actor measured very carefully whether it was the positive or the negative lure that got them more clicks."
#1: Inheriting millions
The strangest social engineering scam of 2021, according to the report, involved a fairly common tactic.
Bad actors claimed their victims were entitled to millions of dollars.
The email claims the victim's deceased relative won the lottery, and the Chief Judge of Canada personally spoke to Canadian Prime Minister Justin Trudeau to ensure payment.
The sheer outlandishness landed this scam at the top of Proofpoint's list.
"It's like a Dali painting," Kalember said. "It's just surrealist art, almost, at this point. They are trying so many of these angles, that are both old and new, in order to get somebody to respond."
Most security experts agree that some common sense and threat awareness can protect people from common cyber-attacks.
But Kalember warned that more targeted attacks can deceive seasoned web users.
"It's hugely concerning," Kalember said. "You can't really teach everybody to be on alert a hundred percent of the time. As the social engineering tactics move beyond the ones we've been taught to recognize, it becomes more problematic for the average user to not fall victim to these schemes."