Security

Universities Must Secure Identities as Social Engineering Attacks Increase

CrowdStrike’s new Global Threat Report finds voice phishing is up, China and North Korea are making their way into the cloud, and more.

Dave Nyczepir

Dave Nyczepir is a Senior Editor for Manifest.

Social engineering attacks are on the rise. This means universities should invest in tools like cybersecurity automation and identity governance to help secure identities and establish cross-domain visibility.

Voice phishing attacks in particular rose 442% between the first and second half of 2024, in part because safeguards and preparedness have led more threat actors to abandon traditional cyberattacks (such as deploying malware via malicious documents) in favor of targeting help desks, according to CrowdStrike’s 2025 Global Threat Report.

China’s cyberactivity increased an average of 150% year over year across all sectors, and 200% to 300% in the financial services, media and manufacturing sectors. Decades of investment have led to the nation-state developing fully functional offensive cyber capabilities on par with that of other world powers and driven by the goal of becoming the global hegemon.

“As we see the geopolitical landscape shifting, we see China becoming more belligerent toward Taiwan,” said Adam Meyers, senior vice president and head of counter adversary operations at CrowdStrike, during a report briefing in late February. “This is going to come to a head in the next 12 to 24 months.”

Click the banner below to see how identity and access management can improve the user experience.

The Rise of Social Engineering Attacks

China has adopted an operational-relay base model that relies on botnets of infected routers in the U.S. That’s because attacks “coming from inside the house” are easier to pass off as normal network activity.

Salt Typhoon, a Chinese advanced persistent threat actor, has become adept at targeting U.S. telecommunications companies, Meyers said.

Hands-on-keyboard attacks, in which the threat actor forgoes scripted commands in favor of manually handling the operation, accounted for 79% of all cyberattacks in 2024, according to the report.

Attackers using this method log in to a network with compromised user credentials and then move across the network via an application or browser. They often obtain these credentials by impersonating the user and calling the help desk for a password reset or, conversely, flooding a user with spam, then impersonating the help desk to send that person a link that bypasses authentication.

While it has numerous benefits, generative artificial intelligence is also making it easier to harvest credentials. Phishing emails written by generative AI had a click-through rate of 54%, compared with 12% for those written manually, according to the report.

In one instance, a company made a $25.6 million wire transfer in response to an emailed deepfake video. Companies are also unwittingly hiring North Korean attackers who create fake LinkedIn profiles with generative AI, then use deepfake videos during their interviews while answering questions — also using generative AI.

“Not only are these adversaries using different techniques, different capabilities, they’re also doing it faster,” Meyers said.

The average breakout time — the time it takes an adversary to move laterally within a network — was 48 minutes in 2024, down from 62 minutes the year before. The fastest breakout recorded was just 51 seconds, according to the report.

Some threat actors, known as access brokers, gain access to a target and then sell it to the highest bidder. This activity jumped 50% in 2024, per the report.

Not only are these adversaries using different techniques, different capabilities, they’re doing it faster.”

Adam Meyers Senior Vice President and Head of Counter Adversary Operations, CrowdStrike

Don’t Underestimate Cloud-Conscious Adversaries

CrowdStrike further found a 26% increase in cloud intrusions, and abuse of valid accounts has become the primary method attackers use to access the cloud, accounting for 35% of cloud incidents in the first half of 2024. This signals that adversaries are improving their ability to target and operate in such environments.

Once inside the cloud, adversaries are targeting generative AI models — one reason China and North Korea are increasing their cloud collections, Meyers said.

Salt Typhoon often accesses the cloud by finding vulnerabilities in student devices.

“You can gain access to an older VPN concentrator or network router and then pivot from there, deeper into the environment,” Meyers said. “And because those things don’t run modern security tools, they’re softer targets.”

Organizations need to develop strategies for what they patch based on intelligence assessments of what adversaries are exploiting, especially as threat actors increasingly chain vulnerabilities together, Meyers said.

Plenty of adversaries do their homework, scouring public research, disclosures and blogs for new exploits targeting small parts of identities.

“If you're not looking across all of those domains, then you’re going to miss all of these attacks,” Meyers said.

MTStock Studio/Getty Images