As 2018 drew to an end, many cybersecurity reports published their findings on the most common types of attacks that targeted small and large organisations. Let’s take a closer look at an evergreen method of cybercrime: social engineering, and more specifically phishing.
Social engineering focuses on human interaction; its aim is to manipulate people into giving up confidential personal and/or company information for malicious purposes.
Phishing is the most common vector of cyberattacks. Using email, criminals can extract valuable personal information or login credentials, which can prove costly for organizations when it leads to a data breach or security incident. Spear phishing is an even more targeted form of phishing, where the attacker personalises the attack by researching the target extensively in advance, making the attack more likely to succeed.
Phishing attacks are on the rise year by year as attackers and their techniques become more sophisticated. In 2018 the focus shifted from private individuals to businesses, which were targeted more and more often.
“Overall, phishing attacks in 2018 were up from 2017. In addition, more organizations were affected by all types of social-engineering attacks (phishing, spear phishing, SMS phishing, voice phishing, and USB drops) year over year.
“Infosecurity professionals reported a higher frequency of all types of social engineering attacks year over year. Phishing increased to 83% versus 76%. Spear phishing increased to 64% from 53%.”
(Source: Proofpoint, annual State of the Phish report)
Why is phishing so attractive?
Phishing’s popularity is mainly due to the fact that it requires only a limited amount of technical know-how. Instead, it relies on an understanding of basic human nature to anticipate the target’s reaction to an attack and thus maximize its success. It yields maximum profit for the attacker with minimum effort. In addition, most companies and individuals tend to trust and rely too much on technical measures to protect against phishing attacks, and overlook the human factor of cybersecurity.
The human factor
The human factor is one of the biggest threats to cybersecurity today, second only to malware. A recent report by Kaspersky Lab states that 52% of businesses are worried about data breaches stemming from their employees and acknowledge that employees (especially non-IT staff) are the weakest link in their cybersecurity strategy.
According to another report, Symantec’s 2018 Internet Security Threat Report (ISTR), 54.6% of all email is spam and the average user receives 16 malicious emails a day. That leaves a lot of opportunity for human error to sneak in and wreak havoc.
“Against the backdrop of a complex and growing cyber threat landscape, where 57% of businesses now assume their IT security will become compromised, businesses are also waking up to the fact that one of the biggest chinks in their armor against cyberattack is their own employees. In fact, 52% of businesses admit that employees are their biggest weakness in IT security, with their careless actions putting business IT security strategy at risk.”
Exploiting fear and obedience
Hackers like to rely on inducing fear with their phishing campaigns, prompting a careless response from an employee. Say an email purporting to come from the bank warns that the company account has been compromised. Many employees would worry about the consequences they might face if the problem isn’t solved fast, and so they often comply too rashly without questioning whether the request is really legitimate. Hackers usually add a sense of urgency to further manipulate the victim and obtain a quicker result.
Another trick of attackers targets employees’ readiness to obey instructions from cybercriminals posing as executives. Attackers use spoofing to create credible-looking email addresses, and employees rarely stop to question the legitimacy of such emails.
CEO fraud, or business email compromise (BEC, formerly known as man-in-the-email scams), is one such impersonation attack. These attacks usually target employees who have access to company finances or who have the authority to conduct wire transfers from company accounts. The attackers then trick these employees into transferring money that ends up in the attacker’s account. If they can get hold of login details, they can use these to steal sensitive company data and sell it on the dark web.
An example of this was reported on trendmicro.com:
“On March 8, scammers sent a BEC email to the Amsterdam branch managing director. The email, which impersonated Pathé’s chief executive, asked the managing director to make a confidential payment of over US$900,000. Although the managing director forwarded the email to an assistant and discussed it with the finance director, the email was not spotted as a scam and eventually led to five consecutive money transfers to scammers in less than a month. Pathé’s losses due to the scam may be the biggest reported stolen amount from a single company for this year.”
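The impersonation pattern described above (an executive’s display name on a spoofed or lookalike sender domain, a Reply-To that diverts the conversation elsewhere, and urgent, confidential payment language) can be screened for on incoming mail before it reaches finance staff. The following is an added example, not code from the article or from Trend Micro or Pathé; the executive names, the company domain and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed data for this example: hypothetical executives and company domain.
EXECUTIVES = {"jane doe": "CEO", "john smith": "CFO"}
INTERNAL_DOMAIN = "example.com"
URGENCY = re.compile(r"\b(urgent|confidential|wire transfer|asap|today)\b", re.I)


def normalise_name(name: str) -> str:
    """Lower-case a display name and drop punctuation so minor variants still match."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def is_lookalike(domain: str) -> bool:
    """Flag a sender domain that differs from the internal one by at most two characters."""
    if domain == INTERNAL_DOMAIN or len(domain) != len(INTERNAL_DOMAIN):
        return False
    return sum(a != b for a, b in zip(domain, INTERNAL_DOMAIN)) <= 2


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list[str]:
    """Return the BEC warning signs found in a raw RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    reasons = []
    role = EXECUTIVES.get(normalise_name(display))
    if role and sender_domain != INTERNAL_DOMAIN:
        reasons.append(f"display name impersonates the {role} but the sender is external")
    if is_lookalike(sender_domain):
        reasons.append(f"lookalike sender domain: {sender_domain}")
    if reply_domain and reply_domain != sender_domain:
        reasons.append("Reply-To directs replies to a different domain than From")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="ignore")
    if URGENCY.search(body):
        reasons.append("urgency or payment language in the body")
    return reasons


# Constructed sample message resembling the CEO-fraud pattern (digit 1 replaces l).
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@freemail.test
To: finance@example.com
Subject: Confidential payment request

Please arrange an urgent wire transfer today and keep this confidential.
"""

if __name__ == "__main__":
    for reason in check_message(SAMPLE):
        print("WARNING:", reason)
```

Each returned reason is a signal, not proof; in practice such checks sit alongside SPF/DKIM/DMARC results and feed a quarantine or banner decision rather than replacing the employee’s own verification by a second channel.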
Phishing attacks will continue to become more targeted in 2019, tailored to specific organizations and users, and one of the crucial ways to protect against them is not to ignore the importance of the human factor.
A combination of technology and employee awareness training should be at the forefront of efforts to protect against social engineering and phishing attacks. Security can be improved by setting and enforcing clear policies to continuously train and educate employees on current and emerging social engineering threats.