Building a slide deck, pitch, or presentation? Here are the big takeaways:
- 17% of social engineering attacks are successful, and could lead to the compromise of a company's entire corporate infrastructure. — Positive Technologies, 2018
- 27% of employees clicked an emailed phishing link, making it the most effective method of social engineering. — Positive Technologies, 2018
Cybercriminals are increasingly turning to social engineering to enter a corporate network, as they know that humans are the weak link in any company's security plan, according to a Monday report from security firm Positive Technologies.
The firm studied its 10 largest pen testing projects performed for clients in 2016 and 2017. These tests included 3,332 emails sent to employees with links to websites, password entry forms, and attachments, mimicking the work of hackers.
If these emailed "attacks" had been real, 17% of the messages would have led to the compromise of an employee's workstation, giving the hacker a foothold into the entire corporate infrastructure, the report found.
SEE: Security awareness and training policy (Tech Pro Research)
According to the report, phishing was the most effective form of social engineering attack: 27% of recipients clicked the phishing link, which led to a fake website.
"To make the emails more effective, attackers may combine different methods: a single message may contain a malicious file and a link, which leads to a website containing multiple exploits and a password entry form," Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said in a press release. "Malicious attachments can be blocked by properly configured antivirus protection; however, there is no surefire way to prevent users from being tricked into divulging their password."
Employees not only open unknown files and click suspicious links, they sometimes correspond with attackers, the report found. In 88% of cases of correspondence, the employees worked outside of the IT department. However, 3% of security professionals did so as well.
At times, employees complained that the malicious files or links would not open. In some cases, these employees tried to open the files or enter their password on the fake site 30-40 times, according to the report. Frustrated employees unable to open files sometimes forwarded them to the IT department for help—further increasing the risk to the organization, as IT staff are more likely to trust their colleagues and attempt to open the file.
Hackers have also learned that sending messages from fake companies is less effective than in the past, causing only 11% of risky actions from employees, the report found. However, sending messages from the fake account of a real company and person increases the odds of success to 33%.
These attackers also carefully select email subject lines to illicit a response from employees, including "list of employees to be fired" (which caused 38% of risky actions), and "annual bonuses" (which caused 25%).
The report highlights the need for companies to implement continuous employee security training. A number of companies run internal phishing attacks to identify weak links and strengthen their cybersecurity posture.
"To reduce the risk of successful social engineering attacks, it is important to hold regular trainings and test how well each employee follows security principles in practice,"Galloway said. "Whilst people are often the weakest link in your organization, businesses can benefit a lot by fostering a security positive culture."
For more tips on how to make your employees care about cybersecurity, click here.
- 27 ways to reduce insider security threats (free PDF) (TechRepublic)
- This phishing trick steals your email and then fools your friends into downloading malware (ZDNet)
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Phishing the phishers: Sneaky crooks put backdoors into kits for wannabe fraudsters (ZDNet)
- Why traveling CEOs and coffee shops are your company's greatest security risks (TechRepublic)
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.