A new report by security firm Positive Technologies shows that 1 in 10 employees would fall for a social engineering attack.
What Is A Social Engineering Attack?
Social engineering cyber-attacks rely upon the element of human error e.g. convincing / fooling a person into downloading malicious files, unwittingly corresponding with cyber-criminals, sharing contact information about employees and transferring money to hackers’ accounts, or clicking on phishing links.
Test
The results of the report are based on ‘penetration tests’ which involved sending 3,300 emails to employees containing links to websites, password entry forms and attachments. As the name suggests, a penetration test is an authorised simulated attack on a computer system, which is performed in order to evaluate the security of that system.
Tricked
The results showed that, worryingly, 17% of the messages were successful in convincing the recipients to take actions that would have resulted in a compromise of a workstation and potentially the entire corporate network if the attack was real.
The tests showed that 15% of employees responded to emails with an attachment and link to a web page, while only 7% responded to test emails with an attachment. The most effective method of social engineering identified in the test was reported to be sending an email with a phishing link. In this case, 27% of recipients clicked on a link that led to a web page requesting credentials.
Real Company Names Convincing
The study showed that messages received from what appeared to be the account of a real company resulted in 33% of recipients taking risky actions, whereas messages from fake companies only achieved an 11% success rate.
Emotional Response Sought
Cyber-criminals often use methods that are designed to produce an emotional response that will make people forget about basic security rules. For example, in the tests, an email subject line of "list of employees to be fired" resulted in a 38% response, and "annual bonuses" brought a 25% response.
Overly Trusting If Not In IT
One interesting finding highlighted in the report was that 88% of those outside of IT work (and presumably less aware of the risks), such as accountants, lawyers and managers, opened / clicked on suspicious links and even corresponded with attackers. However, 3% of security professionals also responded.
Kept Trying To Open
The study found that some recipients who couldn’t open the malicious files even resorted to trying to open the files or enter their password on a fake site up to 40 times!
What Does This Mean For Your Business?
Clearly, there is a case for better education and training among employees about the variety of methods, and the level of sophistication that cyber-criminals now use in attacks. Employees need to be able to spot potential attacks, and have clear policies, instructions, and help on hand about how to proactively protect the company, and how to respond to certain types of attack. One of the simplest forms of defence against threats entering the company via email is to make it policy never to open suspicious emails / emails from unknown sources.
In reality, attackers now use a combination of methods to breach the defences of companies, plus there are evolving new threats, such as fileless hacking and fileless malware attacks facilitated by the PowerShell scripting language that is already built into Windows. Some basic ways that your business can improve security against social engineering attacks are:
- Blocking delivery of email attachments with extensions that are executable (e.g. .exe, .scr), system (.dll, .sys), script (.bat, .js, .vbs), and other risky types (.mht, .cmd).
- Authenticating the domain of an email sender e.g. using the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols.
- Authenticating a sender's identity using other protocols e.g. the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol.
- Regularly updating the operating system, anti-virus, and other software patches.
- Implementing an on-demand malware detection system.
- Scanning files before and after opening them.
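The first three recommendations above (attachment block list, SPF/DKIM, DMARC) can be applied at the mail gateway. The following is an added example, not code from the article or from Positive Technologies: it reads the SPF/DKIM/DMARC verdicts a receiving mail server stamps in the Authentication-Results header, checks attachment extensions against the article's block list, and quarantines a message that fails either test. The sample message, the `example.com` / `example.net` domains and the `classify` function are constructed for illustration.

```python
import email
import re
from email import policy

# Attachment block list from the article's recommendations (.scr = Windows screensaver executable).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".dll", ".sys", ".bat", ".js", ".vbs", ".mht", ".cmd"}

def auth_results(msg):
    """Read spf/dkim/dmarc verdicts from Authentication-Results; a missing verdict is 'none'."""
    header = str(msg.get("Authentication-Results", ""))
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header, re.IGNORECASE)
        verdicts[method] = m.group(1).lower() if m else "none"
    return verdicts

def blocked_attachments(msg):
    """Return the file names of attachments whose extension is on the block list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            names.append(name)
    return names

def classify(raw):
    """Quarantine when SPF or DKIM did not pass, or when a blocked attachment type is present."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    blocked = blocked_attachments(msg)
    quarantine = auth["spf"] != "pass" or auth["dkim"] != "pass" or bool(blocked)
    return {"auth": auth, "blocked": blocked, "quarantine": quarantine}

# Constructed sample (not from the article): lookalike HR sender, failed SPF, .scr attachment.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=hr@example.com; dkim=none; dmarc=fail
From: "HR" <hr@example.com>
Subject: List of employees to be fired
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="list.scr"
Content-Disposition: attachment; filename="list.scr"

AAAA
--b1--
"""
if __name__ == "__main__":
    print(classify(SAMPLE))
```

A real deployment would take the verdicts from the gateway's own authentication step rather than trusting a header that an external sender could forge, and would apply the organisation's DMARC policy (p=quarantine or p=reject) rather than a fixed rule.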