Cyber criminals use social engineering approaches to install malware, steal information, perform fake transactions and even shut down businesses. More than 97% of reported attacks target “the human factor” as opposed to making use of known system vulnerabilities.
Social engineering approaches used by Cyber Criminals focus on people, their role in the business, the data they have access to and the likelihood they can be enticed to perform an action. The human factor, our ability to be curious, the biases we have and their effect on our decision-making processes, our emotional state of mind, the way in which we monitor and evaluate situations on the basis of risk or reward, and the level of boredom in our roles all contribute to people being the most effective attack vectors in infiltrating businesses to facilitate fraud, theft and potentially worse.
Over the last 3 years there has been a marked shift towards information-stealing malware, with “the human factor” becoming ever more effective at preying on people. From impostor messages, where an email appears to come from a person the target knows, to malware that silently profiles individuals and steals data and credentials for future attacks, Cyber Criminals have their eyes firmly set on your business's most valuable assets and the monetary value they hold. This ultimately fuels their revenue streams and funds future attacks.
Who is the Focus?
The Social Engineering approach, focused on “the human factor”, is all about exploiting select individuals and identities in targeted industries, not infrastructure and systems. Conversely, most businesses focus their IT Security budgets on infrastructure and systems.

The largest attack vector is still email, with 93% of all breaches targeting select individuals via approaches ranging from spam to impostor attacks. These select individuals are targeted on the basis of obtaining credentials to:
- Feed further attacks against the targeted business
- Improve the effectiveness of the Social Engineering techniques with which they can obtain credentials and information
- Commit fraud
The people representing the greatest source of risk in business are:
- Very Attacked Persons or VAPs. These are easily discovered identities and shared accounts. More than 35% of identified VAPs' details are found online via corporate Websites, social media platforms, newsletters and annual reports.
- VIPs and C-Level executives. Again, these are readily discovered via social media platforms, and more than 20% of the email addresses can be discovered via simple Google searches.
- VAPs, VIPs and shared accounts in Education, Finance and Banking, Automotive & Manufacturing, IT, Media & Advertising (including Marketing) and Retail are frequently the most targeted.
What are the Attacks?
As shown in the diagram, email is still the biggest initial attack vector for businesses. In 2018-19 generic email harvesting accounted for almost 25% of all phishing schemes. These were mainly focused on credential harvesting. Over 99% of emails distributing malware require human intervention to be effective; this includes following links, opening attached documents, enabling macros, accepting security warnings, and saving and unzipping executables.
Malware-free Impostor Message attacks, including Business Email Compromise (BEC), are on the rise. Impostor Messages and BEC are used by Cyber Criminals to build rapport with attacked individuals, obtain multiple points of contact and create a sense of urgency around the activities they require the targeted individuals to perform. These activities include approving payments for fake invoices, or releasing business data.
Phishing lures typically simulate well-known brands such as Banks, Retailers and Webmail, offering login portals that seek to capture specific service credentials or simply obtain email logins that are used in future credential-stuffing attacks.
Domain fraud continues to increase, with attackers using techniques from look-alike domains to legitimate certificates to make malicious Websites appear trustworthy.
How are Select Individuals Identified?
Cyber Criminals are increasingly focused on attacking select individuals in a business, instead of attacking every user and reviewing which attacks are successful. These select individuals are either targets of opportunity or identified users with sufficient access and privilege. These people make up the group of VAPs in a business.
VIPs, C-level Executives and Members of the Board are often not VAPs. VAPs are typically more easily identified online, presenting a simpler and more direct means for Cyber Criminals to discover their role and contact details, then target them with multiple attacks. On average, across all industries, more than 35% of VAPs' details can be found online. The following graph shows the average % of VAPs identified by Web-based source,

as opposed to the common source of VIP identities,

However, one area of significant risk for businesses is VIPs who are also VAPs. In these cases, on average across all industries, more than 20% of their email identities could be discovered online via a Google search.
How can Click Studios Help?
Click Studios specialises in the development of Passwordstate, an on-premise, web-based solution for Enterprise Password Management, allowing teams of people to access and share sensitive password resources. Our solution uses role-based access control, with end-to-end event auditing, to provide a secure platform for password storage, management and collaboration.
For more information on how we can help please contact sales@clickstudios.com.au and as always, we welcome your feedback via support@clickstudios.com.au.