In tests that imitated the actions of hackers by sending emails to employees with links to websites, password entry forms and attachments, 17% of the messages would have led to a compromise of the employee's workstation and, ultimately, the entire corporate infrastructure if they had been real.
In total, 3,332 messages were sent by cybersecurity firm Positive Technologies. The most effective method of social engineering turned out to be phishing emails: More than a quarter (27%) of recipients clicked the link, which led to a special website. Users often glance over or ignore the address, leaving them unaware that they are visiting a fake website.
“To make the emails more effective, attackers may combine different methods: A single message may contain a malicious file and a link, which leads to a website containing multiple exploits and a password entry form,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. “Malicious attachments can be blocked by properly configured antivirus protection; however, there is no surefire way to prevent users from being tricked into divulging their password.”
Employees often open unknown files, click suspicious links and even correspond with attackers. In 88% of cases of such correspondence, these overly trusting employees worked outside of IT (such as accountants, lawyers and managers). One quarter of these employees were team supervisors. However, 3% of security professionals fell for the bait as well.
Furthermore, occasionally users complained that the malicious files or links would not open – in some cases trying to open the files or enter their password on the site as many as 30 to 40 times. When employees were unable to open a file right away, often they forwarded it to the IT department for assistance. This increases the risks further still, since IT staff are likely to trust their colleagues and run the "broken" file. On occasion, the recipients responded that they were not the intended recipient and instead offered the name of another person at the company.
Sending messages from fake companies is an increasingly ineffective tactic (causing only 11% of risky actions), but sending messages from the account of a real company and person increases the odds of success considerably (to 33%).
“Attackers take advantage of fear, greed, hope, excitement, or any other imaginable emotion to trick recipients into ignoring their better judgment,” the company said in its report. “The subject is often the reason that compels an employee to open a letter, click a link, or download and run a file." Subject lines carry the most risk include those that mention a firing (38%) and those that mention bonuses (25%).
Email is not the only method in the social engineering toolbox. Criminals often call employees by phone, claiming to be from technical support, and request a certain action or information from the employee. This could be a phone call early Sunday morning asking the employee to come to the office, for example. The criminal tells the irritated employee that everything can actually be fixed and there is no need to come in – as long as the employee gives his or her password over the phone.
Also, 71% of employees replied to messages on Facebook during pentesting, and 21% opened the link included in the message.
“To reduce the risk of successful social engineering attacks, it is important to hold regular trainings and test how well each employee follows security principles in practice. Whilst people are often the weakest link in your organization, businesses can benefit a lot by fostering a security-positive culture,” said Galloway.