Positive Technologies has released a new report with statistics on the success rates of social engineering attacks, based on the 10 largest and most illustrative pentesting projects performed for clients in 2016 and 2017.
To verify the security of corporate systems, testers imitated the actions of hackers by sending emails to employees with links to websites, password entry forms, and attachments. In total, 3,332 messages were sent. If the “attacks” had been real, 17 percent of these messages would have led to a compromise of the employee’s workstation and, ultimately, the entire corporate infrastructure.
The most effective method of social engineering was to send an email with a phishing link: 27 percent of recipients clicked the link, which led to a special website. Users often glance over or ignore the address, leaving them unaware that they are visiting a fake website.
“To make the emails more effective, attackers may combine different methods: a single message may contain a malicious file and a link, which leads to a website containing multiple exploits and a password entry form,” said Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies. “Malicious attachments can be blocked by properly configured antivirus protection; however, there is no surefire way to prevent users from being tricked into divulging their password.”
Employees often open unknown files, click suspicious links, and even correspond with attackers. In 88 percent of cases of such correspondence, these overly trusting employees worked outside of IT (such as accountants, lawyers, and managers). One quarter of these employees were team supervisors. However, no one is immune from mistakes: 3 percent of security professionals fell for the bait as well.
Furthermore, occasionally users complained that the malicious files or links would not open—in some cases trying to open the files, or enter their password on the site, a whopping 30 to 40 times. When employees were unable to open a file right away, often they forwarded it to the IT department for assistance. This increases the risks further still, since IT staff are likely to trust their colleagues and run the “broken” file. On occasion, the recipients responded that they were not the intended recipient and instead offered the name of another person at the company.
Sending messages from fake companies is an increasingly ineffective tactic (causing only 11% of risky actions), but sending messages from the account of a real company and person increases the odds of success considerably (to 33%). This latter technique is used by the Cobalt group, for example, which in its attacks sent phishing messages via fake domain names and from the accounts of employees at real banks and systems integrators, which the group had previously compromised for this purpose.
Cybercriminals use fear, greed, hope, and other emotions to make their attacks more effective. Subject lines are carefully chosen to inspire a response: “list of employees to be fired” (causing 38% of risky actions), “annual bonuses” (25%), and so on. Emotional reactions are often enough to make employees forget about basic security rules.
Email is not the only method in the social engineering toolbox. Criminals often call employees by phone, claiming to be from technical support, and request a certain action or information from the employee. This could be a phone call early Sunday morning asking the employee to come to the office, for example. The criminal tells the irritated employee that everything can actually be fixed and there is no need to come in—as long as the employee gives his or her password over the phone.
“To reduce the risk of successful social engineering attacks, it is important to hold regular trainings and test how well each employee follows security principles in practice. Whilst people are often the weakest link in your organization, businesses can benefit a lot by fostering a security positive culture,” said Leigh-Anne Galloway.