People are the weakest link in a company's cyber security strategy. Survey figures show that 75% of large organisations and 31% of small businesses in the UK had a staff-related security breach in 2015, compared with 58% and 31% respectively in 2014.
Manipulative tactics to obtain information
Cyber criminals use a multitude of tactics and attacks to manipulate inattentive staff and to access the most valuable asset that companies possess: information – customers’ and employees’ personal details, financial information, intellectual property and so on.
The criminals are pragmatic: they understand that getting a person to do something for them raises the likelihood of success while costing fewer resources. Rather than spending enormous effort trying to get in the hard way, they prefer to drop their bait via email campaigns or on social media and wait for someone to swallow it.
Three tactics identified
A recent study published by Proofpoint uncovered three tactics that attackers use to exert control over people. In all three cases, people are manipulated to such a degree that they voluntarily do what attackers ask.
Tactic 1 – People run attackers’ code
Email phishing campaigns and social media platforms are the preferred vehicles for this tactic because they reach the largest number of people and so maximise the likelihood of success. The tactic relies on social engineering, exploiting greed, curiosity, anger and naivety, to get victims to click on malicious links, open and share infected attachments and documents, and let the malicious code run. Attackers don't waste time trying to break through the company's perimeter to spread the malicious code: they wait for careless staff to carry it in for them.
Tactic 2 – People hand over credentials to attackers
In this case, the attacker knows who in the company they want to reach: usually a key member of staff with access to specific or restricted systems. Through a phishing email or a vishing (voice phishing) call, attackers dupe your staff by pretending to be someone they trust or should trust (a bank employee or a police officer, for instance) in order to induce them to reveal access credentials for confidential accounts, bank accounts and so on.
Tactic 3 – People do what attackers ask
This tactic is the basis of whaling campaigns (also known as CEO fraud): it targets low-level staff in key departments, such as finance, on the assumption that they carry out orders from higher-ups without asking questions. Attackers impersonate a top figure in the company and ask for things like wire transfers of funds. The theft is hard to spot because it is your own staff who arrange what looks like a legitimate transfer of money.
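As an added example, not code from the original post or from the Proofpoint study it cites, the routine below shows what an automated first-pass check for the three tactics looks like in practice: it parses a message and flags executable attachments (Tactic 1), lookalike sender domains used to impersonate a trusted party (Tactic 2), and executive display-name impersonation with a redirected Reply-To and payment language (Tactic 3). The company domain `example.com`, the executive list, the risky-extension list and all four sample messages are constructed assumptions for the demonstration.

```python
"""Header and attachment heuristics for the three manipulation tactics.

Added example: every domain, name, extension list and sample message here is
constructed for illustration, not taken from a real mail flow.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumption: the company's own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumption: display name -> real address
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".docm", ".xlsm")
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "bank details")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(msg: EmailMessage) -> list[str]:
    """Return the heuristic findings for one message; an empty list means none fired."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)

    # Tactic 3: a known executive's display name on an address that is not theirs
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"executive display name '{name}' used with {addr}")

    # Tactics 2 and 3: sender domain is a near miss of our own (examp1e.com vs example.com)
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 1:
        findings.append(f"lookalike sender domain {from_domain}")

    # Replies silently redirected to a third-party mailbox
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} does not match From domain {from_domain}")

    # Tactic 1: attachment types that execute when opened
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment {fname}")

    # Payment language on its own is normal for finance; it matters with another signal
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if findings and any(word in text for word in PAYMENT_WORDS):
        findings.append("payment request from suspicious sender")
    return findings


def triage_raw(raw: bytes) -> list[str]:
    """Parse an RFC 5322 message from bytes (as a mail gateway would) and triage it."""
    return triage(email.message_from_bytes(raw, policy=policy.default))


def build_samples() -> dict[str, bytes]:
    """Constructed sample mails: one per tactic plus a benign control."""
    whaling = EmailMessage()
    whaling["From"] = "Jane Doe <jane.doe@examp1e.com>"
    whaling["Reply-To"] = "jane.doe.ceo@webmail.invalid"
    whaling["To"] = "accounts@example.com"
    whaling["Subject"] = "Urgent wire transfer"
    whaling.set_content("Please arrange the wire transfer today, I am in meetings.")

    cred_phish = EmailMessage()
    cred_phish["From"] = "IT Helpdesk <helpdesk@exampie.com>"
    cred_phish["To"] = "staff@example.com"
    cred_phish["Subject"] = "Password expiry"
    cred_phish.set_content("Your password expires today, sign in at the link to keep access.")

    malware = EmailMessage()
    malware["From"] = "Accounts Payable <ap@supplier.invalid>"
    malware["To"] = "accounts@example.com"
    malware["Subject"] = "Invoice 4471"
    malware.set_content("Invoice attached, please open.")
    malware.add_attachment(b"// constructed placeholder, not real malware",
                           maintype="application", subtype="javascript",
                           filename="invoice.js")

    benign = EmailMessage()
    benign["From"] = "Jane Doe <jane.doe@example.com>"
    benign["To"] = "accounts@example.com"
    benign["Subject"] = "Q3 budget"
    benign.set_content("Budget notes attached, thanks.")

    return {"whaling": whaling.as_bytes(), "cred_phish": cred_phish.as_bytes(),
            "malware": malware.as_bytes(), "benign": benign.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, triage_raw(raw) or "clean")
```

The point of the combined check is the last rule: an urgent payment request is routine in a finance inbox, so it only becomes a finding when it arrives alongside an impersonation signal such as a lookalike domain or a mismatched Reply-To. Real deployments would add SPF/DKIM/DMARC results and a Levenshtein threshold tuned to the length of the company's domain.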
Protect your staff from manipulation
Avoiding falling victim to phishing, whaling and vishing attacks is not always easy, especially if your staff don't know how these attacks work or how to protect themselves. That's why we developed the Phishing Staff Awareness e-learning course: written in non-technical language, it explores the latest techniques cyber criminals are using to dupe your staff, and gives useful tips and guidance on how to spot the bait and stay cyber secure.