How do criminals choose their victims? Studies conducted with muggers suggest they identify easy victims by their body language. Those who exude the least confidence are sending out a MUG ME message, the criminals in these studies say.
It’s the opposite online, according to our conversation with cyber crime expert Aaron Higbee, who co-founded PhishMe in order to help protect companies. Often the biggest liabilities online are those who appear to be the most confident. Their constant humble-bragging on social media is practically an invitation to burglars, according to Higbee, because the more of yourself you put out there, the better equipped the confidence tricksters are.
“There isn’t a specific rule of choosing victims, but employees that are easily visible are often targeted,” Higbee tells Microscope. Personally identifiable data, gushed onto social media accounts, soon has the predators circling. A Twitter profile gives hackers an accurate picture of the target’s activity, location, likes and dislikes.
The smart phishers will go after the biggest blubbers, such as members of the management team, in a selection process known as “whaling”.
How do they bait their hooks? I’ve found that if I tell a CMO I loved his presentation - even if I wasn’t even at the show - they fall hook, line and sinker for my request for an interview. Sadly, most chief marketing officers talk about as much sense as whale music, so this ploy never gets me anywhere. Still, egos are clearly the key to unlocking secrets.
Flattery is one tactic, but Higbee reports a rise in ‘double barrel’ attacks, which sound like they are inspired by the ‘good cop, bad cop’ tactics that are only ever employed by detectives on TV shows.
The ploy centres on two emails sent consecutively, one benign and the other containing the malicious element. But in the main, hackers are concentrating on thinking up new ways to hook victims with advanced social engineering tactics. The recipes for preparing this bait all call for publicly available information from social media.
Sometimes, a simple email, pretending to be from the Chief Financial Officer to the accounts department, works. These small (but frequent) requests to transfer money often pass under the radar of scepticism. The most effective phishing emails are written in an “office communication” style, and the phishers often back them up with bogus voicemails.
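A defender’s view of that CFO-to-accounts ruse, as an added example that is not part of the original column or of PhishMe’s product: a small triage script that checks inbound mail for an executive’s display name on an outside address, a diverted Reply-To, and a transfer request paired with urgency. The company domain, executive list, keyword lists and sample messages are all constructed for illustration.

```python
# Added example: flags mail that fits the "CFO to accounts" ruse. The
# heuristics, names and samples are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed CFO name and address
TRANSFER_RE = re.compile(r"\b(wire|transfer|payment|invoice)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|asap|immediately|today|before noon)\b", re.I)


def score_message(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    # 1. An executive's display name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{name}' used from external domain {domain}")
    # 2. Replies would be diverted to a different mailbox than the sender.
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # 3. A money request combined with pressure to act right now.
    body = "" if msg.is_multipart() else msg.get_payload()
    if TRANSFER_RE.search(body) and URGENCY_RE.search(body):
        reasons.append("body requests a transfer and presses for urgency")
    return reasons


# Constructed sample: look-alike domain, diverted replies, urgent transfer.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.cfo@mail-relay.test
To: accounts@example.com
Subject: Quick favour

I need an urgent wire transfer sent before noon today. I'm in meetings, so
please just handle it and confirm by reply. Jane
"""

# Constructed sample: the real address, a routine request, no urgency.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Weekly invoice run

Please process the attached invoices in the normal weekly run. Jane
"""
```

Run `score_message(SAMPLE_PHISH)` to see all three indicators fire, and `score_message(SAMPLE_LEGIT)` to confirm the routine internal request produces none.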
When are we at our most gullible? When we’re tired? Just after lunch on Friday?
No, again, the online universe has completely opposite logic. We’re all at our most gullible in the morning, says Higbee’s latest PhishMe Susceptibility Report. For many, the hours between 8am and 11am are when they are at their brightest and most alert, but, apparently, it’s also the time when they are most susceptible.
“This is when employees are sifting through their inboxes and identifying emails they have to take immediate action on. Attackers are aware of this and very often rely on the employees’ sense of urgency to act on something that seems of high importance,” says Higbee.
PhishMe has found that most employees respond to phishing emails as soon as they access their email inboxes, and 87% generally do so on the same day the email is sent. So sober, efficient workers are the biggest liability!
They are repeat offenders too. Employees who react to phishing emails are 67% more likely to respond to another phishing attempt. It takes four simulations for them to fully wise up, it seems.
What are the best ‘convincers’ that Phishers use?
It’s all about prompting humans into sharing sensitive information, says Higbee. Hackers know the right buttons to push because they study their target victims. “Generally, the most susceptible victims experience emotions such as greed, curiosity, anxiety or fear when responding to emails, and these are often used as emotional triggers,” says Higbee.
If only there were some way to harness the ingenuity of these phishers. They would make fantastic salespeople. What a team they would make if only their creativity could be channelled.
Many employees have fallen for a prize or reward, or for an employee raffle. Historically, hackers have exploited world events, like a tsunami, a disease outbreak or a political coup. The Referendum created a surge in activity, exploiting social media loudmouths to put their names onto phoney petitions. I can guess which side was the most gullible. But I’m not telling you. The less personal information we share, the better!
PhishMe, meanwhile, deserves to recruit some disciples. But they want fishers of men, not Phishermen.