Cyber security training and policy management is imperative for businesses, according to the Hacking the Human OS report by Intel Security.
There is growing concern about the effect of cyber crime on the global economy, which is currently estimated to be around $445bn.
The report encourages businesses to address and educate employees on the “six levers of influence” being used in the digital world by hackers.
According to the report endorsed by the European Cyber Crime Centre (EC3), all businesses and employees should be aware of the basic persuasion techniques commonly used by cyber criminals.
These techniques are used by cyber criminals to manipulate employees to do things they would not usually do, often resulting in the loss of money or valuable data.
The report comes just days after spear phishing attacks were identified as the key initial step in what has been described in the most daring cyber heist to date, believed to have netted up to $1bn.
Bank computers and networks were breached by targeted phishing attacks, demonstrating the inherent weakness in the “human firewall” and the need to educate employees about the top persuasion techniques in use in the digital world, the report said.
Despite the huge role played by social engineering in cyber attacks, a recent study by Enterprise Management Associates found that only 56% of all workers had gone through any form of security or policy awareness training.
MORE ON SOCIAL ENGINEERING
- Pretexting: How to avoid social engineering scams
- Beating socially engineered malware with web browser security
- Socially engineered malware attacks: Enterprise defence best practices
- Social engineering attacks: Is security focused on the wrong problem?
- Combat social engineering attacks with these mantras
The scale of the problem is further underlined by the fact that two-thirds of the world’s email is now spam aiming to extort information and money.
The extent and severity of social engineering was highlighted by McAfee Labs, which identified a dramatic increase in the use of malicious URLs, with more than 30 million suspect URLs identified towards the end of 2014.
The increase is attributed to the use of new short URLs, which often hide malicious websites, and a sharp increase in phishing URLs.
These URLs are often “spoofed” to hide the true destination of the link and are frequently used by cyber criminals in phishing emails to trick employees.
With 18% of users targeted by a phishing email clicking on a malicious link, the increased use of these tactics is cause for concern, the report said.
This provides more incentive for consumers and employees to be on guard for the most prolific phishing and scam techniques currently in use, the report said.
Studies have indicated that around 80% of workers are unable to detect the most common and frequently used phishing scams.
“The most common theme we see when investigating data breaches today is the use of social engineering to co-erce the user into an action which facilitates malware infection,” said Raj Samani, chief technology officer for Europe at Intel Security and advisor at EC3.
“Cyber criminals have become expert at exploiting the subconscious of a trusted employee, often using many of the selling tactics we see in everyday life. Businesses must adapt and employ the right mix of controls for people, process and technology to mitigate their risk,” he said.
Paul Gillen, head of operations at EC3, said cyber criminals do not necessarily require substantial technical knowledge to achieve their objectives.
“Some well-known malicious tools are delivered using spear phishing emails and rely on psychological manipulation to infect victims’ computers,” he said.
“The targeted victims are persuaded to open allegedly legitimate and alluring email attachments or to click on a link in the body of the email that appeared to come from trusted sources,” added Gillen.
Six levers of influence
When people are provided with something, they tend to feel obligated and subsequently repay the favour.
People tend to comply when they believe something is in short supply. For example, a spoof email claiming to be from a bank asking the user to comply with a request or else have their account disabled within 24 hours.
Once targets have promised to do something, they usually stick to their promises because people do not wish to appear untrustworthy or unreliable. For example, a hacker posing as a company’s IT team could have an employee agree to abide by all security processes, and then ask them to perform a suspicious task supposedly in line with security requirements.
Targets are more likely to comply when the social engineer is someone they like. A hacker could use charm via the phone or online to win over an unsuspecting victim.
People tend to comply when a request comes from a figure of authority. This could be a targeted email to the finance team that might appear to come from the CEO or company president.
6. Social validation
People tend to comply when others are doing the same thing. For example, a phishing email might look as if it’s sent to a group of employees, which makes each employee believe that it must be okay if other colleagues also received the request.