grandeduc - Fotolia
The report is based on penetration tests that sent emails to employees containing links to websites, password entry forms and attachments.
Across 10 penetration tests, more than 3,300 messages were sent, and 17% of them succeeded in tricking recipients into taking actions that would have resulted in a compromise of an employee’s workstation and potentially the entire corporate network, if the messages had been sent by attackers.
The most effective method of social engineering, the report said, is sending an email with a phishing link, with 27% of recipients clicking a link that led to a web page requesting credentials. The report noted that users often glance over or ignore the address, leaving them unaware that they are visiting a fake website.
In testing, 15% of employees responded to emails with an attachment and link to a web page, while 7% responded to test emails with an attachment.
“To make the emails more effective, attackers may combine different methods, so a single message may contain a malicious file and a link, which leads to a website containing multiple exploits and a password entry form,” said Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies. “Malicious attachments can be blocked by properly configured antivirus protection, but there is no surefire way to prevent users from being tricked into divulging their password.”
Employees often open unknown files, click suspicious links, and even correspond with attackers, the report said. In 88% of cases of such correspondence during testing, these overly trusting employees worked outside of IT, such as accountants, lawyers and managers, and 25% were team supervisors. But no one is immune from mistakes, the report said – 3% of security professionals also took the bait.
The study found that in some cases, where users found that the test malicious files or links would not open, they tried to open the files or enter their password on a fake site up to 40 times. When staff were unable to open a file right away, they often forwarded it to the IT department for assistance. This increases the risks still further, because IT staff are likely to trust their colleagues and run the “broken” file, the report said. In some cases, recipients responded that they were not the intended recipient and provided the contact details of another person at the company.
Read more about social engineering
The study found that while sending messages from fake companies resulted in only 11% of risky actions, sending messages from the account of a real company and person increased the odds of success considerably – to 33%. This latter technique was used by the Cobalt cyber criminal group, which sent phishing messages from the accounts of employees at real banks and systems integrators, which the group had previously compromised for this purpose.
Cyber criminals use fear, greed, hope and other emotions to make their attacks more effective, the report said. Subject lines are carefully chosen to inspire a response. For example, “list of employees to be fired” resulted in a 38% response and “annual bonuses” brought a 25% response. Emotional reactions are often enough to make employees forget about basic security rules, the report said.
Although email is a common and effective channel for social engineering, the report warned that criminals also call employees by phone, claiming to be from technical support, and request a certain action or information from the employee. This could be a phone call early on a Sunday morning, claiming that everything can be fixed if the employee gives his or her password over the phone.
“To reduce the risk of successful social engineering attacks, it is important to hold regular training sessions and test how well each employee follows security principles in practice,” said Galloway. “While people are often the weakest link in your organisation, businesses can benefit a lot by fostering a security positive culture.”
As wells as recommending that employees be on the look-out for potentially malicious links and attachments, the report recommended that organisations apply a number of simple measures to enhance protection from phishing email attacks, such as:
- Using the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols so that the internet domain of an email sender can be authenticated.
- Using the domain-based message authentication, reporting and conformance (Dmarc) protocol, which is an email authentication and reporting protocol designed to help ensure the authenticity of the sender’s identity.
- Looking up an IP address and identifying the sender’s host, as well as checking spam databases for the sender’s IP address.
- Blocking delivery of email attachments with extensions that are used in executable (.exe, .src), system (.dll, .sys), script (.bat, .js, .vbs), and other files (.js,.mht, .cmd).
- Implementing an on-demand malware detection system so that employees can send email attachments or any other files for scanning at any time.
- Scanning files both immediately before opening and retrospectively.
- Keeping operating system and application software up to date.
- Developing and implementing a program for improving the information security awareness of employees and testing this regularly.