Spear-phishing and social engineering are the most commonly used attack vectors in data breaches. Nation-state actors and financially motivated cybercriminals regularly exploit the fact that human beings are the weakest link in most security systems.
There’s no patch for human stupidity
Typically, social engineering attacks will involve sending spear-phishing emails containing a malicious attachment (often a document with a macro) or a link to a malicious website that will harvest the victim’s username and password.
In many cases, spear-phishing campaigns are supported by phone social engineering attacks, where the attacker impersonates an individual of authority and coerces the victim on the phone into clicking on the email or opening the attachment. Our own research shows that a phone pretext drastically increases the chance of getting a target to fall prey to the payload delivered in an email.
Awareness training — insufficient and ineffective
Most companies deal with the threat from social engineering by attempting to educate their staff on the dangers of opening an email or revealing information to a stranger on the phone.
Unfortunately, this awareness approach has been shown to have very low success rates. Even staff who received training a week before a social engineering simulation fall victim to the attacks at alarmingly high rates. In short — you can’t rely on the human to do the right thing.
Even worse, a social engineering campaign only requires one victim for the attacker to establish a foothold on the network. Even if training reduced the number of victims to just one in a hundred, the attacker has still succeeded.
What about spam filtering?
Spam filtering and email blacklists are of limited value in preventing these attacks, as they attempt to ‘enumerate badness’ (much like antivirus signatures). Even when heuristics are applied, they can only catch attacks that have been seen before.
In a targeted campaign, the attacker will carefully craft the email to bypass spam and anti-phishing controls. They will also not reuse the email infrastructure they have used in other campaigns, as it may by now be ‘burned’ and listed on various blacklists.
Note also that the attacker can keep retrying the attack with different scenarios, and can vary the target spread from hundreds of recipients down to a single, specifically chosen victim. As a result, this attack vector is extremely difficult to protect against.
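As an added example (this is not code from the original article), the following Python script shows the ‘enumerate badness’ problem in concrete terms: a sender-domain blacklist built from earlier campaigns says nothing about mail from fresh infrastructure, whereas checks on the structure of the message itself (a link whose visible text and real target host disagree, or a macro-capable Office attachment) do not depend on the sender having been seen before. The sample message, the blacklist contents and all function names are constructed for this illustration; as the article notes, a careful attacker will also craft around checks like these, so they are a triage aid rather than a complete control.

```python
"""Sender blacklist ('enumerate badness') versus structural checks on a message.

Example code added to this article; it is not from the original post.
The sample message, blacklist contents and function names are constructed
for illustration.
"""
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: sender domains observed in earlier campaigns. A fresh campaign
# sent from never-seen infrastructure will not appear here.
KNOWN_BAD_DOMAINS = {"old-campaign.example", "burned-sender.example"}

# Constructed: Office extensions that can carry VBA macros.
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".pptm"}

# Constructed sample: a spear-phishing style message from fresh infrastructure,
# with a link whose visible text disagrees with its target and a .docm attachment.
SAMPLE_EMAIL = (
    'From: "Finance Director" <director@invoice-portal.example>\n'
    "To: victim@corp.example\n"
    "Subject: Urgent: signed invoice\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BOUNDARY"\n'
    "\n"
    "--BOUNDARY\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    '<p>Please review: <a href="http://credential-harvest.example/login">'
    "https://sso.corp.example/login</a></p>\n"
    "--BOUNDARY\n"
    'Content-Type: application/octet-stream; name="invoice.docm"\n'
    'Content-Disposition: attachment; filename="invoice.docm"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "UEsDBBQ=\n"
    "--BOUNDARY--\n"
)

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_domain(msg):
    """Domain of the From: address, lower-cased."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def link_mismatches(html):
    """Return (visible_host, real_host) pairs where the link text shows a URL
    whose host differs from the href host (a classic credential-harvest cue)."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if not visible.lower().startswith(("http://", "https://")):
            continue
        shown, real = urlparse(visible).hostname, urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            found.append((shown.lower(), real.lower()))
    return found


def macro_attachments(msg):
    """Filenames of attachments whose extension can carry VBA macros."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in MACRO_CAPABLE:
            names.append(name)
    return names


def triage(raw_message, blacklist):
    """Run the blacklist check and the structural checks; report both."""
    msg = message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    mismatches = link_mismatches(html)
    macros = macro_attachments(msg)
    if domain in blacklist:
        verdict = "blacklisted"
    elif mismatches or macros:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "sender_domain": domain,
        "blacklisted": domain in blacklist,
        "link_mismatches": mismatches,
        "macro_attachments": macros,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # The blacklist misses the fresh domain; the structural checks still flag it.
    print(triage(SAMPLE_EMAIL, KNOWN_BAD_DOMAINS))
```

Running the script against the constructed message reports `blacklisted: False` (the sender domain was never seen before) but a `suspicious` verdict from the link mismatch and the `.docm` attachment. The point is the asymmetry: the blacklist only ever knows about the past, while the structural checks look at what the message is trying to do.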