17 percent of employees fall for social engineering attacks
Employees are still falling for social engineering techniques leading them to download malicious files, click phishing links, correspond with hackers, and even share contact information for their colleagues.
Enterprise security specialist Positive Technologies imitated the actions of hackers by sending emails to employees with links to websites, password entry forms, and attachments.
In total, 3,332 messages were sent. If the 'attacks' had been real, 17 percent of these messages would have led to a compromise of the employee's workstation and, ultimately, the entire corporate infrastructure.
The findings show the most effective method of social engineering is to send an email with a phishing link. 27 percent of recipients clicked the link, which led to a special website. Users often glance over or ignore the address, leaving them unaware that they are visiting a fake site.
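The mismatch the survey relies on, between where a link appears to go and where it actually goes, is something mail gateways and awareness tooling can check mechanically. The following is an added example, not code from Positive Technologies or the report; it assumes a hypothetical trusted-domain allowlist and uses a constructed HTML email body. It extracts every link, flags hosts outside the allowlist, and flags anchors whose visible text names a different domain than the href target.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the report). The first link shows one
# address in its text while pointing at a lookalike host on another domain.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Please
<a href="http://mail-example-corp.com.example.net/login">sign in to https://mail.example-corp.com</a>
to free up space.</p>
<p>Policy documents:
<a href="https://intranet.example-corp.com/policies">intranet.example-corp.com/policies</a></p>
<p>Questions? <a href="mailto:helpdesk@example-corp.com">contact the helpdesk</a></p>
"""

# Hypothetical allowlist of domains the organisation actually owns.
TRUSTED_DOMAINS = {"example-corp.com"}

# Finds a bare or schemed hostname inside anchor text, e.g. "https://mail.example-corp.com".
URL_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive 'last two labels' reduction; adequate for .com-style TLDs in this example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_link(href, text):
    """Return 'ok', 'mailto', or a 'suspicious: ...' verdict for one link."""
    parsed = urlparse(href)
    if parsed.scheme == "mailto":
        return "mailto"
    host = parsed.hostname or ""
    reasons = []
    # Hosts outside the allowlist, including lookalikes that merely contain the brand.
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        reasons.append("untrusted domain " + host)
    # Visible text that names a different domain than the real target.
    shown = URL_RE.search(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append("anchor text shows %s but link goes to %s" % (shown.group(1), host))
    return "suspicious: " + "; ".join(reasons) if reasons else "ok"


def audit_email(html):
    """Return a list of (href, verdict) for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, classify_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, verdict in audit_email(SAMPLE_EMAIL_HTML):
        print(verdict, "<-", href)
```

The lookalike host in the sample is flagged twice: once because its registrable domain is not on the allowlist, and once because the anchor text advertises the genuine domain. Real deployments would replace the naive domain reduction with a public-suffix lookup and feed the verdicts into quarantine or user-facing warnings.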
"To make the emails more effective, attackers may combine different methods: a single message may contain a malicious file and a link, which leads to a website containing multiple exploits and a password entry form," says Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies. "Malicious attachments can be blocked by properly configured antivirus protection; however, there is no surefire way to prevent users from being tricked into divulging their password."
Recipients often open unknown files and click suspicious links, in some cases even complaining that the malicious files or links will not open. Employees unable to open a file right away often forwarded it to the IT department for assistance. This increases the risks further still, since IT staff are likely to trust their colleagues and run the 'broken' file.
Sending messages from fake companies is becoming a less effective tactic (causing only 11 percent of risky actions), but sending messages from the account of a real company and person increases the odds of success considerably (to 33 percent).
Social engineering techniques are not restricted to email either. Criminals often call employees by phone, claiming to be from technical support, and request a certain action or information from the employee. This could be a phone call early Sunday morning asking the employee to come to the office, for example. The criminal tells the irritated employee that everything can actually be fixed and there is no need to come in -- as long as the employee gives their password over the phone.
Galloway adds, "To reduce the risk of successful social engineering attacks, it is important to hold regular trainings and test how well each employee follows security principles in practice. Whilst people are often the weakest link in your organization, businesses can benefit a lot by fostering a security-positive culture."
You can find out more in the full report on the Positive Technologies site.