“It doesn’t matter how deep or high your walls are if somebody opens the gate and lets the enemy walk right in,” say Rotem Iram and Omri Zaid, members of K2 Intelligence’s Cyber Investigations and Defense practice. “It’s not that sophisticated—any kid at home can fake an email and start phishing. He could probably even change the origin of the email to make it look like it came from the CEO.”
Attacking the human element of a cybersecurity system, or manipulating people into performing actions or divulging confidential information, is known in the trade as “social engineering.” A recent report by Verizon shows that 29 percent of all security breaches are social engineering attacks, and email phishing is the most common form. Most alarmingly, around 80 percent of recipients are prone to clicking on the fake messages, opening themselves and their organizations up to risk.
As well as prompting people to enter their email and password, phishing emails may ask recipients to click on links or download programs that contain malware. “The social engineering attack is only the first step—it gives hackers an entry point into an organization,” says Zaid. “Once they’ve got a bridgehead, they’ve got complete freedom to do almost anything they want in the system.”
That could mean stealing credit card details to sell on the black market, as happened to U.S. retailer Target, or they could work covertly, gathering confidential information from a company for years.
While it has not been proven that the hackers who grabbed private celebrity images from Apple’s iCloud did so by phishing, or by any other method, the story itself has spawned a genuine phishing campaign. Cyber criminals are now using the uproar around the security of iCloud to send fake emails purporting to be from Apple asking people to click on a link and confirm their Apple ID and password, which the hackers then steal.
But with highly realistic-looking emails and websites, and employees downloading documents as part of their jobs, how can companies and organizations protect themselves against social engineering attacks? Showing people the signs to look for in a fake email, and highlighting their awareness that such scams go on, are the only truly effective steps because it is the humans who are the weak link, says Iram.
K2 Intelligence is currently working with a client on a simulation of a phishing attack to show staff how easy it is to be fooled. We create a fake email and website and, in consultation with the company, choose a sample group of 500 employees to whom to send the phishing email. We then monitor which staff open it and follow the instructions, and pass on analytics detailing how many people fell for the scam and the particular departments or regions which were most susceptible. Cybersecurity training can then be directed where it is most needed.
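The analytics step of a simulation like the one described above can be illustrated with a small script. The following is an added example, not K2 Intelligence's tooling or any code from the original article; the campaign records it processes are constructed for illustration, and the field names (`employee_id`, `department`, `region`, `opened`, `submitted`) are assumptions. It groups outcomes by department and by region, reports the share of each group that followed the instructions, and picks the most susceptible group while ignoring groups too small to be meaningful, which is the figure training would be directed by.

```python
from collections import defaultdict

# Constructed sample results for illustration: one record per employee who
# received the simulated phishing email. "opened" means the message was
# opened; "submitted" means the recipient followed the instructions on the
# fake site, i.e. the outcome the text describes as "fell for the scam".
SIMULATION_RESULTS = [
    {"employee_id": "e001", "department": "Finance",     "region": "EMEA", "opened": True,  "submitted": True},
    {"employee_id": "e002", "department": "Finance",     "region": "EMEA", "opened": True,  "submitted": False},
    {"employee_id": "e003", "department": "Finance",     "region": "EMEA", "opened": False, "submitted": False},
    {"employee_id": "e004", "department": "Engineering", "region": "AMER", "opened": True,  "submitted": False},
    {"employee_id": "e005", "department": "Engineering", "region": "AMER", "opened": False, "submitted": False},
    {"employee_id": "e006", "department": "Engineering", "region": "AMER", "opened": False, "submitted": False},
    {"employee_id": "e007", "department": "Sales",       "region": "APAC", "opened": True,  "submitted": True},
    {"employee_id": "e008", "department": "Sales",       "region": "APAC", "opened": True,  "submitted": True},
    {"employee_id": "e009", "department": "Sales",       "region": "APAC", "opened": True,  "submitted": False},
    {"employee_id": "e010", "department": "HR",          "region": "EMEA", "opened": True,  "submitted": True},
]


def validate(records):
    """Return the ids of records that make no sense: submitting credentials
    on the fake site implies the email was opened. An empty list means clean data."""
    return [r["employee_id"] for r in records if r["submitted"] and not r["opened"]]


def susceptibility_by(records, key):
    """Group records by `key` ("department" or "region") and return, per group,
    how many were sent, opened and submitted, plus the submit rate."""
    counts = defaultdict(lambda: {"sent": 0, "opened": 0, "submitted": 0})
    for r in records:
        c = counts[r[key]]
        c["sent"] += 1
        c["opened"] += int(r["opened"])
        c["submitted"] += int(r["submitted"])
    for c in counts.values():
        c["rate"] = c["submitted"] / c["sent"]  # sent >= 1 for every group present
    return dict(counts)


def most_susceptible(records, key, minimum_sent=1):
    """Name of the group with the highest submit rate, ignoring groups smaller
    than `minimum_sent` so a single-person group cannot dominate the ranking."""
    stats = susceptibility_by(records, key)
    eligible = {g: s for g, s in stats.items() if s["sent"] >= minimum_sent}
    if not eligible:
        return None
    # Highest rate first; ties broken alphabetically for deterministic output.
    return sorted(eligible, key=lambda g: (-eligible[g]["rate"], g))[0]


def overall_rate(records):
    """Fraction of all recipients who followed the instructions."""
    return sum(r["submitted"] for r in records) / len(records) if records else 0.0


if __name__ == "__main__":
    bad = validate(SIMULATION_RESULTS)
    if bad:
        raise SystemExit(f"inconsistent records: {bad}")
    for key in ("department", "region"):
        print(f"--- by {key} ---")
        for group, s in sorted(susceptibility_by(SIMULATION_RESULTS, key).items()):
            print(f"{group:12s} sent={s['sent']} opened={s['opened']} "
                  f"submitted={s['submitted']} rate={s['rate']:.0%}")
        print("most susceptible (groups of 2+):",
              most_susceptible(SIMULATION_RESULTS, key, minimum_sent=2))
    print(f"overall: {overall_rate(SIMULATION_RESULTS):.0%}")
```

The `minimum_sent` threshold matters in practice: with the constructed data, the one-person HR group has a 100 percent rate and would top the ranking, whereas requiring at least two recipients per group points at Sales, which is the more useful target for training. The `validate` step catches records where someone "submitted" without "opening", which in a real campaign usually indicates a tracking error rather than a genuinely susceptible employee.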
Once hackers are inside a system, they can sit there undisturbed for years, with most companies only realizing the problem after the damage has been done. In the case of Target mentioned above, the hack was discovered when people started calling their banks to complain their credit cards were being used fraudulently, and the banks spotted a pattern that all the cards had been used at Target. Prevention is the best possible form of protection.