Each year, threat actors continue to refine their use of social engineering, relying on human interaction rather than automated exploits to install malware, initiate fraudulent transactions, steal data, and engage in other malicious activities. Less than 1% of the attacks we observe make use of system vulnerabilities. The rest exploit “the human factor”: the instincts of curiosity and trust that lead well-intentioned people to click, download, install, open, and send money or data.
Below are key findings from 18 months of data on ways threat actors leverage the human factor presented in the 2019 Human Factor report. For more details, download the full report here.
Attackers target people, but "VAPs" are not necessarily who you might expect
“Very Attacked People” (VAPs) represent significant areas of risk for organizations. They tend to be either easily discovered identities or targets of opportunity like shared public accounts. Of the identified VAPs, 36% of the associated identities could be found online via corporate websites, social media, publications, and more. However, VAPs are often not the high-profile individuals in organizations we might expect, such as C-level executives. Rather, only 7% of executive emails could be found online. For the VIPs, though, who are also VAPs, almost 23% of their email identities could be discovered simply by a Google search. This intersection is an area of particular risk for organizations.
Looking across organizations, education, finance, and advertising/marketing were the industries with the highest average Attack Index, an aggregated measure of attack severity and risk.
Social engineering reaches critical mass
Social engineering became increasingly sophisticated and pervasive across email threats, from the spam that clogs inboxes to business email compromise schemes. Many social engineering tactics focused on the effective distribution of phishing templates and malware designed to obtain credentials for cloud applications, feeding further attacks. In contrast to just two years ago, malware distributed via email is far more focused on establishing a silent foothold in organizations to commit fraud and steal data and credentials rather than simply smash-and-grab via ransomware attacks.
For phishing actors, generic email harvesting accounted for almost 25% of all phishing schemes in 2018. In 2019, Microsoft Office 365 phishing has been the top scheme, but the focus remains credential harvesting. Conversely, in 2018 the most effective phishing schemes were dominated by “Brain Food,” a diet and brain enhancement affiliate scam that harvested cedit cards. However, 2019 has already seen a shift in terms of effectiveness towards cloud storage, DocuSign, and Microsoft cloud service phishing, aligning with the most common types of phishing.
Impostor attacks include schemes like business email compromise (BEC) and also include increasingly mainstream identity deception techniques used in a variety of scenarios supporting social engineering and more effective people-centered campaigns. 2018 saw impostor attacks at their highest levels in the engineering, automotive, and education industries. This likely reflects easily exploited supply chain complexities in the first two and high-value targets and user vulnerabilities—especially among student populations—in the latter.
Vectors multiply and attackers refine their targeting across a range of platforms
While social engineering themes vary widely by both actor and intended target, food, shelter, love, and money remained perennial favorites, feeding everything from threats of lawsuits over food poisoning in attacks on restaurants to rampant sextortion schemes targeting individuals.
BEC tactics, on the other hand —building rapport with attacked individuals, multiple points of contact, and creating a sense of urgency, among others—began appearing more frequently in attacks involving commodity malware.
At the same time, domain fraud and abuse ramped up even more, with attackers leveraging a range of techniques from look-alike domains to legitimate secure certificates to make malicious websites appear trustworthy.
For more information, download the complete 2019 Human Factor Report.