Nearly all successful email-based cyber attacks require the target to open files, click on links, or carry out some other action.
While a tiny fraction of attacks rely on exploit kits and known software vulnerabilities to compromise systems, the vast majority of campaigns, 99%, require some level of human input to execute. These interactions can also enabling macros, so malicious code can be run.
The finding comes from Proofpoint’s Annual Human Factor Report, a paper based on 18-months of data collected from the cybersecurity company’s customers.
Sometimes it seems easy to blame users for falling victim to phishing attacks, but campaigns are becoming increasingly sophisticated. It’s often difficult to distinguish a malicious email from a regular one because attackers will tailor attacks to look as if they come from a trusted source, such as cloud service providers like Microsoft or Google, colleagues, or even the boss.
This social engineering is the key element in conducting campaigns: the report even states that attackers are even mimicking the routines of businesses to ensure the best chance of success.
For example, a user might be suspicious of an email claiming to come from a colleague which arrived in the middle of the night, but one which arrives in the middle of the working day is more likely to be treated as a legitimate email, with the potential for the victim to accidentally set the ball rolling for an attack.
Phishing is one of the cheapest, easiest cyber attacks for criminals to deploy – but the reason it remains a cornerstone of hacking campaigns is because, put simply, phishing works.
“Cybercriminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” said Kevin Epstein, vice president of threat operations for Proofpoint.
“More than 99 percent of cyberattacks rely on human interaction to work—making individual users the last line of defense. To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users,” he added.
While many phishing attacks are designed to look highly legitimate, there are ways to identify what could potentially be a malicious attack.
For example, unexpected emails which are based around a sense of urgency could be viewed as suspicious. If a user is in doubt, they could contact the supposed sender of the message to see if it is a legitimate message.
It’s also worth noting that cloud service providers like Microsoft and Google won’t ask users to click through unexpected links to enter login credentials and other information. If a user is suspicious of a supposed login URL, they can bypass the link by going direct to the provider itself and entering their details there.
Organisations should also ensure that software updates and security patches are regularly applied, so in the case of someone accidentally clicking a link, malware which relies on known vulnerabilities can’t operate.