• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Industry News   »   Cybercrime   »   Employees may be a company’s biggest cybersecurity risk: The threat of social engineering

Employees may be a company’s biggest cybersecurity risk: The threat of social engineering

  • Posted on:November 16, 2014
  • Posted in:Cybercrime, Industry News, Vulnerabilities & Exploits
  • Posted by:
    Trend Micro
0

There are a number of ways cybercriminals can infiltrate an enterprise, but new research suggests that the biggest weakness to most companies may be the employees themselves. Malicious actors are increasingly utilizing a technique known as social engineering. While there are multiple forms of social engineering attacks, the most common come in the form of phishing emails that use personal details to make them seem more authentic and trick readers into providing privileged information.

While most Internet users have gotten better at spotting fake sites and phony emails, social engineering enables attackers to use information readily available on the Internet to tailor an attack specifically for the victim, tricking them into thinking it’s the real deal. Other schemes use particular wording to pressure readers into clicking on the links contained in the message, such as threatening to give bad feedback on an e-commerce site or claiming to be from a utility company that is going to terminate service unless action is taken.

There is a phishing campaign currently running that uses subject lines related to the recent Ebola outbreak – things like “What You Need to Know About the Deadly Ebola Outbreak” and “The #1 Food Items You’ll Need in an EBOLA Crisis” – which claims to share information from the World Health Organization. However, the link to the attached file that supposedly contains safety tips actually installs the DarkComet Trojan malware on victims’ devices, providing attackers with remote access to the compromised machine.

Phishing schemes on the rise
Corporations and even governments are being targeted by a growing number of sustained, sophisticated spear phishing campaigns. According to research by Symantec, data breaches resulting from spear phishing have increased 62 percent since last year. Symantec’s recent “Internet Security Threat Report” found that, while the total number of emails used in phishing campaigns and the overall number of targets have decreased, spear phishing campaigns themselves saw a massive increase in 2013, growing 91 percent.

According to Kevin Haley, director of Symantec Security Response, attackers are beginning to favor the use of less frequent, large scale attacks over multiple minor ones.

“One mega breach can be worth 50 smaller attacks,” said Haley. “While the level of sophistication continues to grow among attackers, what was surprising last year was their willingness to be a lot more patient – waiting to strike until the reward is bigger and better.”

A separate study by Trend Micro found that not only are these types of attacks becoming more prevalent, IT workers are growing more worried about their effects. Trend Micro’s recent “2014 Cyberthreat Defense Report” found that malware and phishing attacks were the types of cyberthreats that caused the most concern for the IT professionals surveyed.

At the same time, the study also revealed that respondents were almost twice as concerned about external threats as internal ones, despite the increased worry related to phishing attacks. Only 5 percent of participants reported being significantly more concerned about internal threats, suggesting most decision-makers aren’t aware of where the real enterprise threats originate from.

Hackers show a shift in attack targets
While cybercriminals have changed their methods to employ social engineering and phishing attacks more frequently, and large scale attacks are being favored over frequent minor ones, hackers have also begun targeting organizations in different agencies than they once did.

“Traditionally, manufacturing and mining companies have not had to worry about information security threats as much as say, financial services, as the primary adversaries were cybercriminals,” said Rohyt Belani, CEO and co-founder of PhishMe. “However, with the rise of the nation-state actors these industries are under constant attack as the proverbial ‘pot of gold’ of proprietary information and intellectual property is very lucrative. The lack of an IT savvy workforce and appropriate budgets to fund cyber-security efforts further exacerbate the problem.”

The Symantec study found that one-third of organizations in the mining, government and manufacturing sectors have suffered at least one spear phishing attack in the last year.

Education, threat protection best best for security
One simple way for users to know if an email they’ve received is fraudulent or not is to check the address of the sender. Oftentimes a quick review of the web address hosting the email will reveal a phony shell site used for malicious purposes. Educating employees on easy tricks to remember when interacting with links in email messages can drastically improve an organization’s cybersecurity posture.

In an interview with SecurityWeek, vice president and principal analyst for Forrester Research Ed Ferrara noted that organizations that effectively mitigate the effects of a breach and properly manage the fallout from an intrusion can actually improve the customer perception of an enterprise, while poorly handling a cyber attack can ruin a company’s reputation forever. Utilizing defense techniques designed to identify targeted attacks within emails can help not only to educate workers about the risks associated with online communication but reduce the likelihood of experiencing a breach.

Related posts:

  1. Social engineering attacks on the rise, part 2: social media and Iranian schemes
  2. As exploitable software flaws decline, social engineering rises
  3. Social engineering attacks on the rise, part 1: eBay breach
  4. Social engineering plus pizza equals credit card fraud

Security Intelligence Blog

  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack
  • Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Answering IoT Security Questions for CISOs
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • How To Be An Informed Skeptic About Security Predictions
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Trend Micro Selected as Launch Partner for AWS Ingress Routing Service and Stalkerware on the Rise
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • The Shared Responsibility Model
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • What Worries CISOs Most In 2019

Follow Us

Trend Micro In The News

  • Trend Micro Takes On Palo Alto Networks With Cloud Conformity Buy
  • Trend Micro Partners with Snyk to Fix Vulnerabilities for DevOps
  • Trend Micro Partners With Snyk To Advance DevSecOps
  • Hackers to stress-test Facebook Portal at hacking contest
  • NEW TECH: Trend Micro inserts 'X' factor into 'EDR' - endpoint detection response
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.