The final speaker at Tessian’s first Human Layer Security Summit was Glyn Wintle, the CTO and co-founder of Tradecraft (formerly DXW Cyber), a security consulting agency that uses social engineering tactics, technical work, open intelligence sources, and attacks on physical locations to breach clients’ systems.
In other words, he’s an ethical hacker, although he prefers “friendly hacker”.
During his presentation, he explained how hackers combine psychology and technical know-how to create highly targeted and highly effective phishing attacks on people.
Based on his insights, we’ve put together 7 tips to help you avoid social engineering schemes like phishing attacks.
Glyn started his presentation with one clear and concise statement: Breaking in is easier than defending. And, he’s right.
Attacks like phishing emails rely on power in numbers, meaning that only one person has to follow a link, click an attachment, share personal information, or make a bank transfer for the hacker to be successful.
Interestingly, though, employees tend to be incredibly confident in their ability to spot phishing emails; only 3% of people think it’s difficult to spot a phish. The general consensus, especially amongst employees at organizations where security awareness training is required, is that “only idiots fall for scams”.
While that may be the case with the more blatantly obvious scams – for example, an email coming from a Nigerian Prince claiming they’d like to share their fortune with you if you share your bank account details – hackers have an arsenal of techniques to dupe even the most discerning eye.
This is especially the case in spear phishing attacks where hackers might spend days or even weeks researching their target to craft a perfectly believable email. With social platforms like LinkedIn, they can easily uncover not just a company’s organizational structure, but more timely information about individuals like when they’re attending a conference.
This is powerful ammunition for a spear phishing attack.
People tend to be familiar with phishing and spear phishing attacks that rely on an emotional response – fear, urgency, stress – often triggered by an email that appears to be sent from a person in power. They work, really well. But enterprising scams are just as powerful.
Glyn cited an example in which a company made a public announcement that it recently received VC funding. Based on the press release, a savvy hacker contacted the Venture Capital firm impersonating the company. The hacker was able to create a convincing email relationship with the Venture Capital firm and this trust enabled the hacker to successfully get the VC to transfer the funds into their account.
People sometimes mistakenly think the solution to this is to hide all information. But often there’s a reason why information was and is made public. Making sure people know what information is public or not can help.
People – especially in work environments – tend to move and work quickly. Because of that, and despite training, they might not think twice about irregularities in email addresses, URLs, or landing pages in pursuit of being productive. What’s more, expecting people to double check every thing will not work. They will not get any work done.
Management must understand that people make mistakes; expecting them to be hyper vigilant at all times cannot be the solution. There are technical measures that can be used to warn someone that something abnormal is happening.
Showing users who do have the privileges to do harmful things what real targeted phishing emails look like can help. But you must also find ways to make their lives easier. Telling them “this is really hard” then saying “best of luck”, is not setting them up for success.
If nothing else, hackers are inventive. Glyn cited one example where, instead of emailing a target pretending to be someone else, they’ll simply CC individuals into a conversation that genuinely has nothing to do with them.
The email message will allude to a secret or piece of sensitive information; potentially with a malicious link to the alleged source or malicious attachment. It seems rudimentary but it works.
More often than not, the target will follow the link or attachment, thinking they’re gaining access to something highly confidential.
In reality, they will have installed malware on their computer.
While a lot of hackers will use urgency to incite action, that’s not the only tactic they employ.
In fact, a tried-and-tested technique according to Glyn is to request an action within two working days.
“If you’re impersonating a company and targeting employees, and you say something must be actioned within two working days, you will get much higher hit rates.”
While mobile phones have no doubt made it easier for us to stay connected, they’ve also made it even easier for hackers to pull off successful phishing attacks given the smaller screens and differences in functionality, especially after hours.
“I love mobiles. But if you’re targeting someone on mobile, the rules change. You probably want to do it on a Friday night, when alcohol might be involved, especially because the smaller web browser makes it hard to see who the sender is or tell what exactly the URL is.”
But, it’s not smaller browsers that make mobiles risky. Smishing and vishing are also on the rise, meaning email isn’t the only threat vector to be weary of.
While there are certainly steps individuals can take to prevent themselves from falling victim to a phishing scam, if organizations really want to protect their people, they have to implement security solutions.