All organisations attempting to figure out how to prevent social engineering should note the findings of a new report. The security firm behind the research discovered that employees were continuing to fall prey to malicious files, phishing links and enticements by hackers.
The study performed penetration tests on employees by sending them emails containing links to websites, attachments and password entry forms.
What were the findings of the research?
Ten penetration tests were undertaken, with over 3,300 messages sent. 17% of these messages fooled recipients into taking actions that would have enabled attackers to compromise their workstation or the corporate network.
The report described the sending of an email with a phishing link as the most effective social engineering method. 27% of recipients clicked a link leading to a webpage that asked for credentials. Users were often unaware that the site was fake, having only glanced over or ignored the address.
Emails that combined an attachment with a webpage link drew a response from 15% of employees, while emails carrying an attachment alone drew responses from 7% of recipients.
Wide-ranging scope for vulnerability
The staffers that the study observed frequently opened unknown files, clicked suspicious links and even corresponded with the attackers. Testing found that employees working outside IT – such as lawyers, accountants and managers – constituted 88% of these overly trusting employees.
However, the firm added that these tests even duped 3% of security professionals. It’s a sign that even those in the security profession need to familiarise themselves with how to prevent social engineering within their organisation.
Also uncovered were cases of users who, unable to open the test malicious files or links, kept trying to open the files or entered their password on the fake site instead.
Perceived reputability of the source was another key factor. Messages sent from a fake company led to risky actions in just 11% of cases. However, this rose to 33% when a real company’s domain and a real person’s account were used to send the message.
The testers also chose subject lines with the aim of inspiring a response – as real-life attackers do. The result was a 38% response for “list of employees to be fired”, while “annual bonuses” prompted a 25% response. The report said that playing on emotions in this way often led to employees forgetting about basic security practices.
Learn how to prevent social engineering with us
Our solutions can play a big role in minimising instances of social engineering, phishing and cyber fraud at your business. Contact our team today to discuss our expertise in biometric verification, and what this could mean for your firm.