By Patrick Harr, CEO, SlashNext
Wikipedia defines social engineering – aka “human hacking” – as “the psychological manipulation of people into performing actions or divulging confidential information.” In the case of cyber security, this information would be things like social security numbers, health records, banking information, login credentials, etc.
In the first half of 2021, SlashNext Threat Labs analyzed billions of domains and URLs for phishing attacks targeting humans at work and in their personal life. The key findings, published in the 2021 Human Hacking Report, use data collected from those attacks to provide insights on the current threat landscape so organizations can better protect their people and systems from quickly evolving phishing threats. This article will provide some of the report’s highlights.
Social Engineering Rose Significantly
According to the Human Hacking Report, social engineering rose 270% in 2021 vs. 2020. One of the reasons for this rise was the prevalence of scams for fake streaming sites and adware for the Olympic Games. Another contributing factor revolved around two major LinkedIn data breaches, which resulted in over a billion records being sold on the dark web. Cybercriminals are using attacks like these to gain access to corporate data, which leads to 91% of all successful cyber breaches – including ransomware attacks, data theft, and over $30B in financial fraud.
Phishing Attacks and Channels are Increasing
Eighty-five percent of data breaches involve human interaction, according to the Verizon Data Breach Investigations Report (DBIR) 2021. Furthermore, phishing is the most pervasive way to initiate that human interaction. It is the most effective tool to perpetrate data breaches, and it has moved to the number one position for ransomware attacks. Phishing has been growing exponentially for years, and while 2020 was a record-breaking year, its triple-digit spike was not an aberration: SlashNext Threat Labs saw a further 51% increase in 2021 vs. 2020.
Phishing is one of the riskiest forms of human hacking in terms of damage it can do to enterprises, and it goes far beyond email and spam. In fact, focusing on phishing as an email-only challenge gives threat actors the upper hand because today, there are countless additional threat channels to protect – from Zoom and Teams, to mobile phones, to social media.
Remote Work Opened the Floodgates
With the shift to remote and hybrid work come even more challenges. Cyber threat actors are capitalizing on channels that today’s distributed and remote workers are leveraging every day to enhance productivity, including SMS/text, Slack, LinkedIn, Zoom, Microsoft Teams, Google Meet, and WhatsApp. Employees tend to trust these collaborative platforms more than email because they are business tools, and the assumption is that they come with less risk than email. That assumption is wrong simply because employees (like all humans) are prone to making errors in judgment. In fact, humans do not stand a chance against sophisticated, targeted phishing attacks coming at them from all digital channels. Once-reliable security strategies, including secure email gateways (SEGs), firewalls, and proxy servers, are not enough to stop these new cyber threats. Security training, which is the last means of defense, is useless against these well-crafted attacks.
Let’s look at some of the ways people are understandably fooled.
Zoom is a popular target for malicious actors. SlashNext Threat Labs reports a growing trend of malicious URLs that appear identical to an authentic meeting invite. The fake URL looks remarkably similar to a Zoom link and when clicked, takes the user to a fake landing page, where they are asked to enter their company Microsoft 365 credentials. The user will usually fill it in because it seems legitimate, and their credentials are now with the attacker. Once credentials are compromised, the organization is immediately susceptible to further, more dangerous breaches.
With the recent LinkedIn breaches, over one billion profiles were compromised. Attackers have leveraged this information to automate targeted attacks tricking users into sharing even more sensitive information. Threat actors have built accounts that look extremely authentic and well-connected, making professionals more likely to respond to messages and connection requests. It is not difficult to understand someone accepting a LinkedIn request from what seems like a senior executive at their own company. Once a fake account has connected with unwitting professionals, there are countless opportunities for phishing through LinkedIn messaging and connection features.
A malicious actor who has found his way into a team Slack channel can easily pass as an employee’s coworker or manager with a simple message asking, “Hey, I’m stuck in traffic, can you pinch hit for me and download this presentation?” One click and the well-meaning employee, instead of thanks for their helpful efforts, gets malware installed on their computer.
Another trend revealed in The Human Hacking Report is the increase in phishing on legitimate hosting infrastructures. Of the more than 14 million malicious URLs SlashNext identified in 2021, 2.5 million were spear-phishing URLs hosted on legitimate infrastructures like AWS, Azure, outlook.com, and sharepoint.com. Using legitimate infrastructure platforms like this enables cybercriminals to easily evade current detection technologies like secure email gateways, firewalls, and proxies.
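The Zoom look-alike links and the phishing pages parked on legitimate hosting described above share a detection problem: host reputation alone says “fine” for a brand-new look-alike and for an attacker’s bucket on a trusted cloud. The following checker is an added example, not SlashNext’s code or any detection logic the report describes; it applies lexical URL analysis that a defender can run over proxy or mail logs. The brand list (BRANDS), the credential-page keywords (CREDENTIAL_HINTS), the homoglyph map, the function names and the sample URLs (which use reserved documentation ranges and made-up hosts) are all constructed for this example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed for this example: brand keywords and the registrable domains
# that are allowed to carry them. A real deployment would load its own list.
BRANDS = {
    "zoom": {"zoom.us"},
    "office": {"office.com"},
    "microsoft": {"microsoft.com"},
}

# Path/query fragments that commonly appear on credential-harvesting pages (assumption).
CREDENTIAL_HINTS = ("login", "signin", "sign-in", "password", "verify", "account")

# Digits and symbols attackers substitute for letters in look-alike labels (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "|": "l"})

# Names within this similarity ratio of a brand label are reported as resembling it.
RESEMBLANCE_THRESHOLD = 0.75


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Adequate for the sample hosts here;
    production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(label: str) -> str:
    """Map homoglyph characters back to letters so z00m compares as zoom."""
    return label.lower().translate(HOMOGLYPHS)


def assess_url(url: str) -> dict:
    """Return a verdict for one URL with the reasons it was flagged (empty if clean)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    labels = host.lower().split(".")
    sld = normalise(reg.split(".")[0])
    reasons = set()

    for brand, legit_domains in BRANDS.items():
        if reg in legit_domains:
            continue  # the genuine brand domain; nothing to flag for this brand
        # Brand name appearing anywhere in a host that is not the brand's own domain,
        # e.g. zoom.us-meeting-join.example or zoom-invite.example
        if any(brand in normalise(label) for label in labels):
            reasons.add(f"{brand} name in non-{brand} host")
        # Second-level label identical to (after homoglyph folding) or close to the brand label
        for domain in legit_domains:
            legit_sld = domain.split(".")[0]
            if sld == legit_sld:
                reasons.add(f"{reg} is a look-alike of {domain}")
            elif SequenceMatcher(None, sld, legit_sld).ratio() >= RESEMBLANCE_THRESHOLD:
                reasons.add(f"{reg} resembles {domain}")

    # Credential-prompt wording in the path catches pages on otherwise trusted hosting,
    # which a host-reputation lookup would wave through.
    path = (parsed.path + "?" + parsed.query).lower()
    if any(hint in path for hint in CREDENTIAL_HINTS):
        reasons.add("credential-prompt keyword in path")

    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.add("raw IP address host")

    return {"url": url, "host": host, "suspicious": bool(reasons), "reasons": sorted(reasons)}


def scan(urls) -> list:
    """Assess each URL and return only the suspicious verdicts."""
    return [verdict for verdict in map(assess_url, urls) if verdict["suspicious"]]


# Constructed sample input: one genuine invite, one look-alike subdomain trick,
# one homoglyph domain, one page parked on legitimate cloud storage, one raw IP.
SAMPLE_URLS = [
    "https://us04web.zoom.us/j/123456789",
    "https://zoom.us-meeting-join.com/login",
    "http://z00m.us/signin",
    "https://contoso-files.s3.amazonaws.com/verify/index.html",
    "http://203.0.113.7/account/verify",
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_URLS):
        print(verdict["url"], "->", "; ".join(verdict["reasons"]))
```

The amazonaws.com sample is flagged only by its path, which is the point: the host is legitimate infrastructure, so reputation and allowlists give it a pass, and the signal has to come from the URL’s own content. The similarity threshold and keyword list will need tuning against real logs; the example trades some false positives for catching the subdomain and homoglyph patterns above.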
The shifting phishing landscape, combined with cybercriminals’ access to automation, data, and intelligence, has quickly made human hacking the number one cyber threat. Most organizations are using established security tools like SEG, proxy, SASE, and endpoint protection to minimize phishing threats, but those solutions are not accurate or fast enough to detect the newest and increasingly rapid attacks. That’s where AI comes in, centering on behavioral analysis of the content and detecting the threats that the human forensics, URL inspection, and domain reputation analysis used by established security tools miss.
AI is the only effective tool to counter well-crafted spear phishing attacks because it emulates human cognitive reasoning to learn and respond accurately without the need for human intervention. Machine learning uses computer vision, natural language processing and other classifiers to see, examine and understand the context of a threat. AI examines billions of URLs and domains to determine if they are malicious.
Assess and Protect
There’s little doubt having “remoteness” as part of any network will continue – some employees simply won’t return full-time to offices. That leaves organizations facing a complex threat landscape and a need to protect their people. It’s critical that humans are protected on every digital channel from spear phishing attacks – they simply can’t be stopped with training and the human eye any longer.
- Where are your employees connecting and accessing systems? They need protection at every single point, including employee-owned mobile phones. What phishing attacks are you missing on mobile, in browsers, on collaboration apps, or in search?
- Are your users protected from zero-hour threats in real time?
- Are they protected when accessing URLs on their browser or their mobile device?
- Do they have on-app or extension protection from zero-hour phishing threats?
Once you have answered these questions fully, then you can identify the risks you need to manage, create safeguards to ensure delivery of critical services, define continuous ways to monitor for cyber incidents (leveraging clear visibility and AI), activate an incident response program, and build cyber resilience.
As CEO of SlashNext, Patrick Harr directs a workforce of security professionals focused on protecting people and organizations from phishing anywhere. Before SlashNext, Harr was CEO of Panzura, which he transformed into a SaaS company, grew ACV 400%, and led to successful acquisition in 2020. He has held senior executive and GM positions at Hewlett-Packard Enterprise, VMware, BlueCoat and was CEO of multiple security and storage start-ups, including Nirvanix (acquired by Oracle), Preventsys (acquired by McAfee), and Sanera (acquired by McDATA).