Each year, cyber criminals continue to refine their use of social engineering, relying on human interaction rather than automated exploits to install malware, initiate fraudulent transactions, steal data, and engage in other malicious activities. Less than 1% of the attacks we observed made use of system vulnerabilities. The rest exploited “the human factor”: the instincts of curiosity and trust that lead well-intentioned people to click, download, install, open, and send money or data.
Instead of attacking computer systems and infrastructure, threat actors focused on people, their roles within an organization, the data to which they had access, and their likelihood to “click here.” Whether attacking at a massive scale in large, indiscriminate campaigns, going after specific industries or geographies with more targeted campaigns, or seeking out a single person within an organization, attackers and their sponsors consistently found human beings to be the most effective vectors to infiltrate organizations and facilitate fraud and theft.
While ransomware was the biggest threat of 2017, the last 18 months have seen a marked shift towards information-stealing malware, with social engineering becoming ever more pervasive and effective at preying on people. Whether sending impostor messages that appear to come from a trusted colleague or installing increasingly robust malware that can silently profile individuals and steal data and credentials to make future attacks more effective, threat actors are following the money. Cryptocurrency volatility and a growing ability to detect and mitigate ransomware may have driven this shift initially, but the information harvested from victims through malware and phishing attacks is now fueling revenue streams and facilitating future attacks in its own right.
Regardless of the means of attack—email, cloud applications, the web, social media, or other vectors—threat actors repeatedly demonstrated the effectiveness of the social engineering tactics that convinced victims to click malicious links, download unsafe files, install malware, transfer funds, and disclose sensitive information at scale. Whether financially motivated or state-sponsored, attackers all had one thing in common: an understanding of and a willingness to take advantage of the human factor.