Cybersecurity: 99% of email attacks rely on victims clicking links

Danny Palmer at ZDNet had the scoop: "Social engineering is by far the biggest factor in malicious hacking campaigns, warn researchers – so how can it be stopped?"

"Nearly all successful email-based cyberattacks require the target to open files, click on links, or carry out some other action.

While a tiny fraction of attacks rely on exploit kits and known software vulnerabilities to compromise systems, the vast majority of campaigns, 99%, require some level of human input to execute. These interactions can also enable macros, so malicious code can be run.

Sometimes it seems easy to blame users for falling victim to phishing attacks, but campaigns are becoming increasingly sophisticated. It's often difficult to distinguish a malicious email from a regular one because attackers will tailor attacks to look as if they come from a trusted source, such as cloud service providers like Microsoft or Google, colleagues, or even the boss.

This social engineering is the key element in conducting campaigns: the Proofpoint report even states that attackers are mimicking the routines of businesses to ensure the best chance of success.

For example, a user might be suspicious of an email claiming to come from a colleague that arrived in the middle of the night, but one which arrives in the middle of the working day is more likely to be treated as a legitimate email, with the potential for the victim to accidentally set the ball rolling for an attack.

Phishing is one of the cheapest, easiest cyberattacks for criminals to deploy – but the reason it remains a cornerstone of hacking campaigns is because, put simply, phishing works.

While many phishing attacks are designed to look highly legitimate, there are ways to identify what could potentially be a malicious attack.

For example, unexpected emails that are based around a sense of urgency could be viewed as suspicious. If a user is in doubt, they could contact the supposed sender of the message to see if it is a legitimate message.

It's also worth noting that cloud service providers like Microsoft and Google won't ask users to click through unexpected links to enter login credentials and other information. If a user is suspicious of a supposed login URL, they can bypass the link by going direct to the provider itself and entering their details there.

Organisations should also ensure that software updates and security patches are regularly applied, so in the case of someone accidentally clicking a link, malware that relies on known vulnerabilities can't operate."

We could not agree more. Original article at ZDNet with grateful acknowledgement.

Note: KnowBe4 has no affiliation with either ZDNet or Proofpoint

UPDATED 9/14/2019

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!
