Danny Palmer at ZDNet had the scoop: "Social engineering is by far the biggest factor in malicious hacking campaigns, warn researchers – so how can it be stopped?"
"Nearly all successful email-based cyberattacks require the target to open files, click on links, or carry out some other action.
While a tiny fraction of attacks rely on exploit kits and known software vulnerabilities to compromise systems, the vast majority of campaigns, 99%, require some level of human input to execute. These interactions can also enable macros, so malicious code can be run.
Sometimes it seems easy to blame users for falling victim to phishing attacks, but campaigns are becoming increasingly sophisticated. It's often difficult to distinguish a malicious email from a regular one because attackers will tailor attacks to look as if they come from a trusted source, such as cloud service providers like Microsoft or Google, colleagues, or even the boss
This social engineering is the key element in conducting campaigns: the Proofpoint report even states that attackers are mimicking the routines of businesses to ensure the best chance of success.
For example, a user might be suspicious of an email claiming to come from a colleague that arrived in the middle of the night, but one which arrives in the middle of the working day is more likely to be treated as a legitimate email, with the potential for the victim to accidentally set the ball rolling for an attack.
Phishing is one of the cheapest, easiest cyberattacks for criminals to deploy – but the reason it remains a cornerstone of hacking campaigns is because, put simply, phishing works.
While many phishing attacks are designed to look highly legitimate, there are ways to identify what could potentially be a malicious attack.
For example, unexpected emails that are based around a sense of urgency could be viewed as suspicious. If a user is in doubt, they could contact the supposed sender of the message to see if it is a legitimate message.
It's also worth noting that cloud service providers like Microsoft and Google won't ask users to click through unexpected links to enter login credentials and other information. If a user is suspicious of a supposed login URL, they can bypass the link by going direct to the provider itself and entering their details there.
Organisations should also ensure that software updates and security patches are regularly applied, so in the case of someone accidentally clicking a link, malware that relies on known vulnerabilities can't operate."
We could not agree more. Original article at ZDNet with grateful acknowledgement.
Note: KnowBe4 has no affiliation with either ZDNet or Proofpoint
UPDATED 9/14/2019