Why Spear Phishing and Social Engineering Work

People are the weakest link when it comes to cybersecurity. Why do they click on an embedded link contained in an email. Why do they open what looks like a suspicious email in the first place? Successful ransomware and spear phishing attacks continue to be on the rise; in February a Los Angeles hospital paid $17,000 to hackers in order to “free” their computers. http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

So far this year the FBI estimates $200 Million in cyber ransom has been paid out. http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/

Researchers at Buffalo State University decided to find out why users continue to put themselves at risk. ( http://www.govtech.com/security/Cybersecuritys-Weakest-Link-Humans.html ) The answer is two fold: Cognitive efficiency and Habit.

The first factor, Cognitive Efficiency, is the process wherein the brain wants maximum information for minimum effort. Users view a brand, logo or recognized sentence like “sent from my iPhone” and then take mental shortcuts assuming they already know what the trigger is and what it represents.

The second factor is Habit. Technology and its use is so pervasive in our society it has created ingrained habits, like a morning routine or driving the same route to work: little or no concentration is required. People click through email without thinking.

The combination of these two factors has created the perfect environment for social engineering by cyber criminals to distribute their malware. Users, going through their daily routine do not pay attention to potential threats and without thinking click on the wrong email or embedded link. Ransomware gets downloaded and a company or individual is held hostage.

But there is good news. Training and education will instill better cyber hygiene practices. Once users are shown their bad habits and given ways to combat the problem security increases.

If you are interested in learning more about cyber crimes, cybersecurity and how to create a resilient business, please contact us at: contact@layer8cybersecurity.com