Phishing, and more specifically spearphising — hiding malware behind e-mail messages that appear to come from your friends and co-workers — is on the rise. “By all accounts, the majority of successful security attacks are a direct result of benign, well-educated company staffers who did something stupid or forgot to do something easy,” writes Alan Wlasuk at TechRepublic. Even though we’re supposed to know better, we still fall victim to the phishing trap.
A fun fact to start any conversation about social engineering is this surprising occurrence: Oak Ridge National Labs (one of the U.S. national energy labs) was a target for a spear-phishing attack where 57 out of a targeted 530 employees opened up an email that installed malware on their personal computers. Oak Ridge was shut down for days to repair the damage. The amazing fact behind this occurrence is that Oak Ridge National Labs is a government agency with a charter to study malware and computer viruses. However, the majority of the staff that opened up the affected e-mails were senior scientists and executives—people who should have known better.
There are a lot of reasons we mess up — greed, poor passwords, idle curiosity, quid pro quos, and Wlasuk has horror stories to make his point. For example, hackers posing as tech support call around to office workers, dialing over and over until they actually find a worker who needs tech support and gladly volunteers his password or other info. That’s pretty clever.
As Wlasuk observes: “Humans are, by all accounts, imperfect,” Wlasuk says.