In agreement, Kennedy said that when his firm stages attacks against large organizations, with customers ranging from the Fortune 50 to the Fortune 1000, its success ratio is around 94 percent. The difference between what he does for his customers and what the criminals are doing with the previously mentioned malicious messages is focus.
The attackers in the Halon study are casting a wide, generic net for victims, and are still able to pull a 30 percent success rate. Those numbers will only climb if the messages are less generic and more finely tuned.
"It only takes about an hour or so to craft up a 'pretext' or attack that we know will be believable. It only takes the employee to believe the fantasy is real in order for them to click something...these are completely obscure emails that have no relevance or believability in a lot of cases and it's still a 30 percent success ratio...For us, the attacks have moved from the external perimeter to the [social engineering] route because of the ROI," Kennedy said.
In their day-to-day work, both Kennedy and Hadnagy seek to lower the ROI many attackers are seeing through social engineering. Each of their respective firms uses ongoing training and education to accomplish this. Humans are the weakest link in the security chain, so there is no appliance or purely technical control that will prevent focused phishing attacks (spear phishing), or stop someone from doing what the attacker has asked, one hundred percent of the time.
"I think the alarming trend in all of this is that we are literally defenseless right now with our current technology or procedures to handle these types of attacks," Kennedy explained.
"The problem with this one is that no piece of technology can fix this alone. It's a coupling of education and awareness, handling procedures, and technical controls on the user population. Our daily lives revolve around opening up emails at a rapid response rate, clicking just this one or that one has no relevance anymore and to take a few extra seconds to review the email isn't part of our daily tasks."
What about the topics of the messages referenced in the study, and the brands represented? Is that typical? According to Hadnagy, when people see emails that touch on things already on their minds, they are more inclined to click.
"It is basic psychology that they use social media for women and money/power/sex for men as lures... Although highly targeted attacks may use a different lure, tuning into the psychology of the intended victim plays a significant role in a successful lure," he said.
Adding a corporate example to this, Kennedy told the story of one campaign in which his firm used the customer's health benefits program as a lure. The point, he explained, is that whenever an attacker can affect someone personally, there is a higher degree of success. Health benefits issues affect someone personally, and they fall in line with normal day-to-day business operations, so, as expected, people took the bait.