Adding a corporate example to this, Kennedy told the story of one campaign where they used the customer's health benefits program as a lure. The point, he explained, is that whenever an attacker can impact someone personally, there is a higher degree of success. Health benefits issues impact someone personally, and they fall in line with normal day-to-day business operations, so, as expected, people took the bait.
"If health benefits are in jeopardy and they need to do something that will take two minutes out of their lives to remediate and fix, they will do it without rhyme, reason or thought," Kennedy said.
"[Social engineering] is effective, it's the most effective, and has the most ROI for an attacker. The reason we don't hear about these more in the news is that we have nothing to detect these attacks. We're already compromised, we've already experienced it, and we just don't know it yet."
Everybody slips sometimes
How serious is this threat? Serious enough that even the professionals can be caught by social engineering tactics. As previously covered on CSO, Hadnagy ran the Social Engineer Capture the Flag (SECTF) contest at DEF CON this year. While answering our questions for this story, he shared an interesting anecdote.
As he was preparing for the DEF CON contests and a four-day training class at Black Hat, Hadnagy had made a large number of purchases from Amazon in order to procure the supplies needed. To make things easy, said supplies were then shipped to the hotels in [Las Vegas].
"Rushed, behind the 8-ball and trying to get 500 things done at once I [wasn't] thinking when I received an email that said: 'One of your Amazon Purchases was declined.' I almost clicked through until I double-checked the URL and saw it went to a [domain] in Russia," he explained.
"Even someone who does this for a living can fall for these things. Why? We are all human. No one is 100 percent all the time. Condition, psychology, curiosity, fear, greed: these are common themes that attract and make us react. I think this sounds typical for most people."
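The check that saved Hadnagy, looking at where a link actually goes rather than what the message says, is easy to automate at the mail gateway or in a triage script. The following is an added example, not code from the article or from either of the people quoted: it pulls every anchor out of an HTML email body and flags links whose real destination is not on a (constructed, hypothetical) allowlist for the brand the message claims to be from, or whose visible text shows one domain while the href points at another. The sample email, the `EXPECTED_DOMAINS` table and the `example.net` domains are all constructed for this illustration.

```python
"""Added example (not from the article): flag links in an email body whose real
destination does not match the brand the message claims to come from, which is
the check Hadnagy describes doing by hand. The brand-to-domain table and the
sample email below are constructed for this illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (hypothetical): registrable domains a brand legitimately
# links to. In practice this comes from the organisation's own configuration.
EXPECTED_DOMAINS = {
    "amazon": {"amazon.com"},
}

# Visible link text that looks like a URL or hostname, e.g. "www.amazon.com/orders".
_URLISH = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)*\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def registrable_domain(netloc: str) -> str:
    """Crude 'last two labels' reduction: mail.example.co -> example.co.
    Sufficient for the demo; a production check would use the Public Suffix List."""
    host = netloc.split("@")[-1].split(":")[0].lower()  # drop userinfo and port
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body: str, claimed_brand: str) -> list:
    """Return [(href, reason)] for links that do not go where the message implies."""
    parser = _LinkCollector()
    parser.feed(html_body)
    allowed = EXPECTED_DOMAINS.get(claimed_brand.lower(), set())
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel:, anchors etc. are out of scope here
        target_dom = registrable_domain(target.netloc)
        reasons = []
        if target_dom not in allowed:
            reasons.append(f"target domain {target_dom} is not an expected {claimed_brand} domain")
        # Visible text that itself looks like a URL must agree with the real href.
        if _URLISH.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text)
            shown_dom = registrable_domain(shown.netloc)
            if shown_dom != target_dom:
                reasons.append(f"link text shows {shown_dom} but points to {target_dom}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed sample resembling the 'purchase declined' lure described in the article.
SAMPLE_EMAIL = """
<p>One of your Amazon purchases was declined.</p>
<p><a href="http://amazon.com-verify.example.net/login">Update your payment details</a></p>
<p><a href="http://track.example.net/r">www.amazon.com/orders</a></p>
<p><a href="https://www.amazon.com/gp/css/order-history">Order history</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, "Amazon"):
        print(f"SUSPICIOUS: {href}: {reason}")
```

Run against the constructed sample, the first two links are flagged (the first because `example.net` is not an Amazon domain, the second for that reason and because its visible text names `amazon.com` while the href goes elsewhere) and the genuine order-history link passes. The "last two labels" domain reduction is deliberately simple; for real traffic the Public Suffix List handles cases such as `.co.uk` that this shortcut gets wrong.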