Most Cyberattacks Are Phishing Related, Not Sophisticated Technical Attacks

from the so-why-do-we-need-information-sharing? dept

To hear politicians and the media talk about things, “cybersecurity” threats are some sort of existential threat that can only be stopped by giving the government more information and more control over our data. There is, of course, little to actually support that notion. And, two new studies show that (as has been the case for decades), the real threats are not because of super sophisticated technology and tools for hacking, but rather because end users are fallible and IT folks don’t do a very good job locking doors (hat tip: WarOnPrivacy):

But two deeply researched reports being released this week underscore the less-heralded truth: the vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.

In fact, the real problem tends to be that people are still easily fooled by phishing emails:

In the best-known annual study of data breaches, a report from Verizon Communications Inc to be released on Wednesday found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing, the security industry’s term for trick emails.

Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90 percent of the time, Verizon found.

And, then, of course, if the IT staff hasn’t done much to secure things inside the gates, the hackers get the run of the place.

Stopping phishing is certainly a difficult problem, but it’s hard to see how it is one that gets solved by giving the NSA more of our data. Of course, none of this should be new or surprising if you spend any time at all in online security circles. “Social engineering” has always been the most effective way to get into systems. But hyping up the fact that people are gullible and can be tricked into giving up their passwords isn’t very sexy and doesn’t get big companies and governments to shovel hundreds of millions of dollars at solutions. Freaking people out about sophisticated technology (that isn’t nearly as effective) being used to launch hack attacks seems much sexier (and more profitable).


Comments on “Most Cyberattacks Are Phishing Related, Not Sophisticated Technical Attacks”

John William Nelson (profile) says:

Wetware is usually the weaker link . . .

Social engineering (i.e. phishing) has always been the most reliable way for serious intrusion artists to enter systems without authorization.

Heck, they even made three movies involving an Ocean about it with that Clooney guy involved. (Or was it 4?)

Why hack serious encryption when you can get it more easily by socially engineering the intrusion?

Anonymous Coward says:

Honesty is the USG’s policy? Who, I would like to point out, are the only ones pulling off tech-based attacks, simply because they’ve physically hijacked the lines that carry the data.

The NSA/FBI will continue to use FUD tactics and deception to gain more powers because it’s effective. Most politicians think technology is mystical voodoo arts and the general public doesn’t really care how this stuff works so long as they can social their media.

Today seems appropriate to apply the following quote:

“Fuck it, fight it, it’s all the same.” – Bradley

madasahatter (profile) says:

Ease of Phishing

The underlying problem with phishing attacks is that many legitimate emails will arrive with attachments in one’s corporate email over the course of a week. Some may be from people who are outside the company.

While my position is one where almost all my company email is internal and the few outsiders are well known, many sales and technical support people deal with outsiders mostly. Many of these outsiders may legitimately need to send an attachment.

tqk (profile) says:

Re: Ease of Phishing

I’d disagree. The underlying problem is your average computer user is an ignorant sluggard (and I mean that in the nicest way 🙂) who only barely knows how to use the tools they’re given. There are technical people who use a spreadsheet program (i.e. Excel) to create what is little more than a list of items, when simple text in an editor would do. I’ve watched accountants transcribe numbers from a spreadsheet program into desktop calculators to sum a column. There are Sun Certified “engineers” who can’t list the contents of a directory.

I know, people just want to get stuff done. They don’t want to learn how computers work. They just want to use them. Well, think of all those carpenters out there building houses. How far can they get without knowing how to use a hammer, or what materials to use in any given situation?

For all those mere users out there, I’m sorry we haven’t yet invented the DWIM (Do What I Mean) key. Please bear with us.

Or, maybe don’t use computer operating systems and software which were implemented so stupidly that things like this become a problem.

Anonymous Coward says:

Re: Ease of Phishing

I put the blame squarely on IT for phishing emails that make it in.

Looking at spam stuck in the list is boring, and no admin wants that kind of grunt work.

The reality is that having human eyes at that level to spot those emails before they make it to the end user is a very good line of defense against phishing. We are the ones that understand the impact if that email makes it to an end user that clicks that link because they haven’t had their coffee, or if they are mad because their wife didn’t blow them last night, so they are gonna click it to make someone else have a rotten day, or if the person just truly thinks it’s a legit link/attachment.

We have the ability, knowledge, and expertise to stop those, and we choose not to because we justify it being a task that is beneath us.

I agree things should be as automated as possible; however, there are certain places where it just makes more sense to take 15 min out of the day to protect what could potentially be millions of dollars in losses to the company.

Anonymous Coward says:

Re: Re: Re: Ease of Phishing

I’m just going to agree to disagree with you on this.

Yes, you can automate; however, you can’t just blindly automate spam filtering without having decent human eyes at the right spots, no matter what the volume.

I come across at least 5-8 zero day exploit emails a day (that we properly forward to several security vendors). I can’t count the number of times that I will read about 2 days later some huge company got hammered for millions of dollars in damages because that same thing I visually spotted made it past all the “automated” filtering.

If you can get your automated systems to filter out even down to a few thousand that someone had to eyeball, it is more than worth the time spent.

It’s just ‘too boring’ and ‘completely beneath’ the sysadmins to do, when in reality it takes just a few minutes of time to make damn sure everything making it to the end user is legit.

I mean, even rich people have more than just a security camera to protect their home (heck, some even have bodyguards). Why would you do anything less for email (especially since the risk of getting attacked by a rabid fan is way less for most of us than a sales associate getting a phishing email)?
