The most vulnerable part of every secure system is the human element. Which brings attention to one of the most widely adopted tactics that has been used to acquire information in recent years: social engineering. By interacting with the human component and appealing to either emotions or inattentiveness, bad actors can obtain information or access to locations with next to zero technical prowess. A study at the university of Luxembourg showed that among three groups of individuals given a gift either at the start of interaction, after the question, or as a reward for revealing their password, anywhere from 3050% disclosed their sensitive information. The number goes as high as 47.9% when the reward is predicated on giving an answer. While this is just a single anecdote involving college students, the mentality doesn’t disappear when applied to the working world. Even clicking a real website link is enough when there exists a piece of malware that utilizes a flash exploit to infect the computer upon displaying the malicious advertisement.
One of the best solutions for this social vector is due diligence. Well-designed policies that employees are intimately aware of through thorough training, including awareness of these threats, better threat identification in e-mail firewalls, and clearer communication of proper procedures for employees will help ease the threat of this specific branch of malware. The science does not lie, people want to trust other people, especially those who are friendly, and identifying those who would abuse this trust for personal gain is easier said than done. As professionals, the education and increased awareness of those who aren’t so technically inclined is paramount for the safety of the collective companies that we represent.