How to Attack Yourself Better in 2021

It's not a matter of if but when an employee will receive that "urgent" email or call asking them to transfer money to a safe place, log in to the corporate network, or install a remote access Trojan. Social engineering has always been a sure-fire way for cybercriminals to ensure a high success rate. But the pandemic-driven increase in remote work has made social engineering techniques more creative and more profitable than ever before.

When working from home, employees don't have the full-scale protection offered by corporate security solutions and must instead rely on their gut feeling, which is a cybersecurity team's worst nightmare. After realizing the scale of the catastrophe, many companies have rushed to educate their employees.

To assess the scope of the problem, Group-IB carried out a social engineering penetration testing project in a logistics company. The test used a pretext related to COVID-19 and demonstrated employees' unrelenting interest in the matter. It used a well-crafted phishing email sent from a fake email address supposedly belonging to the company's IT department. More than half (51%) of the test subjects submitted their credentials on the fake VPN portal login page.

Some Social Engineering Attacks Are More Effective Than Others

Our social engineering testing projects have also shown that some attack techniques are more effective than others. Across the more than 100 social engineering testing projects we conducted in 2020, we found that voice calls ("vishing") were more effective than phishing emails with links to fake resources or executable attachments. Vishing, which had a success rate of 37%, is particularly effective because victims do not usually expect these calls. Additionally, threat actors can adjust the script to match changes in the victim's behavior and tap into their emotions.

In addition to obtaining personal or ..