Cyber Criminals Exploit the Human Factor

Cyber criminals use social engineering approaches to install malware, steal information, perform fake transactions and even shut down businesses. More than 97% of reported attacks target “the human factor” rather than exploiting known system vulnerabilities.

Social engineering approaches used by Cyber Criminals focus on people, their role in the business, the data they have access to and the likelihood they can be enticed to perform an action. The human factor, our ability to be curious, the biases we have and their effect on our decision-making processes, our emotional state of mind, the way in which we monitor and evaluate situations on the basis of risk or reward, and the level of boredom in our roles all contribute to people being the most effective attack vectors in infiltrating businesses to facilitate fraud, theft and potentially worse.

Over the last 3 years there has been a marked shift towards information-stealing malware, with “the human factor” becoming ever more effective at preying on people. From impostor messages, where an email appears to come from a person the target knows, to malware that silently profiles individuals and steals data and credentials for future attacks, cyber criminals have their eyes firmly set on your business's most valuable assets and the monetary value they hold. This ultimately fuels their revenue streams and funds future attacks.

Who is the Focus?

The Social Engineering approach, focused on “the human factor”, is all about exploiting select individuals and identities in targeted industries, not infrastructure and systems. Conversely, most businesses focus their IT Security budgets on infrastructure and systems.


The largest attack vector is still email, with 93% of all breaches targeting select individuals via approaches ranging from spam to impostor attacks. These select individuals are targeted in order to obtain credentials that are then used to:

  • Feed further attacks against the targeted business,
  • Improve the effectiveness of the Social Engineering techniques with which further credentials and information can be obtained,
  • Commit fraud.

The people representing the greatest source of risk in business are:

  • Very Attacked Persons or VAPs. These are easily discovered identities and shared accounts. More than 35% of identified VAPs' details are found online via corporate websites, social media platforms, newsletters and annual reports.
  • VIPs and C-Level executives. Again, these are readily discovered via social media platforms, and more than 20% of their email addresses can be found via simple Google searches.
  • VAPs, VIPs and shared accounts in Education, Finance and Banking, Automotive & Manufacturing, IT, Media & Advertising (including Marketing) and Retail are frequently the most targeted.

What are the Attacks?

As shown in the diagram, email is still the biggest initial attack vector for businesses. In 2018-19 generic email harvesting accounted for almost 25% of all phishing schemes, and these were mainly focused on credential harvesting. Over 99% of emails distributing malware require human intervention to be effective: following links, opening attached documents, enabling macros, accepting security warnings, and saving and unzipping executables.

Malware-free impostor message attacks, including Business Email Compromise (BEC), are on the rise. Impostor messages and BEC are used by cyber criminals to build rapport with attacked individuals, obtain multiple points of contact and create a sense of urgency around the activities they require the targeted individuals to perform. These activities include approving payments for fake invoices or releasing business data.

Phishing lures typically imitate well-known brands such as banks, retailers and webmail providers, offering login portals that seek to capture specific service credentials or simply obtain email logins that are used in future credential stuffing attacks.

Domain fraud continues to increase, with attackers using techniques ranging from look-alike domains to legitimately issued certificates to make malicious websites appear trustworthy.
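Spotting look-alike sender domains before a message reaches a person is one defensive check a mail gateway or SIEM rule can make against the domain fraud described above. The following Python is an added example, not Click Studios code: the homoglyph table, the edit-distance threshold and the examplebank.com entry are assumptions, and the addresses it is exercised with are constructed.

```python
import unicodedata

# Domains to protect. clickstudios.com.au appears on this page; examplebank.com is a constructed entry.
TRUSTED = ["clickstudios.com.au", "examplebank.com"]

# Illustrative subset of substitutions seen in look-alike domains (assumption: not exhaustive).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}

def normalize(domain: str) -> str:
    """Lower-case, strip accents and collapse look-alike characters to their ASCII twins."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, keeping one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted=TRUSTED, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the domain of an email sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    for t in trusted:
        t = t.lower()
        if domain == t or domain.endswith("." + t):
            return "trusted"                      # the real domain or one of its subdomains
    norm = normalize(domain)
    for t in trusted:
        t_norm = normalize(t)
        if levenshtein(norm, t_norm) <= max_distance:
            return "lookalike"                    # typo, homoglyph or hyphen variant
        brand = t_norm.split(".")[0]
        if brand in norm.split("."):
            return "lookalike"                    # brand label reused under another domain or TLD
    return "unrelated"
```

The threshold of 2 edits suits domain names of this length; for very short trusted domains it should be lowered to avoid flagging unrelated names.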

How are Select Individuals Identified?

Cyber criminals are increasingly focused on attacking select individuals in a business, rather than attacking every user and reviewing which attacks succeed. These select individuals are either targets of opportunity or identified users with sufficient access and privilege. These people make up the group of VAPs in a business.

VIPs, C-level executives and members of the Board are often not VAPs. VAPs are typically more easily identified online, presenting a simpler and more direct means for cyber criminals to discover their role and contact details and then target them with multiple attacks. On average, across all industries, more than 35% of VAPs' details can be found online. The following graph shows the average percentage of VAPs identified per web-based source,


as opposed to the common sources of VIP identities,


However, one area of significant risk for businesses is VIPs who are also VAPs. In these cases, on average across all industries, more than 20% of their email identities can be discovered online via a Google search.

How can Click Studios Help?

Click Studios specialises in the development of Passwordstate, an on-premises web-based solution for Enterprise Password Management, allowing teams of people to access and share sensitive password resources. Our solution uses role-based access control, with end-to-end event auditing, to provide a secure platform for password storage, management and collaboration.

For more information on how we can help please contact sales@clickstudios.com.au and, as always, we welcome your feedback via support@clickstudios.com.au.

Passwordstate V9 Changes for Authorized Web Servers

With the soon-to-be-released Passwordstate V9 Beta we've overhauled the Authorized Web Servers functionality. Authorized Web Servers is used to mitigate against the theft of your Passwordstate database and the credentials it contains. This is …

Auditing and Graphs

Passwordstate provides comprehensive reporting to ensure you can meet the governance requirements within your organization. All reporting makes use of the built-in audit events. There are more than 110 audit events in Passwordstate, providing a rich …

Ignored URLs and Browser Extensions

There is no doubt that browser extensions make your browser-based life easier. The ability to securely manage website logins, while reducing the attack surface through unique login credentials, should not be understated. The statistics speak …

Google Workspace, SAML Authentication and Passwordstate

Last week's blog was all about SAML2 Authentication with Microsoft Azure. Keeping to a like theme, this week we'll concentrate on setting up SAML Authentication for Google Workspace (formerly G Suite) and Passwordstate. Google Workspace provides …

SAML Authentication with Azure AD

The Click Studios Technical Support group is regularly asked if we support authentication between Passwordstate and Microsoft Azure AD. The simple answer is yes, and in order to do this you must be using SAML2 Authentication as your global …

Control Access to Local Accounts with Credential Check-In and Check-Out

Many organizations implement strict access control to privileged accounts in their Domain and on their Windows Workstations and Servers. They work through a stringent process, ensuring local and domain user accounts have the least amount of …

Specifying Authentication Options

A customer recently asked us to assist in resolving an issue with authentication for some of their users. This sparked some discussion between members of our Technical Support Team as to whether most customers knew where you can set the …

Password List Performance Testing

We're asked every now and again about potential performance impacts related to the size of Password Lists. While every organisation is different, there are some general considerations that should be thought about when designing your Password …

Some Examples of Best Practices for Passwordstate

Here at Click Studios a couple of staff from Pre-Sales and Technical Support are pulling together the first draft of our Best Practices guide for Passwordstate. The recommendations provided in the Guide are a direct result of assisting organizations …