In my December 2019 webinar, Hacking the Human, I demonstrate how to conduct a phishing campaign, using email-based social engineering to gain passwords. Why do I teach you how to phish this time, instead of showing you how to compromise computer systems? Well, one of the most effective ways to hack into an organization, hands down, is to use social engineering against its employees/members. This is borne out time and time again, as we see the bulk of compromises begin with a phishing attack. Even nation-state hacking operations, which have certainly bought/collected “zero day” exploits, appear to save these for precious few occasions. They know the same thing that organized crime and professional loan wolf bad actors know: phishing will get the initial access you’re seeking—almost every time.
Phishing is the best bang-for-your-buck form of social engineering, where “buck” here refers to a threat actor’s time. It scales better (hits more people per second) than in-person confidence games. Even in this era of robo-calls, online phishing still appears to have a higher success rate than phishing by voice (phone), also known as “vishing.”
So, why do phishing and social engineering techniques continue to work with such unwavering consistency?
At the end of the day, social engineering is effective because human beings have evolved to be vulnerable to it. That might sound pessimistic, so let’s expand. Social engineering is effective because it targets the very strengths that evolution has built for us.
Humanity’s unique strength as compared to other mammals, and even primates: we are incredibly social and can work together in very large groups. Put simplistically, we are inclined to be helpful to each other. That helpfulness means ancient human teams could hunt mammoths and that modern human teams can create multi-year, 50-person software engineering projects.
Unfortunately, social engineering can prey on humanity’s social strengths. Our helpful nature is one of the primary targets that effective social engineering exploits.
For a more in-depth exploration of how phishing works, and a demonstration on how to build your own phishing campaigns, watch this webinar.