Chris Hadnagy and Empowering Individuals Against Their Fear: How Not to Get Phished


By: Maria Williams

The US Federal Trade Commission has reported that ‘phishing’ – an online scam that contacts targets under false pretenses to direct them into divulging sensitive or personal identifying information – is a dynamic and evolving underworld practice. There are several subcategories of phishing scams, such as vishing (voice phishing), SMiShing (SMS phishing), fake websites, and hybrid phishing campaigns, and in 2022 Agari and PhishLabs found a 550% increase in detected phishing scams across all platforms, resulting in hundreds of thousands of reported phishing attempts over twelve months.

And these are only the campaigns thwarted by information security (InfoSec) experts. In the first month of 2021, there were almost 250,000 reported phishing attacks. Indeed, the sheer number of successful attacks leads to a loss of $17,700 every minute in the USA, totaling over $4 billion a year according to the FBI. 

Phishers quickly adapt to new technologies, whether those technologies are designed to work against them or not, and are developing increasingly subversive tactics to manipulate their targets into doing their bidding. Additionally, these tactics are only becoming faster and cheaper to deploy. With a turnaround of 21 hours from launch to takedown, most attackers use relatively accessible ready-made kits bought off the dark web to create domains and exploit unwitting targets.

Phishing and its various derivatives successfully infiltrate a target’s vulnerabilities because they use social engineering principles to exploit human psychology. Most consumers report having high confidence in the safety and security of the Internet. This uncritical trust allows a scammer’s point of contact to fly under the radar, with the remaining hours used to create a false sense of urgency through manufactured scarcity or time constraints.

“When scammers successfully create a sense of fear in their targets, this triggers their amygdala and shuts down the frontal cortex, causing targets to stop making rational decisions. They begin acting emotionally through their limbic system. This is how phishers get your credit card details and other verifying data through a single phone call,” explains Christopher Hadnagy, founder and CEO of Social-Engineer LLC, a leading corporation in InfoSec and the fight against phishing scams, and author of several books, including his most recent: Human Hacking: Win Friends, Influence People and Leave Them Better Off for Having Met You.

In today’s world, phishing kits include programs that scan their target’s available data to use against them during scam campaigns. And there is no longer a guarantee that the voice behind an unknown caller ID is completely human. As Chris retells, “I demonstrated on live TV that it takes me – whose brain is not made for coding – only 11 and a half minutes to create a deepfake of Elon Musk. I made it say that I was his best friend.” Phishers need not be technologically savvy; they can simply locate deepfake programs and buy them.

Similarly, since generative artificial intelligence tools have become publicly available, there has been a 1,256% increase in malicious phishing emails. As AI becomes more sophisticated and accurate at mimicking human behavior, phishing scams will only keep pace in speed and volume. “There is an ever-escalating need to raise awareness in the public of the dangers and vulnerabilities their implicit biases hold against their security,” Chris reflects.

Since 2010, Social-Engineer’s scientific methods and patented processes for uncovering vulnerabilities through simulated vishing attacks have quickly propelled it to industry leader status. Now celebrating its 15th anniversary, the company aims to mitigate the evolving capabilities of phishing attacks and empower employees to identify and report malicious emails and calls effectively.

With thousands of vishing calls a month through Social-Engineer’s trained staff, the company has amassed a comprehensive database of vishing attempts, over 100,000 calls strong. Using this novel collection, Social-Engineer is training an AI model to detect deception in hybrid phishing campaigns accurately. “We use the technology that bad actors are using to hurt us, to help us,” says Chris.

As a deeply human crime, phishing attacks fundamentally use behavioral psychology to find and exploit weaknesses. Chris demonstrates that educating individuals to overcome their biases and identify when their vulnerabilities are being targeted is increasingly important. “The most important piece of advice I can provide: If you cannot verify the person who is emailing or phoning you, or if you cannot verify the legitimacy of a website, then do not take action.”

Consequently, more extensive methods need to be developed to verify personal identities. Chris recommends that individuals devise concrete and personal codes that are not publicly available, as caller ID and other generic information are no longer sufficient.

Finally, Chris emphasizes the importance of identifying when one feels pressured or scared by an email, website, or phone call. “If you get a call that’s imposing time constraints on the action they say you need to take, you’re allowed to say: ‘I’m going to put you on hold for a moment.’ Take a breath and get yourself back to critical thought.” Social-Engineer advises their clients to empower employees to cut suspicious calls and immediately report them.

Social-Engineer has launched a three-tiered training course on ethical and social engineering to impart comprehensive education and raise security awareness against exploitation. Their Foundational, Practical, and Certified Master’s courses teach students the psychology of human behavior from speech to facial expression and provide opportunities to field-test their skills through real-life applications. The company is excited to celebrate 15 years in InfoSec by continuing to prevent the devastating damage that security attacks engender.

Published by: Nelly Chavez

This article features branded content from a third party. Opinions in this article do not reflect the opinions and beliefs of CEO Weekly.