What Is Really At Stake With The People Part Of The Cyber Equation?


In 2016, the world experienced an enormous uptick in data breaches, numerous ransomware attacks and devastating DDoS attacks. In 2017, the attacks are increasing in number and scope with no slowdown in sight, including the WannaCry ransomware attack that targeted 74 countries and spread by a phishing email. According to a recent PhishMe study, 91 percent of all cyberattacks begin as phishing emails.

In today’s world of technology, human error can be the difference between success and ruination. Nowhere is this truer than in the workplace, where humans are the weakest link.

Case in point: last week I was sitting on the tarmac because my flight had been delayed due to an unruly passenger, which is nothing new these days. However, what happened next was mind-boggling.

The man sitting next to me was talking to his office; he explained that his flight was being delayed upwards of an hour and wanted to make use of the time by calling his list of ‘cold calls.’ The only thing was, the list was in a Word file on his computer. Apparently, he had never heard of the cloud.

He instructed his assistant Julia, whom he mentioned by name several times, to turn on his computer, and gave her his username and the password, three times, very slowly, at a volume so loud it was heard by more than half of the 100+ passengers on the plane.

He then told her that in the future his username/password could be found on a blue sticky note in his top left-hand drawer, which is never locked.

When he hung up with his assistant, he made several cold calls, telling each one the same nauseating scripted story. Adding insult to injury, on one call he explained to the prospective client how to avoid the security desk. I was trying not to stare, but by this point that was futile.

So, just what did I learn? (All names have been changed.)

  • His name is Paul XXXXXXX.
  • He is a Senior Vice President.
  • Paul works for a Financial Services Company.
  • His company specifically works with high-net-worth clients.
  • His office is located at xxx Wacker Drive, Chicago.
  • His office is on the XXth floor, on the west side of the building.
  • Sensitive information in his office is not secured.
  • Username is first and last name.
  • His password for all his accounts is ‘654321’ <= Clever…
  • His Business email is PaulW@company.com.
  • Office Phone number is 872-xxx-xxxx
  • Cell Phone number is 312-xxx-xxxx
  • His personal email is Paul2xxxxxxx@AOL.com
  • His assistant’s name is Julia, who just had a baby boy 3 months ago
  • He has 4 kids (3 boys, 1 girl), all in Ivy League Universities, that is costing him an arm and a leg.
  • His 3rd wife, Natalie, who cannot cook a meal to save her life, rents high-end Jewelry for a variety of events.
  • This is my favorite => If you do not want to deal with the ‘hassle’ of going through the security desk, there is a side entrance that is always open and will not trigger the alarm system, because the smokers in the building use it for a smoking area, and the elevators are located at the end of the hall.
  • Come up to the XXth floor, knock on the window, and ‘someone will always let you in.’

I thought for sure this had to be a joke and that at any minute someone, probably dressed in a killer clown suit, was going to jump out and yell ‘Never, ever do this.’ No one jumped out.

The bottom line on how this happens: employees know far too little about today’s cyber security threats, and organizations are not doing enough to educate their employees or to protect their clients’ critical data.

It is time for all organizations to act.

It is estimated that the majority of incidents globally involve human error. Cybercriminals know this is an area of weakness and they target it, more often than not very successfully.

Cyber security awareness is a process that needs to concern the entire organization. All employees must understand both their roles and their responsibilities.

Moreover, all organizations, whether small, medium or large, need to understand where their weaknesses are. A good first step is to conduct cyber-risk assessments through a holistic review of their policies and of education for all employees, from the C-suite to third-party relationships.

Suggested training activities

  • Educate employees on the need for resource protection including protecting passwords, locking computers and locking up sensitive information.
    • Never leave your password on a sticky note where it can be stolen. Once it is out of your control, so is your security.
    • Never share your password with another co-worker. NEVER.
    • Create different passwords for different accounts and applications.
  • Educate employees on why using strong passwords is essential, not a hassle.
    • A strong password should be at least eight characters and should include uppercase, lowercase, and special characters, such as @#?%^&*.
    • Adding just one capital letter and one special character changes the processing time for a cybercriminal to crack an eight-character password from 2.4 days to 2.10 centuries. Think about that!
  • Train employees on the strategies used by cybercriminals to compromise networks, including phishing and fake websites, and on how malicious software is installed by clicking on links within emails and downloading attachments from compromised websites.
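As an added example (not part of the original article), here is a small Python script that checks the password rule above and works the crack-time arithmetic through. The guess rate of one million per second is an assumption, chosen because it reproduces the 2.4 days and 2.10 centuries figures for an eight-character password searched over 26 versus 95 characters; the sample passwords are constructed, apart from the ‘654321’ overheard on the plane.

```python
# Character classes from the article's advice: lowercase, uppercase,
# digits, and special characters such as @#?%^&*. The sizes cover
# printable ASCII: 26 + 26 + 10 + 33 = 95 symbols.
LOWER, UPPER, DIGITS, SPECIALS = 26, 26, 10, 33
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

def charset_size(password: str) -> int:
    """Size of the smallest full character set containing every class
    present in the password, i.e. what an exhaustive attacker who knows
    the policy must search per position. Non-ASCII counts as special."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SPECIALS
    return size

def meets_policy(password: str) -> bool:
    """The article's rule: at least eight characters including uppercase,
    lowercase and special characters."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(not c.isalnum() for c in password))

def crack_time_seconds(password: str, guesses_per_second: float = 1e6) -> float:
    """Worst-case time for an exhaustive search: keyspace / guess rate.
    The default of one million guesses per second is an assumption; it is
    the rate that reproduces the article's 2.4 days and 2.10 centuries.
    This is an upper bound only: '654321' and other common strings sit in
    every wordlist and fall long before the keyspace is exhausted."""
    return charset_size(password) ** len(password) / guesses_per_second

def crack_time_days(password: str) -> float:
    return crack_time_seconds(password) / SECONDS_PER_DAY

def crack_time_years(password: str) -> float:
    return crack_time_seconds(password) / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed samples: the password overheard in the article, an
    # eight-character lowercase password, and one that meets the policy.
    for pw in ("654321", "abcdefgh", "Abcdef7!"):
        print(f"{pw:10} policy={meets_policy(pw)!s:5} charset={charset_size(pw):3} "
              f"days={crack_time_days(pw):.1f} years={crack_time_years(pw):.2f}")
```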

Frequently conduct unannounced tests. Engage your IT department or use outside experts to test employees both in person and on the computer using social engineering strategies. Moreover, employees who routinely fail the tests need to be held responsible for their actions.

Cybersecurity is an enormous problem to address. Training and testing require planning and resources, but the process of preparation is far better than dealing with the aftermath.

A single vulnerability can lead to data breaches; it can also result in the theft of personally identifiable information (PII), which often proves the most costly and detrimental to organizations. It brings negative headlines and financial and reputational penalties, while legal and regulatory sanctions can quickly escalate into the millions of dollars.


Phishing Evolved.

A whaling attack, or phishing evolved, is specifically aimed at a single, high-profile business target, including C-suite executives. This group has access to sensitive employee and/or customer data, banking, and/or securities accounts. Phishers target this group with e-mails and web-pages embedded with malicious code. When e-mail attachments are opened or web-pages are clicked, the code is activated. The malicious code unleashes backdoors, remote access or embedded keyloggers, and within hours or days the phisher gains access.

How does the ‘bait’ differ between Plain-Vanilla Phishing and Whaling?

Plain-vanilla phishing attacks are a numbers game and are mass generated; they are casually addressed ‘Dear customer’ or ‘Dear user’ e-mails, web-pages or pop-ups that appeal to a personal aspect of the target’s life. They may include ‘once in a lifetime vacation offers’ that are time-sensitive, or an urgent message that appears to be from your bank, PayPal or Netflix account and uses threats of ‘account closure’ or ‘compromise.’

In the case of whaling, there are a smaller number of attacks, but the phishers are looking for a bigger score. Whaling campaigns are highly customized to an executive’s specific position and responsibilities within the organization. Moreover, the phishers will specifically target those individuals who have wire transfer authority. Phishers craft e-mails and malicious web-pages that appear to come from a trusted source and that demand an immediate response.

The target opens the viral e-mail attachment or clicks on a malicious web-page. Game over. What is even more disturbing, once phishers are armed with access, they will often launch further attacks, causing considerable monetary and reputational damage.

Why is whaling pervasive?

A key reason whaling is so pervasive is that individuals overshare personal and behavioral data on social media applications. Phishers can tap this information, otherwise known as open-source intelligence (OSINT). The well-crafted e-mails and web-pages are designed using the target’s OSINT. The more personal information the target shares publicly, the greater the risk that this information will be used to manipulate them.

The risks are real.

The FBI has commented that whaling, or what they refer to as BEC (Business Email Compromise) attacks, is an ‘emerging global threat.’ Companies from all 50 US states and 79 countries have lost approximately $1.2 billion in the previous two years (2013-2015).

Reducing risk.

  • Lock down privacy settings on social media accounts.
  • Limit the use of third-party applications.
  • Two-factor authentication and multiple signatures should be implemented for the vendor payment process.
  • Employ a team either in-house or from the outside that can effectively assess the organization’s overall predisposition to phishing/whaling attacks by having a precise idea of what OSINT is available that could be used against the organization.
  • Increase awareness through continuous and ongoing training programs with staged, real-world phishing, whaling, and other social engineering attacks.
  • Look to C-Suite executives to make data breach preparedness a continuing priority for the entire company.

As information security professionals develop new defenses and warnings, the threat actors will continue to adapt, and we need to be prepared. There is no one-hundred-percent fix for social engineering threats. The key is continuous training and reinforcement, which should include all employees, not just management and the executives.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Chances are, the next security breach will be caused by social engineers exploiting the weakest link in the security chain of your organization.

The art of manipulating people into giving up personal or sensitive information is known as social engineering. Social engineers are ruthless and innovative criminals who take advantage of human behavior to gain access to data or networks or to infiltrate businesses, because it is often ‘easier to exploit an individual’s penchant to trust than discovering new methods to hack’ your systems.

The weakest link in the security chain of any organization is its employees. The weakness stems from a lack of training and awareness of social engineering methods. Organizations need to become versed in the threats posed by social engineers, as employees from C-level executives to the mail room can and will be targeted, and some will fall victim, introducing risk into the organization.

The techniques used by social engineering criminals range broadly: from phishing emails that trick users into opening an attachment that carries a dangerous payload, to showing up as delivery people, tech support, or job applicants in order to physically access data centers, including ISOCs and SOCs. Worse yet are the social engineering criminal rings that resort to strong-arm tactics, ransom, and threats. Whatever method or strategy the social engineer uses, they all play on our emotions, whether curiosity, fear or greed.

There are thousands of variations of attacks used by social engineers. The only limit to the number of exploits is the criminal’s imagination. Often one victim can experience multiple forms of exploits wrapped up in a single attack. Nevertheless, when they get all they can from the individual, it is not over: more than likely their information is sold, and shortly new criminals are exercising innovative exploits against the same individual, their contacts, and their contacts’ contacts, resulting in an interminable cycle.

Start building your social engineering smarts.

Free Money!

People, it is 2017: offers of ‘free money,’ including winnings from foreign lotteries, a previously unknown wealthy relative who wants to leave you billions, or requests to transfer funds from a foreign entity for a share of the money, are all guaranteed to be a scam. Don’t fall for it.

Email Hijacking

If it is out of the ordinary to receive an email from a friend, co-worker, your boss or your boss’s boss that includes links or attachments, make a phone call before clicking on the potentially malicious attachments. The social engineer’s goal is to take control of an email account, then your social media, and then all your friends and friends’ friends. All they need to accomplish this is for the recipient to click on that attachment. Don’t do it. Call and verify.


A phisher will send e-mails, instant messages (IMs), or text messages that seem to come from a legitimate organization, such as your bank, that requires you to ‘verify’ your personal information. Often the messages include an impending-doom warning of what will happen if you fail to act ‘now.’ Criminals play on your emotions; whether it is a familiar bank or a co-worker’s name, they use urgency and panic to get you to ‘respond first and think later.’ Stop and think before acting.


Ransomware is malware which kidnaps your critical data, encrypts it and holds it for payment in return for the decryption key. Ransomware spreads through phishing e-mail attachments, infected programs, and compromised websites. No organization is immune, from healthcare to critical infrastructure. Once the computer or network becomes infected, there is no option other than paying the ransom. There are no guarantees the criminals will not kidnap your data again, nor is there any guarantee that the data will be released. Don’t click on links or attachments in unsolicited emails. Look up sites you are unsure of on the Malware Domain List before visiting them.


Vishing is a phone scam usually carried out through robocalling. These criminals are intent on stealing account numbers and passwords. The criminals are prepared with a convincing phone number which appears as if it is coming from your bank; the victim is then persuaded that their account(s) have been endangered and that they have to act quickly; panic often leads people into acting without thinking. The balances are transferred, and the criminals move on. Remember, banks and financial institutions will never contact you to ‘verify’ your personal information.


Social engineers recognize that if you dangle something people want, like free music, free movies or the hottest game in town for free, someone will eventually take the bait. Once the bait is taken, the individual’s computer is corrupted with malicious software that can often lead to countless continued exploits. Often the victim loses their money without receiving their purchased item(s), and, if they used a checking account, they may find that their bank account(s) have been emptied. Free is good, but it’s never actually free.

Social engineers want you to act first and think later. Never let their actions influence your careful review of the situation.

  • Be suspicious of all unsolicited messages.
  • Never open a link or attachment without verifying first.
  • Delete all requests for passwords or personal information.
  • Block all automated calls.
  • Register on the Do Not Call List (1-888-382-1222).
  • Never answer a call from a blocked number.

Cybersecurity is a shared responsibility. Stop. Think. Connect.