A Successful Security Strategy Is All About Relationships. Here’s How to Build Them.
Security efforts are not limited to security teams. High impact strategies need to engage everyone from employees to the board of execs, DevOps teams and IT. Learn how how to become not just an effective partner but a trusted advisor across an organization.
Your Legacy Phishing Solution Isn’t Enough to Protect Your Organization
CISO Josh Yavor explains why legacy phishing solutions aren't effective in preventing successful attacks, and what you can do about it.
9 Things I’ve Learned Writing Phishing Emails
Ethical hacker, Craig Hays, explains why copywriting, timing, and context are all essential "ingredients" in crafting a phishing attack.
Employee Burnout Will Probably Cause Your Next Data Breach
Understanding how stress impacts cybersecurity behaviors could significantly reduce the chances of people’s mistakes compromising company’s security.
Stateful Machine Learning is Our Best (And Only) Bet
Traditional machine learning methods that are used to detect threats at the machine layer aren’t equipped to account for the complexities of human relationships and behaviors across businesses over time. There is no concept of “state” — the additional variable that makes human-layer security problems so complex.
How Easy Is It to Phish?
You don't have to be tech savvy to become a "hacker". This blog outlines how to create a phishing campaign, and was designed to help security leaders protect their organizations.

Explore Human Layer Security.

Learn About Our Mission
Subscribe to our newsletter
Explore Me
Read More
Video Thought Leadership

Why Do People Fall for Social Engineering Attacks in a Crisis?

Ed Bishop
12.08.2021
Share

Illustrations by Sua Balac

Tessian CTO and Co-founder, Ed Bishop was joined by Jeff Hancock (Prof. at Stanford University) and David Kennedy (Co-founder and Chief Hacking Officer at TrustedSec) to talk about how hackers have capitalized on the pandemic, and what can be done to stop them.

Watch the full interview here, or read on for three of Ed’s key takeaways.

People are easier to manipulate when they are working from home

JH: When we change environments as radically as we have over the pandemic – moving from working in an office to working at home – it requires a mindset shift. Classically, we see the office as a psychological space where we’re familiar with what is safe, and what is not. When this is disrupted, it’s not that we become more careless or stupid…we just need some time to adjust to the new environment. This is the case because some of our cognition resides in our environment, and attackers take advantage of that.

Another similar idea is that of ‘places’. Most of the time people have three places – home, work, and where they have fun. Combining two places into one is challenging psychologically, and makes users more vulnerable to attacks. This is because at home, we are without all of the usual cues that remind us to think about cybersecurity, and we also don’t have a colleague to turn to in the way that we usually would. This vulnerable state does not last forever, but it is a huge disruption.

 

 

Attackers will use hot topics and high-profile global events to gain access to systems

DK: When people moved to work from home, the cyber landscape changed, but the vast majority of companies provided no additional security training to keep up with it. In contrast, the techniques that attackers use change very rapidly with major events and the changing world. 

One of the very first cases that we saw of leveraging real-world events for social engineering was when Patrick Swayze passed away. Cybercriminals used Google to attack users. Shortly after Swayze’s death, if you Googled ‘Patrick Swayze death’ and clicked on the first search result, it would deliver malware to your computer. This campaign was highly successful – infecting tens of thousands of machines before Google managed to take it down.

Since then, there has been a number of examples of this type of attack. What is clear is that attackers will use this type of information very quickly – spinning it into something that they can use to gain trust and access your systems.

Share this Article

Attacks are becoming more targeted and sophisticated, and security education needs to reflect this

DK: These days, attacks often involve highly specialized infiltration groups that focus on open-source intelligence gathering and understanding your employees, their positions, and the technologies use. Attackers then craft pretexts for attacks directly off information that would be used within your own environment. These attacks are typically targeted against 1-3 individuals and are incredibly hard to defend against because they have a low ratio of detection versus commodity attacks that often target thousands of employees.

A recent attack I saw involved an employee being contacted by an attacker pretending to be from the IT department to gain access to their device. What attacks like this tell us is that during times of disruption, not a lot of people know what ‘normal’ looks like, and attackers take advantage of this. So, our work from home cybersecurity strategy needs to be very simplistic, and involve ongoing education that includes real-world examples.

JH: Legitimacy and trust play a part in the human psyche, and we use heuristics that we have evolved over many millennia. So if we encounter someone who knows a lot about us, our friends, and our network, we believe they are likely to be a ‘friend’, not a ‘foe’. For example, we recently had a case where an attacker used Google Maps Streetview to identify a plumbing van outside a user’s house. They then referred to ‘recent plumbing issues’ to convince the user that they were their neighbor. 

So, to keep up with the creativity of attackers we have to think of security education as a journey, not a destination. We also need employees to believe in their company, to feel that their company is on a journey to something big. When employees believe in the company they want to help it move forward, and security falls into place.

For more on how crises can change the cybersecurity landscape, watch the full discussion, here.