By Christopher J. Mondoux


As a cybersecurity professional, I am often asked what keeps me awake at night. If I had a dime for every strange look I receive when I answer, “you,” I would be a very rich cybersecurity professional. Not that I believe you personally are a security risk, but that humans, in general, are.

Phishing emails, in particular, are successful because they target our typical good nature and compliance, along with our desire to help. This business of exploiting human nature is a thriving venture, and email is the perfect delivery system. We only need to be reminded of the following statistics as proof of this theory:

  • 250%: In the first quarter of 2016, the world witnessed a 250 percent surge in phishing email activity.[1]
  • #1: Phishing emails have become the No. 1 method for the delivery of malware.[2]
  • 90%: By March of 2016, nine out of every 10 phishing emails were reported to be the primary delivery mechanism for ransomware,[3] one of the most destructive types of malware known to organizations and individuals alike.

These statistics are not growing by coincidence. Hackers understand human nature — and by using our everyday tools, such as email, they know how to take advantage of us.

As if those statistics don’t already tell the story, this alarming and revealing statistic will: 30 percent of all phishing emails are opened by those receiving them.[4]

Unfortunately for business owners, it only takes one employee (not 30 percent) clicking on one malicious link or attachment to bring an entire business network down. From the moment they click on malicious content, any employee’s hard drive can be encrypted, sensitive information can be downloaded from their computer and personal information can be sold to the highest bidder.

Saving Us from Ourselves

Better technology will never be enough to keep us safe, and, in some cases, may provide a false sense of security. If employees believe our technical controls will stop everything “bad,” their guard will always be down. No matter the situation, it is important to understand how to protect ourselves, as employees or personally, from our human nature. I have found this requires awareness and a little discipline. Here are some ways to stay secure:

  • Avoid public Wi-Fi. Public Wi-Fi is insecure and allows information you pass through the internet (e.g., user IDs, passwords, credit card numbers) to be easily captured.
  • Suspect unsolicited emails, even from trusted sources.
  • Use multiple email accounts. Having a single account puts all your eggs in one basket. If that account is compromised, everything is compromised. Even better, use different email providers for each account.
  • Suspect emails with poor grammar. Don’t ever assume someone made an editing mistake.
  • Avoid clicking on embedded links, especially in unsolicited emails.
  • Never provide personal, confidential or financial information in an email or attachment. If such information is requested, provide it in person.
  • Be suspicious of emails that appear to be of a pressing, urgent nature.
  • Refrain from clicking on attachments prior to verifying that the source is legitimate.
  • When in doubt, always verify. Never be afraid to call the sender using a number you know is legitimate to verify an email’s legitimacy. Be safe, not sorry.
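As an added illustration (not part of Mondoux's article), the checklist above can be turned into a small triage helper that scores a message against those same red flags and returns the article's advice: verify out of band before acting. The sample messages, the known-contact domain list, the keyword lists and the flag threshold are all constructed for this example.

```python
import re

# Heuristics mirror the article's checklist: unsolicited sender, urgency,
# requests for sensitive data, embedded links, risky attachments, poor grammar.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "act now",
                   "account will be suspended", "final notice")
SENSITIVE_REQUESTS = ("password", "social security", "credit card",
                      "account number", "wire transfer", "verify your account")
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)
RISKY_ATTACHMENT_RE = re.compile(
    r"\b[\w-]+\.(?:exe|scr|js|vbs|zip|iso|lnk|docm|xlsm)\b", re.IGNORECASE)
LOWERCASE_AFTER_STOP_RE = re.compile(r"[.!?]\s+[a-z]")  # crude grammar signal


def phishing_red_flags(sender_domain, subject, body, known_domains):
    """Return the list of checklist red flags found in one email."""
    text = f"{subject}\n{body}".lower()
    flags = []
    if sender_domain.lower() not in known_domains:
        flags.append("unsolicited: sender domain is not a known contact")
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency: pressure language in subject or body")
    if any(p in text for p in SENSITIVE_REQUESTS):
        flags.append("sensitive: asks for personal, credential or financial data")
    if LINK_RE.search(body):
        flags.append("link: embedded URL the reader is asked to click")
    if RISKY_ATTACHMENT_RE.search(body):
        flags.append("attachment: refers to an executable or macro-enabled file")
    if len(LOWERCASE_AFTER_STOP_RE.findall(body)) >= 2:
        flags.append("grammar: sentences that start in lowercase")
    return flags


def triage_verdict(flags):
    """Map the flag count to the article's advice (threshold is an assumption)."""
    if len(flags) >= 3:
        return "do not click: verify with the sender by a known phone number"
    if flags:
        return "treat with caution"
    return "no checklist red flags"


# Constructed sample messages and contact list (not real mail or real domains).
KNOWN_DOMAINS = {"example-partner.com", "corp.example"}
SUSPICIOUS = dict(
    sender_domain="secure-mail-update.example.net",
    subject="URGENT: account will be suspended",
    body=("dear customer. your mailbox is over quota. please verify your account "
          "within 24 hours at http://login.example.net/verify or open invoice.docm. "
          "kindly reply with your password to avoid interruption."))
BENIGN = dict(sender_domain="corp.example", subject="Lunch menu for Thursday",
              body="Hi all. The cafeteria will serve pasta on Thursday. See you there!")

if __name__ == "__main__":
    for msg in (SUSPICIOUS, BENIGN):
        found = phishing_red_flags(known_domains=KNOWN_DOMAINS, **msg)
        print(msg["subject"], "->", triage_verdict(found), found)
```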

Email has made our lives easier and more productive. It is a tool that allows us to stay connected to our world, while providing that same world access to us. For those reasons, it is also a perfect medium for hackers to gain access to our lives. We need to make it harder for hackers. By adopting the simple actions outlined in this article and being aware of our natural human tendencies, we can protect ourselves and avoid being victims.

  1. Bradley Barth, “APWG report: Phishing surges by 250 percent in Q1 2016,” SC Media, May 25, 2016, https://www.scmagazine.com/apwg-report-phishing-surges-by-250-percent-in-q1-2016/article/528186/
  2. Jonathan Crowe, “Phishing by the Numbers: Must-Know Phishing Statistics 2016,” Barkly, July 2016, https://blog.barkly.com/phishing-statistics-2016
  3. Jonathan Crowe, “Ransomware delivery channel #1: Email,” Barkly, September 2016, https://blog.barkly.com/how-ransomware-infects-computers#email
  4. Melissa Stevens, “Bitsight Security Ratings Blog,” BitSight, July 14, 2016, https://www.bitsighttech.com/blog/data-breach-statistics

About the Author

Christopher J. Mondoux

Information Security Manager – Financial Services, BB&T Corporate Information Security

Chris currently serves on the BB&T Corporate Information Security Subsidiary & Affiliate team and is the Information Security manager focused on the financial services lines of business. Chris earned his master’s degree in information security from Regis University and has more than 12 years of information security experience working in various capacities throughout several different industries.