
Social Media, Social Engineering, and Business Email Compromise

Over the last decade, phishing – a type of social engineering attack – has transformed from something more like spam to the threat most likely to cause a breach. During that same period, the number of adults on social media platforms like Facebook increased by almost 1,300%.

See the correlation? To find out just how vulnerable people and businesses are, we surveyed 4,000 employees and interviewed ten hackers.

The social network
90% of people post information related to their personal and professional lives online. As you might expect, younger generations are more likely to have a social media presence than older generations.

We know what you’re thinking: “So what?”

Every photo we post, status we update, person we tag, and place we check in to reveals valuable information about our personal and professional lives. With this information, hackers are able to craft more targeted, more believable, and – most importantly – more effective social engineering attacks against people and businesses, leaving PII, trade secrets, and money vulnerable to attack.

Hackers hack humans to hack companies
While those in the UK share slightly less information online than those in the US, employees in both regions are leaving their organizations incredibly vulnerable to BEC. Remember: The more bad actors know about you, the more personalized (and effective) their attacks will be.

One-third of people share business travel updates and photos online. 93% of people update their social profiles when they get a new job. This can help hackers decide who to impersonate, who to target (new starters can be prime targets), when to target them, and what mediums to use for the attack. Download the full report for examples.

Connecting the dots
But social media isn’t just used for reconnaissance. It can also be used as a cheat sheet to access your accounts.

Think about the most common questions you’re asked to verify your identity as a first step in any “security check”.

Your birthday, your pet’s name, your mother’s maiden name, your zipcode… 

If your social media accounts are public, if you share photos, and if your family and friends are also active online, this information is surprisingly easy to unearth, especially with tools like Sherlock.

Social Engineering Attack

Type of Attack: CEO Fraud
Industry: Financial Services
Hacker Motivation: (Quick) Financial Gain

1. The hacker group monitors news wires for up-to-date information about banks in the United States to find their target, an asset management firm called SoBank.

2. They see that the company’s CFO – Andrew Neal – is out of office (OOO) at a conference.

3. Thanks to his OOO message, they’re able to identify their target, Tristan Porter. They also learn that Andrew goes by “Andy” at work.

4. The hacker group sends a fabricated email chain that appears to be between Andy and Gregory Ellwood, Senior Partner at Dorling Clayton – SoBank’s advising firm – urging Tristan to make a wire transfer.

About that OOO message…
Whether they realize it or not, people share a lot of personal information on email, too. For example, 93% of people automate Out of Office (OOO) messages. It’s a sensible thing to do.

But, sharing too much information in those OOO messages isn’t so sensible, especially because email is an open channel. Anyone can email you. That means – depending on your OOO settings – anyone could access the information included in your message. 53% of people say how long they’ll be gone. 43% give the details of where they’re going. (A conference, for example.) 48% identify a point of contact. 

All this information provides a hacker with the raw material they need to craft a convincing email targeting or impersonating the person out of the office or a colleague.

How to Hack a Human
Download the full report
Want to get inside the mind of a hacker? Download the report for more insights, including a peek inside a hacker’s toolkit.
Not-so-strong passwords
Your birthday, your pet’s name, your mother’s maiden name, your zip code... this information is often easily accessible online.

As we’ve mentioned, it can help hackers breeze through security checks. It can also help them crack passwords.

This is especially the case since the overwhelming majority of people reuse passwords. In fact, only 15% of people don’t reuse passwords. That means if a hacker gains access to one of your accounts – either by brute force or credential phishing – they may be able to access several of your accounts.

For consumer accounts like Amazon, that could mean fraudulent transactions and a compromised address book. For professional accounts like G Suite, that could mean easy access to everything on your drive and in your inbox.

We’re not all security experts
Social engineering attacks are carefully crafted. That means it’s unfair and unrealistic to expect the average person to be able to spot one. But, our data shows that the majority of people don’t inspect emails thoroughly before responding to them.

55% don’t inspect cc’d recipients. 50% don’t inspect the sender’s display name. 46% don’t even inspect the sender’s email address.

Why? Quick-to-click cultures. Decreased visibility on mobile. Stress. Distraction. 

Whatever it is, the lack of due diligence makes it even easier for hackers to carry out successful attacks.

Does this look suspicious to you?
You could make the argument that people don’t carefully inspect their incoming emails because they have no need to be diligent. Our data tells a different story.

88% of people have received a suspicious message or link in the last year. Via which channel? Most often email, followed by social media, then text message.

And some industries are receiving more suspicious messages than others. Unsurprisingly, it’s those that handle the most sensitive information, like Financial Services, Healthcare, and Information Technology.

Methodology
In addition to using Tessian platform data, and insights garnered from interviews with the HackerOne community and experts in social engineering, we commissioned OnePoll to survey 4,000 working professionals: 2,000 in the US and 2,000 in the UK.

Survey respondents varied in age from 18-51+, occupied various roles across departments and industries, and worked within organizations ranging in size from 2-1,000+.
Publicly available third-party research was also used, with all sources listed on this page.

Midpoints and averages were used when calculating some figures, and percentages may not always add up to 100% due to rounding.