“Hey, it looks like your Twitter account was hacked!”
I knew the attack was coming, and was on high alert for tricks that might fool me into forking over my username and password. I shouldn’t have clicked the link inside the message. But I did. Suddenly and without warning it was all over: I was hacked.
Phishing attacks deliver malicious and links in email messages that are designed to steal account login credentials. The scheme is effective for a broad range of hackers—from well-funded nation-states to lone-wolf hacktivists—because it’s inexpensive, easy to deploy, and customizable to fit the victim. Social media makes researching potential victims easy, and phishing software is so robust that cyberattackers can quickly create graphic design and text precisely tailored for specific targets.
Anyone can be hit by a phishing attack, and many consumers are vulnerable to losing thousands of dollars to identity theft scams. Phishing is also expensive for businesses, with the average cost of a data breach resulting from a phishing hack now in excess of $1 million per incident.
To learn more about the sophisticated targeting methods used by many attackers, my colleague Graham Kates and I asked a team of professional hackers to target us with a sustained phishing simulation designed to mimic a real-world attack. We learned that even when you’re prepared for a cyberattack, it’s remarkably easy to be fooled by a determined phisher.
Cofense, the team of professionals we enlisted, specializes in protecting enterprise companies against cyberattacks. (CBS News is a customer of Cofense.) After researching our personal interests, professional network and social media accounts, the company’s experts hammered our email accounts with provocative messages. After the assault, the company drafted a 25-page report that revealed specific tactics, and what we fell for and what we didn’t.
Over the two-week simulation timeline, we both successfully avoided the vast majority of messages. But we also each fell for a few particularly clever links. We were each vulnerable to email messages that manipulated our sense of stress and fear related to work. And we were receptive to attacks that preyed on empathy by appearing to come from family and friends.
Defensive protocols like two-factor authentication can fend off some attacks, but we learned the hard way that even when you expect a cyberattack it’s still remarkably easy to be victimized by a determined adversary.