Rather than targeting systems and infrastructures, cybercriminals are focusing most of their efforts on exploiting human instincts.

More than 99 percent of cybercriminals rely on human interaction to install malware, initiate fraudulent transactions, steal data, and more, according to a recently released study by Proofpoint.

To conduct the study, the enterprise security company gathered data from across its customer base and analyzed billions of messages per day on hundreds of millions of domains.

Here’s what the study’s researcher highlighted in the report, titled “Human Factor Report 2019”: People remain the primary target of attackers and remain the last line of defense for businesses.

Threat actors are exploiting people (and they’re good at it)
Even though cybercriminals do exploit system vulnerabilities from time to time, it’s not their favorite way to attack a business.

The much easier way to infiltrate networks and systems is by targeting the humans connected to them through deceitful tactics and other means.

These threats make things much harder for SMBs doing nearly everything possible to protect their networks and systems. There are actions they can take to limit their exposure to potential cybersecurity threats in an evolving threat landscape that are typically increasingly “people-centric.”

For example, SMBs should do what they can to identify employees who represent the greatest sources of risk.

These employees typically have larger digital footprints than others. The identities of 36 percent of employees frequently attacked by cybercriminals can easily be found online (via corporate websites, social media, publications, and elsewhere), according to Proofpoint’s report. The researchers also found that the contact information for these identities is typically available in more than one place.

Unbelievably, C-suite executives typically aren’t targeted as much by cybercriminals. It’s a lot more difficult for threat actors to find contact information for these high-level executives. Only 7 percent of their email addresses can be found online, according to the study; however, of high-profile individuals who are more likely to be targeted by cybercriminals, 23 percent of their email identities can be found by simply using Google search.

After gathering the data, cybercriminals are attacking employees in a variety of ways.

How are cybercriminals exploiting employees?
While there are numerous attack vectors hackers can use to gain access to networks and systems, the top one, by far, is email.

Phishing campaigns are growing, especially those seeking email credentials from their victims. The study found this type of generic email harvesting accounted for nearly 25 percent of all phishing schemes in 2019. Close behind is account phishing for Office 365, which took the top spot in the first half of 2019.

Hackers are also using imposter attacks, which primarily rely on identity deception techniques, to siphon money from their intended targets — and the numbers are staggering.

Imposter scams, in general, are effective. Here are the numbers: Consumers reported losing a total of nearly $488 million to several types of imposter scams in 2018, according to the Federal Trade Commission (FTC).

Back in 2016, the FBI released data on the effectiveness of imposter emails. The agency learned that over several years, these attacks collected $2.3 billion by exploiting more than 17,000 victims.

These attacks were common in a variety of industries throughout 2018, including engineering, automotive, and education, but in 2019, a shift toward financial services, healthcare, and retail began, according to the report.

Businesses of all sizes are potential targets for imposter threats. Cybercriminals aren’t only using these attacks on larger organizations; they’re targeting SMBs, too, the report found.

By targeting humans, cybercriminals are exploiting instincts, many of which will help drive millions of dollars into the hands of threat actors — who will be sure to continue their efforts in the future.