Very Attacked People (VAPs) are doing cybercriminals’ work for them: report

Credit: ID 85050881 © Pavlo Syvak

System vulnerabilities were responsible for less than 1 percent of observed cyber attacks, according to a damning analysis that found human error was responsible in 99 percent of cases as criminals increasingly – and successfully – target vulnerable people with social-engineering tactics.

Despite the increase in executive-targeting business email compromise (BEC) attacks – which the US FBI recently said have become a $US26b ($A38b) problem in the past three years – Proofpoint’s 2019 Human Factor Report found that ‘very attacked people’ (VAPs) often were not company executives.

Rather, the report notes, they are people who “tend to be either easily discovered identities or targets of opportunity like shared public accounts”.

Fully 36 percent of identities associated with a breach could be found online just by scanning corporate websites, social-media accounts, publications, and other documents. From there, detailed social-engineering campaigns were proving so effective that cybercriminals were finding them easier to run and manage than malware.

“Cybercriminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” said Kevin Epstein, vice president of Threat Operations for Proofpoint.

“More than 99 percent of cyberattacks rely on human interaction to work—making individual users the last line of defence. To significantly reduce risk, organisations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defences that provide visibility into their most attacked users.”

Real-estate, construction, government, and insurance targets were most frequently attacked, according to Proofpoint Attack Index ratings – a combined measure of actor, targeting, and threat type – which also found that the education, entertainment/media, automotive, construction, engineering and healthcare industries had the highest concentration of VAPs.