Skip to content

Trending tags

Gone phishing – A social engineering experiment

Noora Hyvärinen

07.03.18 3 min. read


Employee security awareness plays a key role in protecting your business from advanced cyber threats. In many cases, an unsuspecting employee opens the avenue for an attacker by clicking on a link, opening an attachment or providing information that is not intended to be shared. We designed a phishing experiment to show how social engineering works in real life.

Linda Liukas, a renowned children’s programming author and TEDx speaker,  agrees to do something most people would not do – she lets our cyber security experts hack her. Watch the video to see, what was the result of the hacking experiment and what kind of tactics were used.

Social engineering – should one be worried about it?

For ordinary people, it is indeed not very common to become a target of an advanced cyber attack, but for employees who have access to companies’ most critical information and systems, it is actually a very relevant concern. In Linda’s case, the goal of an attacker could be for example to gain access to the valuable network of companies she works with.

Nowadays, one of the best methods for an attacker to get in is social engineering, the exploitation of human psychology. To gain access to companies’ valuable assets, the reconnaissance phase is important. In addition to online data mining and social media research, the attacker might attempt to gain physical access to the company’s premises or even dig through the trash to find material that will help establish access to the target.

Spear phishing targets specific individuals

In Linda’s case, one interesting avenue of attack would be to gain access to Linda’s email or social accounts through a phishing email, for example. Spear phishing emails are personalized and appear to be from someone the target trusts. They are designed to trick the target into clicking on a malicious link and give out sensitive information, such as passwords.

With access to Linda’s accounts, the attackers would be able to leverage the trust Linda’s network has on her, send over a crafted malware payload and gain access to the target organization.

The attackers’ advantage

Most attacks are a result of simple human errors. For a savvy individual, it might be possible to dodge an attack for some time by being extra alert and suspicious. For organizations, the problem is that all it takes is a single mistake by one individual employee. Attackers, on the other hand, have an unlimited number of attempts and time on their side. With enough time and persistence, they will get in.

In fact, it is not fair to talk about human errors. Emails are designed to be opened and read, aren’t they? The right way to address the issue is to have other controls in place. If you have a business to protect, you shouldn’t depend on the fact that people don’t open malicious emails.

A targeted attack can remain unnoticed for months

An attacker who has gained access by social engineering methods is extremely difficult to trace. Typically, an organization is unable to detect a well-crafted cyber attack for months. Attackers rely on companies’ lack of visibility to their IT infrastructures to hide their movements. The longer the attacker remains unnoticed, the bigger the financial losses and damage to the company brand and reputation will be.

The only way to protect your company against targeted attacks is the combination of smart software and top human talent. Powerful detection and response solutions are a great way to make sure your organization is well equipped to face an attack.

Linda Liukas, Tuomo Makkonen, hacked, cyber security, Adventures in Cyberland

F-Secure Cyber Security Crash Course explains in simple terms what kind of threats are out there and how they can be spotted and stopped. Linda Liukas, a programmer, children’s book author and TED speaker, explores the wonders of cyber security with the best talent in the industry. She even agrees to let F-Secure’s experts hack her. Watch the six short videos to learn what you can do to detect and respond to advanced cyber attacks. Include the Cyber Security Crash Course videos in your security training programme to foster awareness within your organization.

Noora Hyvärinen

07.03.18 3 min. read


Related posts


Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.