Many other hacks start with a text message. According to The New York Times, a fake text message tricked an employee into revealing their password, which led to a large-scale compromise of the company's IT systems.

These kinds of social engineering threats are not easy to defend against. It doesn't matter how good a firm's password policies are, whether sensitive information is properly stored, or whether multi-factor authentication is used, there's always a chance that a human employee will be fooled into letting the attacker in.

A blanket term for this kind of attack is social engineering, which covers a wide range of techniques that trick targets into revealing sensitive information. ZeroFox said in its quarterly threat report that social engineering remained one of the most frequently reported intrusion tactics in Q2. It is one of the most difficult attacks to protect against, because people can be fooled.

Josh Yavor is the CISO at an email security provider. According to Yavor, social engineering is the most common way that companies fall victim to breaches.

It was the use of social engineering techniques that allowed the attacker to skirt around multi-factor authentication processes that would usually prevent an unauthorized login.

Screenshots from conversations with the hacker show how the attack unfolded. After obtaining the employee's password, the hacker sent a message to the employee claiming to be from the IT department instructing them to confirm that the login attempt was legit.

This gave them access to a virtual private network that they could use to connect to the corporate intranet of the company. An admin password was found in a script that is used to automate tasks on Windows machines.

In a Telegram message, the hacker said he was able to get secrets for all services.

Social engineering is not included in most bug bounty reward schemes, making it harder for companies to prepare. Schemes that pay researchers for showing how they can break into systems usually do not cover social engineering attacks. In Uber's case, it was clear that social engineering was out of scope for the company's own bug bounty program.

If social engineering attacks are excluded from bug bounty programs, attackers are more likely to target employees.

Carruthers said that the target isn't an internet address or endpoint. There may be ethical concerns if a bounty hunter is allowed to test a person over whom they have no legal authority.

The ethical challenge is harder to fix than a technical one. A software vulnerability can be patched once it is disclosed, but there are few comparable options for fixing the human problem.

Organizations don't include social engineering in their bug bounty program because they know a social engineering attack will work.

The target isn't an address or a device, it's a person.

Companies try to prepare their staff against such attacks with "red teaming", hiring a security firm to try to compromise employees' systems with similar tactics and then providing a report on how they could improve. It is a strategy that improves security but may fail to emulate the deviousness and persistence of real world social engineering hacks due to ethical constraints.

Physical security keys can be required to log on instead of app-based notifications. Cloudflare was recently targeted by a sophisticated phishing scam but was able to minimize its impact thanks to hardware token authentication. If the employee had a security key, the hacker wouldn't have been able to get into the system without physical access.
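The following Python sketch is an added illustration, not code from the article or from any of the companies it mentions, of why a security key holds up where a push notification does not: the key signs the origin the browser actually visited, so an assertion collected on a look-alike domain fails verification at the real service, while a push approval carries no such binding. The hostnames are constructed, and the HMAC stand-in for the key's public-key signature (with the relying party holding the same secret) is a simplification for a standard-library-only demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example values; not taken from any real incident.
RP_ORIGIN = "https://vpn.example.com"
PHISH_ORIGIN = "https://vpn-example.com"  # constructed look-alike origin

# Stand-in for the private key held on a hardware security key.
# Real FIDO2/WebAuthn keys use public-key signatures; an HMAC over the
# same fields keeps this runnable with only the standard library.
KEY_SECRET = secrets.token_bytes(32)


def authenticator_sign(origin: str, challenge: str) -> dict:
    """Simulate a security key: it signs the origin the *browser* saw.
    Neither the user nor a phishing page can make it sign a different one."""
    client_data = json.dumps({"origin": origin, "challenge": challenge}, sort_keys=True)
    sig = hmac.new(KEY_SECRET, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def rp_verify(assertion: dict, issued_challenge: str) -> bool:
    """Relying-party check: signature valid, origin is ours, challenge is the one we issued."""
    expected = hmac.new(KEY_SECRET, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["origin"] == RP_ORIGIN and data["challenge"] == issued_challenge


def push_mfa_approve(user_tapped_approve: bool) -> bool:
    """App-based push prompt: nothing ties the approval to where the login came from."""
    return user_tapped_approve


def run_demo() -> tuple:
    challenge = secrets.token_hex(16)
    # Legitimate login: the browser is on the real origin.
    legit_ok = rp_verify(authenticator_sign(RP_ORIGIN, challenge), challenge)
    # Relayed login: the key signs the look-alike origin the browser is on,
    # so the real service rejects it even though the user touched the key.
    relayed_ok = rp_verify(authenticator_sign(PHISH_ORIGIN, challenge), challenge)
    # Push MFA: a user talked into tapping "approve" lets the session through.
    push_ok = push_mfa_approve(True)
    return legit_ok, relayed_ok, push_ok
```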

The threat from social engineering is not completely eliminated, however.

Carruthers says that you can't patch an attack when it's human.