Five social engineering scams employees still fall for

You’ve trained them. You’ve deployed simulated phishing tests. You’ve reminded your employees countless times with posters and games and emails about avoiding phishing scams. Still, they keep falling for the same ploys they’ve been warned about for years. It’s enough to drive security teams to madness.

You’ve trained them. You’ve deployed simulated phishing tests. You’ve reminded your employees countless times with posters and games and emails about avoiding phishing scams. Still, they keep falling for the same ploys they’ve been warned about for years. It’s enough to drive security teams to madness.

According to Verizon’s 2016 Data Breach Investigation Report, 30 percent of phishing messages were opened by their intended target, and about 12 percent of recipients went on to click the malicious attachment or link that enabled the attack to succeed. A year earlier, only 23 percent of users opened the email, which suggests that employees are getting worse at identifying phishing emails -- or the bad guys are finding more creative ways to outsmart users.

The consequences of a security breach caused by human error are bigger than ever. For starters, the No. 1 inflection point for ransomware is through phishing attacks, says Stu Sjouwerman, founder and CEO of KnowBe4. What’s more, a handful of competing cyber mafias “are casting their nets wider and wider,” with more scams to more users, to attract more hits, he says.

A single ransomware cyber mafia was able to collect $121 million in ransomware payments during the first half of this year, netting $94 million after expenses, according to McAfee Labs’ September 2016 Threats Report. Total ransomware increased by 128 percent during the first half of 2016 compared to the same period last year. There were 1.3 million new ransomware samples recorded, the highest number since McAfee began tracking it.

One look at the top five social engineering scams that employees still fall for, and it’s not hard to see their appeal. Sjouwerman calls them the seven deadly social engineering vices that most employees share: Curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy.

Human nature may be to blame for many security breaches, but there are ways to help employees shed their bad habits and avoid these scams.

1.‘Well it looked official’

Official-looking emails that appear to be work related – with subject lines such as “Invoice Attached,” “Here’s the file you needed,” or “Look at this resume” -- still have employees stumped, experts say.

A survey by Wombat Technologies found that employees were more cautious when receiving “consumer” emails regarding topics like gift card notifications, or social networking accounts, than they were with seemingly work-related emails. A subject line that read, “urgent email password change request,” had a 28 percent average click rate, according to the report.

scam lines chart

“Most people are not going to look really closely to know where that email came from, and they click on it and their machine may be taken over by somebody, or infected,” says Ronald Nutter, online security expert and author of The Hackers Are Coming, How to Safely Surf the Internet.

“Especially when you’re exchanging files with subcontractors or partners on a project, you really should be using a secure file transfer system so you know where the file came from and that it’s been vetted.” He also cautions recipients to be wary of any file that asks the user to enable macros, which can lead to a system takeover.

In the absence of a secure file transfer system, users should hover their cursor over email addresses and links before they click to see if the sender and type of file are legitimate, he adds.

2. ‘You missed a voicemail!’

Scammers have been trying to install malicious software through emails designed to look like internal voicemail service messages since 2014. Businesses often have systems set up to forward audio files and messages to employees, which is convenient but hard for users to discern as a phishing hoax.

Today, “The voicemail is a spoofed Microsoft or Cisco kind of voicemail,” Sjouwerman says. “They go to their in-box and there is a voicemail, but they missed it and then open the attachment. [Spoofers] can catch practically anyone with that,” and not just the accounting department where invoice scams are sent, he adds.

3. Free stuff

Most employees can’t resist free stuff – from pizza to event tickets to software downloads – and they’ll click on just about any link to get it, phishing experts say.

“Nothing is truly ever free,” Nutter says. “We’re starting to see again where you’ll get a link saying, ‘Here’s free software.’ It could be something that’s actually out there already for free, but they’re sending you through their website, which means you may be getting infected or compromised software.”

Adding to the danger, “A lot of these download sites are bundling [software], and you also have to download something else that you don’t even want,” Nutter adds. “If it compromises your security setup, now you’ve just opened Pandora’s box.”

He recommends first checking to see if your organization has already licensed the software, or if it’s truly free software, then go directly to the software vendor’s website to download.

4. Fake LinkedIn invitations and Inmail

One of the commonly repeated scams that Proofpoint is seeing involves fraudulent employee accounts on LinkedIn that are being used for information gathering, says Devin Redmond, vice president and general manager of digital security and compliance.

For instance, someone creates a fake LinkedIn account posing as a known member of a project team or even a company executive. “It looks very legitimate and that person does work for the organization. [The imposter] connects with you, you accept and they start communicating with you,” Redmond says. “As the employee, if it’s an executive account that you’re linked to, you’re happy and excited that this executive is communicating with you, and you start to, unknowingly, give information that’s sensitive or private to the organization.” Meanwhile, the information is being used as a broader campaign to gather sensitive information on the company.

Redmond suggests that if a colleague asks to connect on any social network, then email their legitimate work address and ask if they’ve requested to connect with you. “It’s an easy way to keep yourself out of hot water,” he adds.

5. Social media surfing at work

Employees who surf Facebook, Twitter and a host of other social media sites can potentially open the door for cyber thieves because the scams require less work for them, and it’s also a relatively new area of awareness training for employees.

“Think about that ROI from the bad actors’ perspective,” Redmond says. “Instead of having to send 1,000 emails (to get one hit), I can get them to my page with one post.”

Social media’s cyber risk is still a topic that employees understand the least – with an average of 31 percent of questions missed regarding security awareness on the topic, according to Wombat. However, 76 percent of organizations surveyed enable employees to use social media on their work devices. This puts organizations at significant risk considering the lack of understanding in the area.

“I speculate the reasons why organizations are doing so poorly is it’s still fairly relatively new,” says CTO Trevor Hawthorn. “We’re also seeing a younger workforce. There is a belief in the industry that those employees will just click on anything. I think there is something to that.”

Join the CSO newsletter!

Error: Please check your email address.

More about CiscoCSOFacebookMicrosoftProofpointTwitterVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Stacy Collett

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts