<div dir="ltr"><a href="http://www.csoonline.com/article/3121791/social-engineering/five-social-engineering-scams-employees-still-fall-for.html">http://www.csoonline.com/article/3121791/social-engineering/five-social-engineering-scams-employees-still-fall-for.html</a><br><p>
You’ve trained them. You’ve deployed simulated phishing tests. You’ve
reminded your employees countless times with posters and games and
emails about avoiding phishing scams.
Still, they keep falling for the same ploys they’ve been warned about
for years. It’s enough to drive security teams to madness.
</p><p>
According to Verizon’s 2016 Data Breach Investigations Report,
30 percent of phishing messages were opened by their intended target,
and about 12 percent of recipients went on to click the malicious
attachment or link that enabled the attack to succeed. A year earlier,
only 23 percent of users opened the email, which suggests that employees
are getting worse at identifying phishing emails -- or the bad guys are
finding more creative ways to outsmart users.
</p><p>
The consequences of a security breach caused by human error are bigger
than ever. For starters, the No. 1 inflection point for ransomware is
through phishing attacks, says Stu Sjouwerman, founder and CEO of KnowBe4.
What’s more, a handful of competing cyber mafias “are casting their
nets wider and wider,” with more scams to more users, to attract more
hits, he says.
</p><p>
A single ransomware cyber
mafia was able to collect $121 million in ransomware payments during
the first half of this year, netting $94 million after expenses,
according to McAfee Labs’ September 2016 Threats Report. Total
ransomware increased by 128 percent during the first half of 2016
compared to the same period last year. There were 1.3 million new
ransomware samples recorded, the highest number since McAfee began
tracking it.
</p><p>
One look at the top five social engineering scams that employees still
fall for, and it’s not hard to see their appeal. Sjouwerman calls them
the seven deadly social engineering vices that most employees share:
Curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and
apathy.
</p><p>
Human nature may be to blame for many security breaches, but there are
ways to help employees shed their bad habits and avoid these scams.
</p><p>
<strong>1. ‘Well it <em>looked</em> official’</strong>
</p><p>
Official-looking emails that appear to be work related – with subject
lines such as “Invoice Attached,” “Here’s the file you needed,” or “Look
at this resume” -- still have employees stumped, experts say.
</p><p>
A survey by Wombat Technologies found that employees were more cautious
when receiving “consumer” emails regarding topics like gift card
notifications, or social networking accounts, than they were with
seemingly work-related emails. A subject line that read, “urgent email
password change request,” had a 28 percent average click rate, according
to the report.
</p><p>
“Most people are not going to look really closely to know where that
email came from, and they click on it and their machine may be taken
over by somebody, or infected,” says Ronald Nutter, online security
expert and author of <em>The Hackers Are Coming, How to Safely Surf the Internet</em>.
</p><p>
“Especially when you’re exchanging files with subcontractors or partners
on a project, you really should be using a secure file transfer system
so you know where the file came from and that it’s been vetted.” He also
cautions recipients to be wary of any file that asks the user to enable
macros, which can lead to a system takeover.
</p><p>
In the absence of a secure file transfer system, users should hover
their cursor over email addresses and links before they click to see if
the sender and type of file are legitimate, he adds.
</p><p>
<strong>2. ‘You missed a voicemail!’</strong>
</p><p>
Scammers have been trying to install malicious software through emails
designed to look like internal voicemail service messages since 2014.
Businesses often have systems set up to forward audio files and messages
to employees, which is convenient but hard for users to discern as a
phishing hoax.
</p><p>
Today, “The voicemail is a spoofed Microsoft or Cisco kind of
voicemail,” Sjouwerman says. “They go to their in-box and there is a
voicemail, but they missed it and then open the attachment. [Spoofers]
can catch practically anyone with that,” and not just the accounting
department where invoice scams are sent, he adds.
</p><p>
<strong>3. Free stuff</strong>
</p><p>
Most employees can’t resist free stuff – from pizza to event tickets to
software downloads – and they’ll click on just about any link to get it,
phishing experts say.
</p><p>
“Nothing is truly ever free,” Nutter says. “We’re starting to see again
where you’ll get a link saying, ‘Here’s free software.’ It could be
something that’s actually out there already for free, but they’re
sending you through their website, which means you may be getting
infected or compromised software.”
</p><p>
Adding to the danger, “A lot of these download sites are bundling
[software], and you also have to download something else that you don’t
even want,” Nutter adds. “If it compromises your security setup, now
you’ve just opened Pandora’s box.”
</p><p>
He recommends first checking to see if your organization has already
licensed the software, or if it’s truly free software, then go directly
to the software vendor’s website to download.
</p><p>
<strong>4. Fake LinkedIn invitations and InMail</strong>
</p><p>
One of the commonly repeated scams that Proofpoint is seeing involves
fraudulent employee accounts on LinkedIn that are being used for
information gathering, says Devin Redmond, vice president and general
manager of digital security and compliance.
</p><p>
For instance, someone creates a fake LinkedIn account posing as a known
member of a project team or even a company executive. “It looks very
legitimate and that person does work for the organization. [The
imposter] connects with you, you accept and they start communicating
with you,” Redmond says. “As the employee, if it’s an executive account
that you’re linked to, you’re happy and excited that this executive is
communicating with you, and you start to, unknowingly, give information
that’s sensitive or private to the organization.” Meanwhile, the
information is being used as a broader campaign to gather sensitive
information on the company.
</p><p>
Redmond suggests that if a colleague asks to connect on any social
network, then email their legitimate work address and ask if they’ve
requested to connect with you. “It’s an easy way to keep yourself out of
hot water,” he adds.
</p><p>
<strong>5. Social media surfing at work</strong>
</p><p>
Employees who surf Facebook, Twitter and a host of other social media
sites can potentially open the door for cyber thieves, because scams
run over social media require less effort from the attacker, and social
media is also a relatively new area of awareness training for employees.
</p><p>
“Think about that ROI from the bad actors’ perspective,” Redmond says.
“Instead of having to send 1,000 emails (to get one hit), I can get them
to my page with one post.”
</p><p>
Social media’s cyber risk is still a topic that employees understand the
least – with an average of 31 percent of questions missed regarding
security awareness on the topic, according to Wombat. However, 76
percent of organizations surveyed enable employees to use social media
on their work devices. This puts organizations at significant risk
considering the lack of understanding in the area.
</p><p>
“I speculate the reason why organizations are doing so poorly is it’s
still fairly relatively new,” says CTO Trevor Hawthorn. “We’re also
seeing a younger workforce. There is a belief in the industry that those
employees will just click on anything. I think there is something to
that.”
</p><br></div>