[BreachExchange] Five social engineering scams employees still fall for

Wed Sep 21 17:42:07 EDT 2016

http://www.csoonline.com/article/3121791/social-engineering/five-social-engineering-scams-employees-still-fall-for.html

You’ve trained them. You’ve deployed simulated phishing tests. You’ve
reminded your employees countless times with posters and games and emails
about avoiding phishing scams. Still, they keep falling for the same ploys
they’ve been warned about for years. It’s enough to drive security teams to
madness.

According to Verizon’s 2016 Data Breach Investigation Report, 30 percent of
phishing messages were opened by their intended target, and about 12
percent of recipients went on to click the malicious attachment or link
that enabled the attack to succeed. A year earlier, only 23 percent of
users opened the email, which suggests that employees are getting worse at
identifying phishing emails -- or the bad guys are finding more creative
ways to outsmart users.

The consequences of a security breach caused by human error are bigger than
ever. For starters, the No. 1 inflection point for ransomware is through
phishing attacks, says Stu Sjouwerman, founder and CEO of KnowBe4. What’s
more, a handful of competing cyber mafias “are casting their nets wider and
wider,” with more scams to more users, to attract more hits, he says.

A single ransomware cyber mafia was able to collect $121 million in
ransomware payments during the first half of this year, netting $94 million
after expenses, according to McAfee Labs’ September 2016 Threats Report.
Total ransomware increased by 128 percent during the first half of 2016
compared to the same period last year. There were 1.3 million new
ransomware samples recorded, the highest number since McAfee began tracking
it.

One look at the top five social engineering scams that employees still fall
for, and it’s not hard to see their appeal. Sjouwerman calls them the seven
deadly social engineering vices that most employees share: Curiosity,
courtesy, gullibility, greed, thoughtlessness, shyness and apathy.

Human nature may be to blame for many security breaches, but there are ways
to help employees shed their bad habits and avoid these scams.

*1.‘Well it looked official’ *

Official-looking emails that appear to be work related – with subject lines
such as “Invoice Attached,” “Here’s the file you needed,” or “Look at this
resume” -- still have employees stumped, experts say.

A survey by Wombat Technologies found that employees were more cautious
when receiving “consumer” emails regarding topics like gift card
notifications, or social networking accounts, than they were with seemingly
work-related emails. A subject line that read, “urgent email password
change request,” had a 28 percent average click rate, according to the
report.

“Most people are not going to look really closely to know where that email
came from, and they click on it and their machine may be taken over by
somebody, or infected,” says Ronald Nutter, online security expert and
author of *The Hackers Are Coming, How to Safely Surf the Internet*.

“Especially when you’re exchanging files with subcontractors or partners on
a project, you really should be using a secure file transfer system so you
know where the file came from and that it’s been vetted.” He also cautions
recipients to be wary of any file that asks the user to enable macros,
which can lead to a system takeover.

In the absence of a secure file transfer system, users should hover their
cursor over email addresses and links before they click to see if the
sender and type of file are legitimate, he adds.

*2. ‘You missed a voicemail!’*

Scammers have been trying to install malicious software through emails
designed to look like internal voicemail service messages since 2014.
Businesses often have systems set up to forward audio files and messages to
employees, which is convenient but hard for users to discern as a phishing
hoax.

Today, “The voicemail is a spoofed Microsoft or Cisco kind of voicemail,”
Sjouwerman says. “They go to their in-box and there is a voicemail, but
they missed it and then open the attachment. [Spoofers] can catch
practically anyone with that,” and not just the accounting department where
invoice scams are sent, he adds.

*3. Free stuff*

Most employees can’t resist free stuff – from pizza to event tickets to
software downloads – and they’ll click on just about any link to get it,
phishing experts say.

“Nothing is truly ever free,” Nutter says. “We’re starting to see again
where you’ll get a link saying, ‘Here’s free software.’ It could be
something that’s actually out there already for free, but they’re sending
you through their website, which means you may be getting infected or
compromised software.”

Adding to the danger, “A lot of these download sites are bundling
[software], and you also have to download something else that you don’t
even want,” Nutter adds. “If it compromises your security setup, now you’ve
just opened Pandora’s box.”

He recommends first checking to see if your organization has already
licensed the software, or if it’s truly free software, then go directly to
the software vendor’s website to download.

*4. Fake LinkedIn invitations and Inmail*

One of the commonly repeated scams that Proofpoint is seeing involves
fraudulent employee accounts on LinkedIn that are being used for
information gathering, says Devin Redmond, vice president and general
manager of digital security and compliance.

For instance, someone creates a fake LinkedIn account posing as a known
member of a project team or even a company executive. “It looks very
legitimate and that person does work for the organization. [The imposter]
connects with you, you accept and they start communicating with you,”
Redmond says. “As the employee, if it’s an executive account that you’re
linked to, you’re happy and excited that this executive is communicating
with you, and you start to, unknowingly, give information that’s sensitive
or private to the organization.” Meanwhile, the information is being used
as a broader campaign to gather sensitive information on the company.

Redmond suggests that if a colleague asks to connect on any social network,
then email their legitimate work address and ask if they’ve requested to
connect with you. “It’s an easy way to keep yourself out of hot water,” he
adds.

*5. Social media surfing at work*

Employees who surf Facebook, Twitter and a host of other social media sites
can potentially open the door for cyber thieves because the scams require
less work for them, and it’s also a relatively new area of awareness
training for employees.

“Think about that ROI from the bad actors’ perspective,” Redmond says.
“Instead of having to send 1,000 emails (to get one hit), I can get them to
my page with one post.”

Social media’s cyber risk is still a topic that employees understand the
least – with an average of 31 percent of questions missed regarding
security awareness on the topic, according to Wombat. However, 76 percent
of organizations surveyed enable employees to use social media on their
work devices. This puts organizations at significant risk considering the
lack of understanding in the area.

“I speculate the reasons why organizations are doing so poorly is it’s
still fairly relatively new,” says CTO Trevor Hawthorn. “We’re also seeing
a younger workforce. There is a belief in the industry that those employees
will just click on anything. I think there is something to that.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160921/757483d5/attachment.html>