Top 5 Social Engineering Scams That Employees Fall For!

Posted on by Martin Quinn in Security Blog Leave a comment

By Samantha Woollard (Internet Security Specialist) 13 March 2017

After countless employee security awareness programs, presentations, videos, posters and weekly newsletters, are there still successful social engineering scams running riot in your company?

Last year 30% of phishing emails were opened and 12% of employees clicked and downloaded the malicious attachment. In 2015, only 23% of emails were opened. Does that mean that employees are getting worse at identifying phishing scams? No.

Attackers are becoming evermore creative in how to attract users and sadly, in the end, outsmarting your employees. They prey on people’s curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy; dubbed the seven deadly social engineering sins.

Below are the top social engineering scams that employees are falling for at the moment. So lets make everyone aware to stop this from ruining 2017 for your business.

Offering something for free be it food, devices, concert tickets, it is guaranteed to awaken the greed inside us. Some people will click on just about anything for free pizza. If the email is suggesting free software, it may already be free. Check out the vendors’ websites instead. In general, do not succumb to emails giving away anything for free.

2. Social Media Cramming At Work
Social media has aided hackers in spreading scams into businesses as many employees use their work machine or network to view their Facebook feed or send a daily tweet via Twitter. Messages from friends that contain malicious links is a popular way for an attacker to try to gain your trust. So don’t click anything you are not expecting. Verify with your friend that it is from them so you don’t fall into this trap. For businesses, it is also a new area to introduce in security awareness training. Although, many companies are not aware of the dangers themselves and it is estimated that 76% of businesses allow their employees to use social media on their work machine.

3. Work-Related Email Scams
Official looking emails from hackers can sometimes be one of the reasons employees’ thoughtlessness clicking results in the installation of dangerous malware. Popular email subjects that trick users are “Invoice Attached”, “Urgent Password Change Request” and “Here’s that file you need”. Spying that email subject, it seems important and something you may have requested from a colleague, and within seconds, malware is installed. Another thing to be on the look out for, is if the file you are downloading asks to “Enable macros”; this can lead to a system takeover. If in doubt about a received email, hover over the sender’s email to see if it is legitimate or not.

4. Fake LinkedIn Accounts
The company executive has added you on LinkedIn, and you are excited but nervous about why or what they are going to ask. You add them and he asks you company specific questions and you both begin discussing private information that should not be spoke of outside the company walls. Turns out, the person you are actually divulging all this sensitive information to is not the executive but actually an impostor, a hacker disguising as the executive to accumulate as much of the company’s secrets as possible. It has recently been a popular way used by attackers for information gathering. Always verify colleagues and higher management LinkedIn accounts by email.

5. Missed Voicemails
This is a rather crafty creative idea which is very hard for users to distinguish as a scam. Hackers hide malware in email messages modified to appear like a missed voicemail. The same with other phishing schemes, if the user clicks and downloads the attachment (voicemail) then the malware will be installed.

Relax. Your security is Intact.

Author: Intact Security


Why Your Security Depends On Your Employees

Posted on by Martin Quinn in Security Blog Leave a comment

By Samantha Woollard (Internet Security Specialist) 23 January 2017

It may be a surprise that 59% of breaches within a company happen due to employees. This is not because all your employees are turning against you, (perhaps some), but due to a lack of awareness about information security.

With more than half of employees stating that they connect personal devices to their work computer and one in ten owning up to downloading software onto their work computer, it is easy to see how the percentage of breaches is so high. Connecting devices not related to work and downloading unknown content greatly expands your attack surface which makes your company increasingly vulnerable.

Security awareness within the company involves everyone, including top management, and should be one of the top priorities for all companies. By putting policies and procedures in place, all employees can be informed of their roles within the security of the company. Promoting security in the work place and having regular training sessions, especially for new employees, can help detect threats and avoid any potential consequences of them. Important topics during training sessions are:

Backing up of files
Employees should be involved in preventing loss of information. Even if the information is backed up on a regular basis, it is useful that they too have a daily back up.

Be aware of phishing attacks
Anything that is at all out of the blue, such as links in messages, attachments, emails etc, should not be opened. Even if the sender is known, their machine could have been compromised. Most phishing attempts are sent via email and if clicked on, can result in the installation of malware, redirection to unknown sources etc.

Keeping strong passwords
Passwords should contain at least ten characters, of at least three different types such as upper case, lower case, numbers and symbols. No dictionary words, usernames or names should be used. By using sentences that are easy to remember this can oppose password cracking attempts from attackers. Different passwords should be used for both personal and work accounts and setting up two-factor authentication can also greatly decrease the risk of a compromise.

Keeping a clean machine
Ensure there is a policy on what employees can and can not download. Unknown programs can contain malware which can result in the loss of data, money and open your company to attack.

Physical & desktop security
All file cabinets and desk drawers should be locked in case of theft. When a machine is left for any specific period of time, the screen should be locked. Attackers can install key loggers to track what a user has typed, which can lead to stolen passwords.

Software updating & patching
Having all the correct software, e.g anti-virus and anti-malware, running to protect each machine is a good step in preventing infections. However, it was reported that over half (51%) of employees do not know how to update anti-virus protection, which can result in new variants of malware going unnoticed. Also other software the company uses requires regular updates to patch any recent vulnerabilities that have been fixed.

Stay alert & report strange activity
Encourage employees to speak up about anything peculiar happening on their machine and flag any suspicious behaviour such as phishing emails.

Training sessions can be performed in various ways, such as class-like lectures, videos and Q&A discussions. To make the process of educating employees beneficial and ensuring the information was absorbed, have mini quizzes after each session. Try to not bombard them with too much, as this can have the opposite affect to what you intended.

Security awareness is a critical element to your company’s security, and if implemented correctly, can prevent and protect your systems from potential attacks.

Relax, your Security is Intact.

Author: Intact Security