By Samantha Woollard (Internet Security Specialist) 13 March 2017
After countless employee security awareness programs, presentations, videos, posters and weekly newsletters, are there still successful social engineering scams running riot in your company?
Last year 30% of phishing emails were opened and 12% of employees clicked and downloaded the malicious attachment. In 2015, only 23% of emails were opened. Does that mean that employees are getting worse at identifying phishing scams? No.
Attackers are becoming evermore creative in how to attract users and sadly, in the end, outsmarting your employees. They prey on people’s curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy; dubbed the seven deadly social engineering sins.
Below are the top social engineering scams that employees are falling for at the moment. So lets make everyone aware to stop this from ruining 2017 for your business.
1. FREE STUFF
Offering something for free be it food, devices, concert tickets, it is guaranteed to awaken the greed inside us. Some people will click on just about anything for free pizza. If the email is suggesting free software, it may already be free. Check out the vendors’ websites instead. In general, do not succumb to emails giving away anything for free.
2. Social Media Cramming At Work
Social media has aided hackers in spreading scams into businesses as many employees use their work machine or network to view their Facebook feed or send a daily tweet via Twitter. Messages from friends that contain malicious links is a popular way for an attacker to try to gain your trust. So don’t click anything you are not expecting. Verify with your friend that it is from them so you don’t fall into this trap. For businesses, it is also a new area to introduce in security awareness training. Although, many companies are not aware of the dangers themselves and it is estimated that 76% of businesses allow their employees to use social media on their work machine.
3. Work-Related Email Scams
Official looking emails from hackers can sometimes be one of the reasons employees’ thoughtlessness clicking results in the installation of dangerous malware. Popular email subjects that trick users are “Invoice Attached”, “Urgent Password Change Request” and “Here’s that file you need”. Spying that email subject, it seems important and something you may have requested from a colleague, and within seconds, malware is installed. Another thing to be on the look out for, is if the file you are downloading asks to “Enable macros”; this can lead to a system takeover. If in doubt about a received email, hover over the sender’s email to see if it is legitimate or not.
4. Fake LinkedIn Accounts
The company executive has added you on LinkedIn, and you are excited but nervous about why or what they are going to ask. You add them and he asks you company specific questions and you both begin discussing private information that should not be spoke of outside the company walls. Turns out, the person you are actually divulging all this sensitive information to is not the executive but actually an impostor, a hacker disguising as the executive to accumulate as much of the company’s secrets as possible. It has recently been a popular way used by attackers for information gathering. Always verify colleagues and higher management LinkedIn accounts by email.
5. Missed Voicemails
This is a rather crafty creative idea which is very hard for users to distinguish as a scam. Hackers hide malware in email messages modified to appear like a missed voicemail. The same with other phishing schemes, if the user clicks and downloads the attachment (voicemail) then the malware will be installed.
Relax. Your security is Intact.
Author: Intact Security
