The 4 Social Engineering Techniques Your Employees Are Still Falling For
10 August 2017 09:47
Security awareness training? Covered. Poster campaigns? Everywhere. Simulated phishing? Done. So how come employees are still falling for the same old social engineering techniques? These are some of the cunning scams that are still fooling your workforce.
Last year, 30% of phishing emails were opened by their intended target and 12% of users proceeded to click on malicious attachments that allowed attackers the opportunity to breach an organisation. But social engineering isn't just a problem that's sticking around -- it's a growing threat.
In 2015, only 23% of users were reported to have opened a phishing email, suggesting that employees are now more susceptible to these attacks. So what techniques are employees still falling for?
We've put together four of the main social engineering techniques facing your employees.
#1 Falling for freebies
Take a look through your endless inbox of marketing emails and you'll find a host of free stuff or 'special offer' discounts. While many of us are sceptical of just how 'special' these offers are, most employees can't resist the temptation of freebies. Problem is -- nothing is ever truly free.
That's exactly why the old social engineering trick of 'Free Software' is still in use, and why employees are still falling for it. The software on offer may genuinely be available for free. The risk comes from visiting the harmful website that hosts it, which can result in the user downloading infected or compromised software.
Your employees can be even more at risk when visiting sites that are offering 'bundling' software, which means that they may have to download added software that they don't even need, just to acquire the one they want.
Encourage your employees to check if your company has already licensed the software. If not, then visiting the software vendor's website is a simple yet effective way of making sure that they are indeed offering this software, and that you're downloading from a legitimate source.
#2 "But it looked real?!"
Perhaps the more obvious technique (yet one that is still fooling employees far too often) is the work-related email that looks real or official. Subject lines are crucial to these emails, with "Attached Invoice", "Here's the file you needed" and "Look at this CV" being some of the more successful examples.
Although fraudulent work-related emails are tricky to spot, 'consumer' emails about topics such as card notifications or social networking accounts can be just as harmful to your company. If an employee clicks on an email asking them to reset the password for a personal account, chances are they won't look closely at where the email came from, which can result in their computer being infected or taken over.
A quick and easy method of checking the authenticity of an email is for the user to simply hover their cursor over the email address of the sender before clicking on any link.
The risk of an employee exchanging sensitive information as a result of this type of social engineering can also be reduced with a secure file transfer system, so you know where a file has come from and whether it has been vetted. Users should also be made aware that any file asking the recipient to enable 'macros' should be reported, as this can lead to a system takeover.
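The checks described above (look at the real sender address rather than the display name, treat the lure subject lines as a signal, and report any attachment that would ask for macros) can be automated in a mail-filtering or triage script. The following is an added example, not code from the original article: it assumes the organisation's own mail domain is example.com, builds three constructed sample messages, and returns a list of findings for each so a helpdesk or SOC analyst can decide what to report.

```python
"""Header and attachment checks for the email lures described in #2.

Added example, not from the original article. Assumes the organisation's
mail domain is example.com; every message below is constructed for the demo.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
# Macro-enabled Office extensions: a file asking to 'enable macros' should be reported.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
# Subject lines the article names as the most successful lures.
LURE_SUBJECTS = ("attached invoice", "here's the file you needed", "look at this cv")


def domain_of(address):
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def assess_message(raw, org_domains=ORG_DOMAINS):
    """Parse a raw RFC 5322 message and return findings (empty list = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # The 'hover over the sender' check: the display name claims to be the
    # organisation, but the actual address belongs to another domain.
    name_claims_org = any(d.split(".")[0] in display_name.lower() for d in org_domains)
    if name_claims_org and from_domain not in org_domains:
        findings.append(f"display name '{display_name}' but sender domain '{from_domain}' is external")

    # Replies going somewhere other than the apparent sender are a classic sign.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    subject = msg.get("Subject", "").strip().lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        findings.append(f"subject '{msg['Subject']}' matches a known lure")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment '{name}' (report it; do not enable macros)")
    return findings


def build_message(from_header, subject, body, attachment_name=None, reply_to=None):
    """Build a constructed sample message and return it serialised as bytes."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "staff@example.com"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder attachment bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: two lures of the kinds described in the article, one genuine mail.
SAMPLES = {
    "invoice_lure": build_message(
        '"Accounts Payable - Example Corp" <billing@mail-examp1e.net>',
        "Attached Invoice", "Please see the attached invoice.",
        attachment_name="invoice.docm"),
    "password_reset": build_message(
        '"Example Corp IT" <noreply@example.com>',
        "Reset your password", "Click the link below to reset your password.",
        reply_to="helpdesk@exa-mple-support.net"),
    "genuine": build_message(
        '"A Colleague" <colleague@example.com>',
        "Minutes from today", "Attached are the meeting minutes.",
        attachment_name="minutes.docx"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", assess_message(raw) or ["no findings"])
```

The display-name test is deliberately simple (it looks for the organisation's name in the display name); a production filter would compare against the directory of known employees and executives, which is exactly the data the LinkedIn scam in #4 is trying to harvest.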
#3 Surfing social media during work
The door can be widely opened for cyber criminals when employees choose to browse Facebook, Twitter and other social platforms during work. One of the main reasons for this is that many employees are unaware of the potential risks that come from what is, for most of us, a daily activity. Add to that the lack of security awareness training focusing on social media use, and you have a recipe for a successful attack.
The rising trend of mobile workforces has also seen an increase in the use of social platforms on company devices, resulting in a further increase in significant risks to an organisation.
#4 Accepting fake LinkedIn invitations
One of the most recent scams growing in popularity is the introduction of fraudulent employee accounts on LinkedIn, which are used for information gathering. For instance, someone creates a fake LinkedIn account posing as a known member of your organisation (usually, somebody within a project team or company executive). The fraudster connects with a user in your organisation, then starts to communicate via message.
For an employee, having a company executive connect with them and ask for company-related details can mean that any suspicions are overshadowed by this perceived sense of importance and urgency. The danger is that the employee unwittingly hands sensitive information to a cyber criminal, who then uses it in a broader campaign to target the company through spear-phishing.
Given the high volume of connection requests we receive via LinkedIn, it can be difficult to avoid accepting fake accounts. One step that can be taken is to encourage employees to email the work address of the person they have connected with in their organisation, should that individual be asking for information.