5 old and 4 new social engineering tricks that Employees fall for

Blame it on pandemic fatigue, remote work, or simply too much information, but employees seem to be letting their guard down when it comes to spotting social engineering tricks. According to Proofpoint, attackers were more successful in their social engineering schemes last year than a year earlier.

According to a survey of 3,500 experts, in 2021, more than 80% of organizations were subjected to a successful email phishing attack. This is 46% more than in 2020, writes the CSO publication.

"A lot of people, especially today, when it's easy to get distracted by ambient noise, operate on autopilot just by going through the motions," says Kevin Beaver, chief consultant at security firm Principle Logic. "The bad guys know they have the upper hand."

A study conducted by researchers from Stanford University found that about 88% of all data leaks are caused by employee error. Almost half of employees (45%) identified distraction as the main reason they fell for phishing, and 57% of remote employees admit that they are more distracted when working from home. The main reasons for clicking on phishing emails are the perceived legitimacy of the email or the fact that it appears to have come from a senior executive or a well-known brand.

In 2021, Proofpoint detected about 15 million phishing messages containing malware that were directly linked to later-stage ransomware. According to Sophos, the average total cost of recovering from a ransomware attack in 2021 reached $1.85 million.

Why do employees still fall for the same old tricks? In 2016, KnowBe4 CEO Stu Sjouwerman called them the seven deadly social engineering vices, and most employees still share them: curiosity, politeness, gullibility, greed, frivolity, shyness, and apathy.

5 old social engineering tricks

Security experts say employees are still falling for these five old social engineering tricks, and they warn of four new scams that add a twist to these old tricks.

1. Official email

Who can resist opening an email purportedly sent by your company's CEO with the subject line "You were mentioned in this document" and a link to "Employee Promotions and Promotions in 2022"? "Yes, people are still coming across these official-looking emails where the messages appear to have been sent by a legitimate source or a person you know," says John Wilson, senior fellow for threat research at Agari by HelpSystems. Wilson recently had just such a phishing attempt land in his inbox, but he was ready for it.

In such attempts, "the bad guys try to phish credentials," he says. In this case, to open the document, "it wants you to log in again using your Office 365 credentials. If they make it juicy enough, people will open it."

Regardless of the bait offered, the lesson here is: "There's no good reason why you'll have to log in again to open something," he says. Wilson also suggests using a password manager, which will only fill in your credentials if you are on the genuine website.

2. "Here's a free flash drive"

In January, the FBI warned U.S. businesses about fake packages mailed through the U.S. Postal Service and UPS, which in some cases posed as the Department of Health and Human Services and offered information about COVID-19, and in others as Amazon. Both included a USB drive loaded with malicious software.

According to the FBI, if the USB drive had been inserted into the computer, it could have given the hacker group access to the organization's network to deploy the ransomware. It's unclear if any of the firms were compromised as a result of the incidents, but it's a reminder that old social engineering techniques persist.

3. Office Gift Card Fraud

One of the most common, if not the most effective, social engineering techniques that are still circulating is gift card fraud, when it seems that an email comes from a company executive asking for help. Usually, the story goes like this: a manager needs gift cards to encourage staff, "and it's a surprise, so don't tell anyone," says Wilson. The goal is to get an employee to buy cards, scrape off the silver coating that covers the codes, and then email a photo of the back of the cards.

"I would say that 1 in 100 [employees] will respond the first time. It's unclear if anyone will go and get a gift card," says Wilson, but his team has logged about 10,300 incidents since January 2019 and sees hundreds of such phishing attempts in data across its customer base every day. "It's still happening, so someone is falling for it," he says.

4. "You have a voice message"

Emails that claim to carry an internal voice message but actually carry malware have resurfaced in recent months, Wilson says, and some employees are still succumbing to them. "It goes on forever. It's just a good bait because you want to get your email out," he says. "The effectiveness of this depends on who is on the receiving end and on their department. The engineer won't answer your voicemail, but if you're in sales and you think the voicemail might be an order or a potential customer, you can open it."

Recipients should ask themselves if their company uses a system that sends voice mail via email. If this is the case, always hover over the email address to make sure it's from a known sender, says Wilson.

5. "There was a problem with the delivery of the parcel"

Fake parcel delivery notifications have evolved and flourished for more than 15 years, says Chester Wisniewski, principal research scientist at Sophos. These phishing attempts come in many variations: some are designed to charge you bogus fees or customs duties, while others are simply phishing attacks designed to get you to "log in using your email to track a parcel" and steal your credentials. "This will often adapt to the recipient's region and will spoof global logistics brands like DHL, UPS or FedEx," he adds.

4 new pitfalls of social engineering

There's never a shortage of new social engineering scams, but here are four of the most common, egregious, or dangerous new tricks that play on the old vices.

1. "Here are your legal documents from DocuSign"

A popular social engineering technique, especially with the onset of the COVID-19 pandemic, is malware disguised as a request to sign legal documents via DocuSign. "Presumably, more and more legal forms are being digitally signed these days," Wisniewski says. "They will prompt you to install some kind of plugin, which is actually computer malware, to continue viewing the intended document."

2. Fraud with "AR aging reports"

In this scam, an employee who usually handles accounts receivable receives an email purporting to be from a company executive. The message says that the executive wants to review the company's outstanding accounts receivable and asks the recipient to "please send our latest AR aging report," which includes a list of all customers who owe money and the number of late payments. The attackers then register a domain name that looks like the company's own domain and attack everyone on that list, Wilson says.

"The attackers know how much is due, when it is due, the terms of payment, and then say: 'We will only accept ACH payments to this account number in the future.' Unfortunately, since all the information matches, the customers agree." By all accounts, this trick has been quite effective, says Wilson. "The fraud is especially dangerous because it's not your company that's being harmed, but all of your customers."
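Both Wilson's advice to hover over the sender address and the lookalike domain at the heart of the AR aging report scam come down to the same check: does this domain merely resemble one we trust? The following is an added example, not code from the article or from any vendor quoted in it; the trusted domains, the confusable-character list and the sample addresses are constructed for illustration.

```python
# Trusted domains and confusable substitutions are constructed assumptions for
# this example; extend both from your own environment and real incidents.
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Lower-case a domain and undo common look-alike character substitutions."""
    d = domain.strip().lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for a From: address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        # Same spelling after undoing substitutions, or only a few characters
        # apart (lower max_distance for very short trusted domains).
        if norm == normalize(t) or edit_distance(norm, normalize(t)) <= max_distance:
            return f"lookalike:{t}"
        # Trusted name embedded in an unrelated domain (example.com.evil.test),
        # as opposed to a genuine subdomain such as mail.example.com.
        if t in domain and not domain.endswith("." + t):
            return f"lookalike:{t}"
    return "unknown"


# Constructed From: addresses, as seen when hovering over the sender name.
SAMPLE_SENDERS = ["ceo@example.com", "ceo@examp1e.com", "ar@exarnple.com",
                  "billing@example.com.evil.test", "it@mail.example.com", "news@unrelated.test"]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:32} {classify_sender(sender)}")
```

Anything classified as a lookalike is a candidate for quarantine or a warning banner; the same function can be run over the customer list in an AR aging report to spot newly registered imitations of your own domain before customers are contacted.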

3. "You have a problem with your bank account. Click here to resolve the issue"

Cybercriminals use phishing emails to convince the target that there is a problem with their bank account, email account, or other important account. The email contains a link that supposedly lets the target resolve the urgent problem. Clicking on the link opens a web browser window, which then takes them to the login page for that account. The victim enters their credentials, then receives the expected prompt for the MFA code, which they also enter. The victim sees nothing wrong with the account, assumes the problem message was an error, and closes the browser window or tab they used to log in.

"This is a new and complex way to bypass improved security features (such as multi-factor authentication) using the old reliable techniques of social engineering," says Erich Kron, security awareness advocate at KnowBe4. Many organizations have learned to identify the reverse proxy servers used for this, which makes the work of cybercriminals more difficult, adds Kron. "However, cybercriminals have fought back."

4. Phishing on the phone

There are new types of phone fraud. The malware, known as BazarLoader, impersonates brands like Amazon to convince you that you are being charged hundreds of dollars for a subscription. If you want to cancel, you need to call the phone number to talk to a representative. Criminals run real call centers, where they instruct you over the phone how to download malware and run it on your computer. Other variations of this include similar decoys to cancel streaming video services or magazines.

"These attacks will never go away; we just need to try to remain vigilant and alert others when we spot a scam doing the rounds," says Wisniewski. Security teams should make it easy for employees to report that they were tricked, "and make it clear that employees won't get in trouble for it."

Author: Stacy Collett