Blame pandemic fatigue, remote work, or just too much information, but employees seem to let their guard down when it comes to detecting social engineering tricks. According to Proofpoint, the attackers were more successful with their social engineering schemes last year than they were a year earlier. According to a survey of 3,500 professionals, more than 80% of organizations experienced a successful email-based phishing attack in 2021. This is a 46% increase over 2020.
“So many people, especially today with all the distractions and noise in the world, use autopilot, just going through the motions,” says Kevin Beaver, principal consultant at security firm Principle Logic. “Their subconscious has taken control of what are often critical decisions. The bad guys know they have the upper hand.”
A study by Stanford University researchers found that approximately 88% of all data breaches are caused by employee error. Nearly half of employees (45%) cited distraction as the main reason for falling for a phishing scam, and 57% of remote workers admit to being more distracted when working from home. The main reasons phishing emails get clicked are the perceived legitimacy of the email or the fact that it appeared to come from a senior executive or a well-known brand.
The consequences of a breach caused by human error are greater than ever. Proofpoint identified nearly 15 million phishing messages in 2021 with malware payloads that were directly linked to ransomware at a later stage. And the average total cost of recovery from a ransomware attack reached $1.85 million in 2021, according to Sophos.
Why do employees keep falling for the same old tricks? KnowBe4 CEO Stu Sjouwerman called them the seven deadly vices of social engineering in 2016, and most employees still share them today: curiosity, courtesy, gullibility, greed, recklessness, shyness and apathy.
5 old social engineering tricks
Security awareness experts say employees keep falling for these five old social engineering tricks, and they warn of four new scams that add a twist to these oldies but goodies.
1. Official-looking email
Who could resist opening an email that appears to come from your company’s CEO with the subject “You’ve been mentioned in this document” and a link titled “Employee Increases and Promotions 2022”? Yes, people keep falling for that official-looking email, where the message appears to come from a legitimate source or from a person you know, says John Wilson, a threat researcher at Agari by HelpSystems. Wilson recently received the same phishing attempt, but he recognized the bait.
In attempts like these, “the bad guys are trying to phish credentials,” he says. In this case, to open the document, “it wants you to log in again with your Office 365 credentials. If they make it juicy enough, people will open it.”
Regardless of the bait offered, the lesson here is, “There’s no good reason you should log in again to open anything,” he says. Wilson also suggests using a password manager, which will only fill in your credentials if you are on the authentic website.
2. “Here’s a free USB stick”
The FBI warned U.S. companies in January of fake letters sent via the U.S. Postal Service and UPS, impersonating the Department of Health and Human Services in some cases (offering information about COVID-19) and Amazon in others. Both included a USB stick loaded with malicious software.
If inserted into a computer, the USB stick could have allowed the hacker group to access an organization’s network and distribute ransomware, the FBI said. It is unclear whether any of the companies were compromised in the incidents, but it is a reminder that the old social engineering tricks remain.
3. The office gift card scam
One of the most prolific, if not the most effective, social engineering tricks still out there is the gift card scam, in which an email appears to come from a company executive asking for assistance. The story usually goes: the executive needs gift cards to reward staff, “and it’s a surprise, so don’t tell anyone,” Wilson says. The goal is to get the employee to buy the cards, scratch off the silver coating covering the codes, then email a photo of the back of the cards.
“I’d say 1 in 100 [employees] will answer the first time. What is unclear is whether anyone is going to send the gift card,” says Wilson, but his team has logged around 10,300 incidents since January 2019 and sees hundreds of these phishing scams every day in their customer base data. “It’s still going, so someone is falling for it,” he says.
4. “You have a voice message”
Malware-laden fake internal voice messages sent by email have resurfaced in recent months, and some employees continue to fall for them, Wilson says. “It has always been going on. It’s just good bait because you want to get your messages,” he says. The effectiveness of this depends on who is on the receiving end and their department. “An engineer won’t answer your voicemail, but if you’re in sales and you think the voicemail might be an order or a potential customer, you might want to open it.”
Recipients should first ask themselves whether their company even uses a system that sends voice messages via email. If so, always hover over the sender’s email address to make sure the message is from a known sender, Wilson says.
5. “There is a problem with the delivery of your package”
Fake package delivery notices have evolved and flourished for more than 15 years, says Chester Wisniewski, principal investigator at Sophos. These phishing scams come in many variations: some are designed to charge you a duty or customs fee, while others are simply phishing pages designed to get you to “log in with your email to track a package” so your credentials can be stolen. “These are often customized based on the recipient’s region and will spoof global logistics brands such as DHL, UPS or FedEx,” he adds.
4 new social engineering tricks
There’s never a shortage of new social engineering scams, but here are four of the most common, flagrant or dangerous new tricks that build on the old vices.
1. “Here are your legal documents from DocuSign”
A popular social engineering trick, especially since the start of the COVID-19 pandemic, is malware disguised as a request to sign legal documents via DocuSign. “Presumably more legal forms are being digitally signed these days,” says Wisniewski. “They will ask you to install some sort of plug-in, which is actually computer malware, to proceed with viewing the alleged document.”
2. The “aged account report” scam
In this scam, an employee, usually in accounts receivable, receives an email claiming to be from a company executive. The message says the executive wants to review the company’s outstanding receivables and asks the recipient to “send our latest AR aging report,” which lists every customer who owes money and how long each payment is overdue. Next, the bad actors create and register a lookalike domain name and email everyone on that list, Wilson says.
“The bad guys know how much is due, when it is due, the payment terms, and then they will say, ‘We will only accept ACH payments to this account number in the future.’ Unfortunately, because all the information matches, the customers go along with it.” By all accounts, the trick has been pretty effective, Wilson says. “The scam is particularly dangerous because the damage is not to your company, but to all your customers.”
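Both the voicemail-by-email advice above (check that the sender address really is a known sender) and the aged-account-report scam (a freshly registered lookalike domain) come down to the same defensive check on the From header. The following is an added example, not code from the article or from Agari; the company domain, the voicemail allowlist and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Assumed defender configuration: the organisation's own domain and the one
# address that legitimately delivers voicemail notifications (both constructed).
COMPANY_DOMAIN = "example.com"
VOICEMAIL_SENDERS = {"voicemail@example.com"}

# Common visual substitutions used in lookalike domains (order matters: "rn" before "m").
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Collapse homoglyph substitutions so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for glyph, real in HOMOGLYPHS.items():
        d = d.replace(glyph, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: catches one- or two-character typosquats the homoglyph map misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN,
                    allowlist: set = VOICEMAIL_SENDERS) -> str:
    """Return a verdict for a From header: allowlisted, internal, lookalike,
    display-name-spoof or external. Evaluated in that order so the strongest
    signal wins."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    if addr in allowlist:
        return "allowlisted"
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"
    # Lookalike: same domain after homoglyph folding, or within two edits of it.
    if normalize(domain) == normalize(company_domain) or levenshtein(domain, company_domain) <= 2:
        return "lookalike"
    # Display name drops the company name but the address is somewhere else entirely.
    if company_domain.split(".")[0] in name.lower():
        return "display-name-spoof"
    return "external"
```

Run the same check over the sender addresses in any payment-instruction email your accounts receivable team receives, and route anything other than "allowlisted" or "internal" to a human before bank details are changed.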
3. “There is a problem with your bank account. Click here to solve the problem”
Cybercriminals are using a phishing email to convince a target that there is a problem with their bank account, email account, or other high-value account. The email contains a link that supposedly helps the target resolve the urgent problem. Clicking the link launches a web browser window, which takes them to a login page for that account. The victim enters their credentials, receives the expected prompt for an MFA code, and enters that too. The victim sees nothing wrong with the account, assumes the problem message was an error, and closes the browser window or tab they used to log in.
“This is a new and complicated way to bypass improved security controls (such as multi-factor authentication) by leveraging old and reliable social engineering tricks,” says Erich Kron, security awareness advocate at KnowBe4. Many organizations have become good at detecting the reverse proxy servers used for this, making it more difficult for cybercriminals to execute, adds Kron. “The cybercriminals reacted, though.”
4. Phishing by phone
New scams have emerged that use the telephone. Malware known as BazarLoader impersonates brands like Amazon to convince you that you are being charged hundreds of dollars for a subscription. To cancel, you must call a phone number and speak to a representative. Criminals run real call centers where they walk you through downloading malware and running it on your computer. Other variations use similar lures about cancelling streaming video services or magazine subscriptions.
“These attacks will never go away; we just have to try to remain vigilant and alert others when we spot a scam,” says Wisniewski. Security teams should make it easy for employees to report when they have been duped “and make it clear that employees are not in trouble.”
Copyright © 2022 IDG Communications, Inc.