You’ve trained them. You’ve deployed simulated phishing tests. You’ve reminded your employees countless times with posters and games and emails about avoiding phishing scams. Still, they keep falling for the same ploys they’ve been warned about for years. It’s enough to drive security teams to madness.
According to Verizon’s 2016 Data Breach Investigations Report, 30 percent of phishing messages were opened by their intended target, and about 12 percent of recipients went on to click the malicious attachment or link that enabled the attack to succeed. A year earlier, only 23 percent of users opened the email, which suggests that employees are getting worse at identifying phishing emails -- or the bad guys are finding more creative ways to outsmart users.
The consequences of a security breach caused by human error are bigger than ever. For starters, the No. 1 inflection point for ransomware is through phishing attacks, says Stu Sjouwerman, founder and CEO of KnowBe4. What’s more, a handful of competing cyber mafias “are casting their nets wider and wider,” with more scams to more users, to attract more hits, he says.
A single ransomware cyber mafia was able to collect $121 million in ransomware payments during the first half of this year, netting $94 million after expenses, according to McAfee Labs’ September 2016 Threats Report. Total ransomware increased by 128 percent during the first half of 2016 compared to the same period last year. There were 1.3 million new ransomware samples recorded, the highest number since McAfee began tracking it.
One look at the top five social engineering scams that employees still fall for, and it’s not hard to see their appeal. Sjouwerman says they play on what he calls the seven deadly social engineering vices that most employees share: curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy.
Human nature may be to blame for many security breaches, but there are ways to help employees shed their bad habits and avoid these scams.
1. ‘Well it looked official’
Official-looking emails that appear to be work related – with subject lines such as “Invoice Attached,” “Here’s the file you needed,” or “Look at this resume” -- still have employees stumped, experts say.
A survey by Wombat Technologies found that employees were more cautious when receiving “consumer” emails regarding topics like gift card notifications, or social networking accounts, than they were with seemingly work-related emails. A subject line that read, “urgent email password change request,” had a 28 percent average click rate, according to the report.
“Most people are not going to look really closely to know where that email came from, and they click on it and their machine may be taken over by somebody, or infected,” says Ronald Nutter, online security expert and author of The Hackers Are Coming, How to Safely Surf the Internet.
“Especially when you’re exchanging files with subcontractors or partners on a project, you really should be using a secure file transfer system so you know where the file came from and that it’s been vetted.” He also cautions recipients to be wary of any file that asks the user to enable macros, which can lead to a system takeover.
In the absence of a secure file transfer system, users should hover their cursor over email addresses and links before they click to see if the sender and type of file are legitimate, he adds.
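The hover check and the macro warning described above can also be run mechanically over a message. The following is an added example, not code from the article or from anyone quoted in it; the function names, the sample message and its domains are constructed for illustration.

```python
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):  # records [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def host_of(text):  # hostname if text reads like a URL or bare domain, else None
    try:
        host = urlparse(text if "://" in text else "//" + text).hostname
    except ValueError:  # malformed brackets and similar
        return None
    return host if host and "." in host and " " not in text else None

def review_message(msg):
    """List what a careful reader would notice by hovering before clicking."""
    findings = []
    for a in (msg["From"].addresses if msg["From"] else ()):
        shown = host_of(a.display_name.rpartition("@")[2])
        if "@" in a.display_name and shown and shown != a.domain.lower():
            findings.append(f"sender shows {shown} but address is {a.addr_spec}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith((".docm", ".xlsm", ".pptm")):
            findings.append(f"macro-capable attachment: {name}")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown, real = host_of(text.strip()), host_of(href.strip())
                if shown and real and shown != real:
                    findings.append(f"link shows {shown} but opens {real}")
    return findings

SAMPLE = EmailMessage()  # constructed sample; every name and domain is made up
SAMPLE["From"] = '"it-helpdesk@example.com" <notice@mail.invalid>'
SAMPLE.set_content('<a href="http://example.net/r">example.com</a>', subtype="html")
SAMPLE.add_attachment("stub", filename="Invoice.docm")  # stub body, name only
```

The host comparison is deliberately exact, so a `www.` variant or a link rewritten by a mail gateway is flagged as well and needs a human look.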
2. ‘You missed a voicemail!’
Scammers have been trying to install malicious software through emails designed to look like internal voicemail service messages since 2014. Businesses often have systems set up to forward audio files and messages to employees, which is convenient but makes a phishing hoax hard for users to discern.
Today, “The voicemail is a spoofed Microsoft or Cisco kind of voicemail,” Sjouwerman says. “They go to their in-box and there is a voicemail, but they missed it and then open the attachment. [Spoofers] can catch practically anyone with that,” and not just the accounting department where invoice scams are sent, he adds.
3. Free stuff
Most employees can’t resist free stuff – from pizza to event tickets to software downloads – and they’ll click on just about any link to get it, phishing experts say.
“Nothing is truly ever free,” Nutter says. “We’re starting to see again where you’ll get a link saying, ‘Here’s free software.’ It could be something that’s actually out there already for free, but they’re sending you through their website, which means you may be getting infected or compromised software.”
Adding to the danger, “A lot of these download sites are bundling [software], and you also have to download something else that you don’t even want,” Nutter adds. “If it compromises your security setup, now you’ve just opened Pandora’s box.”
He recommends first checking to see if your organization has already licensed the software, or if it’s truly free software, and then going directly to the software vendor’s website to download it.
4. Fake LinkedIn invitations and InMail
One of the commonly repeated scams that Proofpoint is seeing involves fraudulent employee accounts on LinkedIn that are being used for information gathering, says Devin Redmond, vice president and general manager of digital security and compliance.
For instance, someone creates a fake LinkedIn account posing as a known member of a project team or even a company executive. “It looks very legitimate and that person does work for the organization. [The imposter] connects with you, you accept and they start communicating with you,” Redmond says. “As the employee, if it’s an executive account that you’re linked to, you’re happy and excited that this executive is communicating with you, and you start to, unknowingly, give information that’s sensitive or private to the organization.” Meanwhile, the information is being used as part of a broader campaign to gather sensitive information on the company.
Redmond suggests that if a colleague asks to connect on any social network, then email their legitimate work address and ask if they’ve requested to connect with you. “It’s an easy way to keep yourself out of hot water,” he adds.
5. Social media surfing at work
Employees who surf Facebook, Twitter and a host of other social media sites can potentially open the door for cyber thieves, because scams there require less work from the attackers and social media is still a relatively new area of awareness training for employees.
“Think about that ROI from the bad actors’ perspective,” Redmond says. “Instead of having to send 1,000 emails (to get one hit), I can get them to my page with one post.”
Social media’s cyber risk is still a topic that employees understand the least – with an average of 31 percent of questions missed regarding security awareness on the topic, according to Wombat. However, 76 percent of organizations surveyed enable employees to use social media on their work devices. This puts organizations at significant risk considering the lack of understanding in the area.
“I speculate the reasons why organizations are doing so poorly is it’s still fairly relatively new,” says CTO Trevor Hawthorn. “We’re also seeing a younger workforce. There is a belief in the industry that those employees will just click on anything. I think there is something to that.”