Security awareness training? Covered. Simulated phishing? Done. So how come employees are still falling for the same old social engineering techniques?
Last year, 30% of phishing emails were opened by their intended target and 12% of users proceeded to click on malicious attachments that allowed attackers the opportunity to breach an organisation. But social engineering isn't just a problem that's sticking around -- it's a growing threat.
In 2015, only 23% of users were reported to have opened a phishing email, suggesting that employees are now more susceptible to these attacks. So what techniques are employees still falling for?
We've put together seven of the main social engineering techniques facing your employees.
1. Falling for freebies
Take a look through your endless inbox of marketing emails and you'll find a host of free stuff or 'special offer' discounts. While many of us are sceptical of just how 'special' these offers are, most employees can't resist the temptation of freebies. Problem is -- nothing is ever truly free.
That's exactly why the old social engineering trick of 'free software' is still being used, and employees are still falling for it. The software on offer may genuinely be available for free. The risk comes from visiting the harmful website that offers it, which can result in the user downloading infected or compromised software.
Your employees can be even more at risk when visiting sites that are offering 'bundling' software, which means that they may have to download added software that they don't even need, just to acquire the one they want.
Encourage your employees to check if your company has already licensed the software. If not, then visiting the software vendor's website is a simple yet effective way of making sure that they are indeed offering this software, and that you're downloading from a legitimate source.
2. "But it looked real?!"
Perhaps the more obvious one (yet one that is still fooling employees far too often) is the work-related email that looks real or official. Subject lines are crucial to these emails, with "Attached Invoice", "Here's the file you needed" and "Look at this CV" being among the more successful.
Although fraudulent work-related emails are tricky to spot, 'consumer' emails on topics like card notifications or social networking accounts can be just as harmful to your company. If an employee clicks on an email asking them to reset the password for a personal account, chances are that they won't look closely at where the email came from, which can result in their computer being infected or taken over.
A quick and easy check of an email's authenticity is for the user to hover the cursor over the sender's name to reveal the actual email address it came from, before clicking on any link.
The risk of an employee handing over sensitive information as a result of this type of social engineering can also be reduced by using a secure file transfer system, so you know where a file has come from and whether it has been vetted. Users should also be made aware that any file asking the recipient to enable 'macros' should be reported, as this can lead to a system takeover.
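The two checks above (does the sender's real address match who the email claims to be from, and does a link actually go where its text says?) can be automated on the raw message. This is an added example, not code from the original article; the sample email and the domains in it are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): the display name carries a
# plausible internal address, the real sender is another domain, and the visible link
# text points somewhere other than the href the browser would actually open.
SAMPLE_EMAIL = """\
From: "Finance Team - finance@example.com" <billing-notice@mail-example.net>
To: employee@example.com
Subject: Attached Invoice
Content-Type: text/html

<p>Please review the attached invoice here:
<a href="http://invoice-portal.mail-example.net/login">https://portal.example.com/invoices</a></p>
"""

def registrable_domain(host):
    """Last two labels of a hostname; fine for a demo, not a substitute for public-suffix rules."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def check_sender(msg):
    """Flag a From header whose display name shows an address on a different domain than the real one."""
    name, addr = parseaddr(msg.get("From", ""))
    real_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    return [f"display name shows @{claimed} but real sender is {addr}"
            for claimed in re.findall(r"@([\w.-]+)", name)
            if registrable_domain(claimed) != real_domain]

def check_links(html):
    """Flag anchors whose visible text is a URL on a different domain than the href (the 'hover' check)."""
    findings = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = text.strip()
        if not shown.lower().startswith(("http://", "https://")):
            continue  # plain words as link text cannot be compared by domain
        if registrable_domain(urlparse(href).hostname or "") != registrable_domain(urlparse(shown).hostname or ""):
            findings.append(f"link text {shown} but href opens {href}")
    return findings

def analyse(raw):
    """Return the list of sender and link mismatches found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    return check_sender(msg) + check_links(body)
```

Running `analyse(SAMPLE_EMAIL)` returns two findings, one for the sender and one for the link; a mail gateway or user-report triage script could apply the same logic before a human ever hovers over anything.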
3. Surfing social media during work
The door can be opened wide for cyber criminals when employees choose to browse Facebook, Twitter and other social platforms during work. Social media is the most common ingredient in a social engineering attack. One of the main reasons for this is that many employees are unaware of the potential risks that come from what is, for most of us, a daily activity. Add to that the lack of security awareness training focusing on social media use, and you have a recipe for a successful attack.
The rising trend of mobile workforces has also seen an increase in the use of social platforms on company devices, further increasing the risk to an organisation.
4. Accepting fake LinkedIn invitations
One of the most recent scams growing in popularity is the introduction of fraudulent employee accounts on LinkedIn, which are used for information gathering. For instance, someone creates a fake LinkedIn account posing as a known member of your organisation (usually, somebody within a project team or company executive). The fraudster connects with a user in your organisation, then starts to communicate via message.
For an employee, having a company executive connect with them and ask for company-related details can mean that any suspicions are overshadowed by the perceived sense of importance and urgency. The danger here is that the employee is unwittingly handing over sensitive information to a cyber criminal, which is then used in a broader campaign to target the company, typically through spear-phishing.
Given the high volume of connection requests we get via LinkedIn, it can be difficult to avoid accepting fake accounts. One step that can be taken is to encourage employees to email the work address of the colleague they have connected with, should that individual be asking for information.
5. Fake IT Support
Another commonly used social engineering tactic is posing as IT support. If successful, this can drastically impact a network, because it can give the attacker physical access to network computers.
It can take only a matter of seconds for someone with physical access to compromise a computer. One of the most common tools for a social engineer to use is a USB thumb drive: they're very small, easy to conceal and can easily be loaded with different types of payloads depending on the task that needs to be done.
6. Changing Passwords
This type of social engineering relies on calling up a business's help desk and asking them to change the password of the person the caller is posing as. As this is a form of vishing, it is very difficult to determine whether the caller is legitimate; people can easily be manipulated over the phone simply because they can hear a voice.
More often than not, the social engineer will pose as a senior-level employee such as a manager or a CEO. After all, they are the ones with access to the most important things a business has: money and data. Once the password has been changed, the attacker can access what they want while the actual employee can't, which makes it even more difficult to regain access and terminate the social engineer's access.
7. The name-drop
This method of social engineering is very difficult to spot, simply because a trusted colleague's name is mentioned in the email. You would assume that if an email contains someone's name it could not be from a social engineer.
Just like every social engineering scam, this one relies on your emotions: once you trust someone, you will do whatever they ask, even if it means giving away your credentials or password. The problem is that you have no idea who is sitting behind the screen sending you that email.
It could be a colleague!
Or it could be a cyber criminal!