3 Reasons Email Scams Still Work
With the help of movies and other media, our image of the email scam artist has evolved in the past 10 years.
We used to picture some greasy guy, still living in his mother’s basement, with a thirst for dirty money.
Now, when we think of email scam artists, we think of young 20-something’s (still living in their parents’ basement), doing it just because they can.
And this image is somewhat correct – for the common con artist. If you’re lucky, this is the one that has you in their sites, and the product is of some dubious quality.
The CyberCriminals of today that let loose the mass email scams are organized, skilled, and informed. They use family deaths, holidays, or any other ‘in’, where the potential victim may be more vulnerable.
To separate you from your money, or your information (which eventually lands them money).
These CyberCriminals may be behind phishing emails, pretext calling, and emergency queries, all of which are designed to appear normal, and intend for you to take action on them. The action is designed to appear ‘simple’ and ‘innocent’, such as clicking a link, answering a question, or providing access to something.
The technology that can stop them is just one part of the equation. Your employees can unravel the most secure technology, with a simple answer, a click of the mouse, or other action.
3 Reasons Why Scam Emails
and Other Social Engineering
Remains a Threat to All Companies:
1. We Are Helpful By Nature.
One of the most successful social engineering techniques is the “Request for Help”. Whether it’s on the phone, in person, or email. The person engaging your employee may be posing as another employee, a customer, vendor, or member of the media. They are asking for assistance. They always throw in some urgency, for effect. Whichever method they contact your employee, they never allude to, or throw any suspicion on the harmful effect your employee’s assistance may have on the company.
For example, a person could pose as the Senior Vice President of the company, call the switchboard (or random employee), and create a situation that elicits a feeling of urgency, and wanting to help, and wanting to impress your senior:
“My laptop crashed, and I am operating off my tablet, which isn’t configured for the corporate VPN. So, I can’t get to my corporate email, but I desperately need to reach out to my team. Would you be so kind as to forward the employee director to my personal email? I need to contact them right now, my meeting with an important client is in an hour.”
What would your employee do? Would they deflect? Have you prepared them for the false escalation that would accompany a denial? Such as demands for their name, their supervisor’s name and contact information to ensure punishment of the employee?
Have you prepared senior management for this situation? What if this really does happen to them? What is the protocol? Do they know it?
What if a man shows up at the side door of one of your company buildings. He’s wearing a jacket with the company logo and, to the casual observer, appears to be an employee heading into the office via the side entrance. He’s wearing an ID tag that may, or may not be, real. What he doesn’t have is the building’s PIN codes or an ID with a valid near-field communication capability to get through the card swipe. He simply adjusts his pace, or loiters so he may enter behind an employee with legitimate access. Once inside, he wanders around and collects laptops, smart cards, hard drives, and papers.
How would your employees address someone following them through the door? Would they hold the door closed, and demand that they swipe their badge or enter their PIN code? Or would they be polite and hold the door open and go about their daily business?
2. We Are Curious By Nature.
Curiosity is encouraged from the time we are in diapers. We are encouraged to ask questions, try new experiences, read new things and stay current. The social engineering professionals (and yes, they are professionals), attempting to set their technological hook into your company-issued devices and, by extension, the network, are crafting their emails and social networking posts to entice your employees to act, and click. They use everything from natural disasters, epidemics, economic concerns, elections, tax time, famous deaths, family deaths, or any absurdity, all designed to pique your employees’ curiosity, so that they will take action, and click.
How would you implement a “No-Click Policy”.
3. We Are Multi-Taskers By Nature.
In this always-connected, always-on world of virtual meetings and engagement, employees may be talking on the phone and scanning their inbox at the same time. Social engineering pros are counting on your partial-attention, when they begin to conduct surveillance prior to mounting an attack. Multiple innocuous queries can be made across the enterprise via pretext calls about bring-your-own-device policies, or accessing social networks via company networks. In every instance, the information gleaned, is the base upon which a scam package is created, which appears to be normal and within company policy to the recipient.
How Do You Combat Email Scams
and Other Social Engineering?
1. If you are using a data loss prevention system, you already know that you have to invest both time and energy to implement a data classification regime, which assists in tuning out the noise or false positives.
2. You must ensure adherence to the philosophy of least-privileged access (need-to-know).
3. Include a robust security information and event management process to ensure knowledge of attempts to access information and successful out-of-pattern access to information.
These foundational elements need to be coupled with a comprehensive Security Awareness Program that is provided continuously.
You can’t stop CyberCriminals from targeting your company or employees.
But you can be prepared for their arrival, and have full shields up.