3 Reasons Employees Fall for Phishing Attacks


A phishing attack is one of the most common cyber security threats. Phishing uses bait, a fraudulent email, phone call or message crafted to look legitimate, to trick the recipient into opening an attachment, clicking a link, or replying. Phishing messages commonly borrow the branding, look and feel of household names such as large banks, online services, or e-commerce sites. The goal is to use deception and manipulation to get the victim to give up confidential or private information, such as passwords or account details.
Spear phishing is a variant in which the cyber criminal targets a specific individual, usually someone with control over a sensitive computer system or company financial resources. Senior executives and their administrative staff are frequent targets, as are department heads, especially in IT, HR or Finance.
With spear phishing, the attacker relies on several different tactics to lure the victim into the trap. Let's review the three most common reasons employees fall prey to phishing attacks.
1. Social Engineering
Social engineering is the art of exploiting human trust to get someone to divulge confidential or private information. Social engineering is often used in cyber crime, because it is generally easier to get someone to divulge a piece of information, such as a password, than it is to crack a password with technical means.
Social engineering involves leveraging people’s innate trust in brands, colleagues, or friends. It can happen over email, on the phone, or in person. Cyber criminals will sometimes visit an office location to case out the scene and discover vulnerabilities or social connections between various employees.
In other cases, attackers exploit employee trust by "tailgating," following closely behind an employee to gain physical entry to an office building. Often an employee with an authorized security badge will open the door and let the people behind follow them in, as long as they look like fellow employees. All too often, people are reluctant to confront a stranger, ask to see a badge, or insist that the person swipe their own badge to gain entry.
Similar tactics are used over the telephone to get employees to reveal company secrets or other insider knowledge to a criminal posing as a colleague. As the attacker gathers more insight into the organization and its people, their ability to impersonate staff improves. Abundant information on social media, such as job titles and reporting lines, further enables social engineers to build trust and impersonate staff.
2. Urgency
In many phishing attacks, the cyber criminal exploits a person's sense of urgency. People hate to be late to meetings, deliver a project behind schedule, or pay a vendor late. A common pattern is to manufacture a false sense of urgency around a vendor payment: the social engineer asks the victim to wire money, use a credit card, or make some other electronic payment because some dire consequence will follow if the payment is late.
A very common attack involves impersonating an executive officer or business owner and asking a subordinate to urgently wire money or pay a particular vendor. Attackers also frequently ask the employee to purchase gift cards they need to "give someone they are meeting with right now". The fraudulent email is made to look deceptively similar to the CEO's, typically by putting the CEO's name on an outside address or sending from a lookalike domain, and demands immediate action. The attacker may become angry or testy if they don't get an immediate response, ramping up the stress on the victim. Far too many people fall victim to this pressure and end up wiring money or paying an unfamiliar vendor without asking questions or double checking the authenticity of the request or the recipient.
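The executive-impersonation email described above leaves traces in its headers that can be checked mechanically before a human is asked to judge it. Below is an added example, not code from the original article or from Protek: a small Python header check that flags a From display name matching an executive on an address other than the one on file, a sending domain that imitates the company's (homoglyph swaps or a single-character edit), a Reply-To that diverts replies to another domain, and urgency or payment wording. The domain example.com, the executive directory and both sample messages are constructed for illustration.

```python
"""Flag executive-impersonation ("CEO fraud") emails from their headers and text.

Added example; example.com, the executive directory and the sample messages
below are constructed, not taken from any real organisation.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: our own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: directory of executives

# Characters attackers swap in to build look-alike domains, folded to the letter they mimic.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Wording that pressures the reader into paying before checking.
URGENCY_TERMS = ("urgent", "right now", "immediately", "wire", "gift card", "asap")


def fold_homoglyphs(domain):
    """Map look-alike characters back to the letters they imitate (examp1e -> example)."""
    folded = domain.lower()
    for glyph, letter in HOMOGLYPHS.items():
        folded = folded.replace(glyph, letter)
    return folded


def edit_distance(a, b):
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain):
    """True when the domain imitates COMPANY_DOMAIN without actually being it."""
    if domain == COMPANY_DOMAIN:
        return False
    if fold_homoglyphs(domain) == COMPANY_DOMAIN:
        return True
    return edit_distance(domain, COMPANY_DOMAIN) <= 1


def analyze(raw_message):
    """Return a list of findings explaining why the message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. An executive's name on an address that is not the one in the directory.
    known = EXECUTIVES.get(display_name.strip().lower())
    if known and address.lower() != known:
        findings.append(f"display name '{display_name}' matches an executive but address is {address}")

    # 2. A sending domain that imitates ours.
    if is_lookalike_domain(from_domain):
        findings.append(f"sender domain {from_domain} imitates {COMPANY_DOMAIN}")

    # 3. Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} points to a different domain than From")

    # 4. Pressure language in subject or body (single-part text messages only).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample: the CEO-fraud message pattern described in the article.
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.jdoe@mail-relay.example.net>
To: bob@example.com
Subject: Urgent - need this done right now

Bob, I'm in a meeting and can't talk. Please buy 5 gift cards and send me the codes.
"""

# Constructed sample: a routine message from the real executive address.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 planning notes

Bob, attached are the notes from yesterday. No rush, review when you get a chance.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample) or ["no findings"])
```

Run stand-alone it prints four findings for the fraudulent sample and none for the legitimate one. Treat it as a triage aid, not a verdict: any finding should route the message to human review and to out-of-band verification of the request, and the executive directory has to be kept in step with the real mail system or the display-name check will produce false positives.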
3. Scare Tactics
Phishing attacks often exploit people's respect for authority. In some cases, attackers pose as agents of an important government agency, such as the Social Security Administration, FBI, or IRS. Whether the concern is realistic or not, no one wants to be audited or arrested, so attackers prey on fear of authority and ask victims to comply by handing over information such as addresses, dates of birth, or Social Security numbers. In stepwise fashion, the attacker ups the ante and asks for more as long as the victim keeps complying. In no time, the attacker can assemble a portfolio of highly sensitive information that can be used in other attacks, such as accessing financial accounts or committing identity theft and opening fraudulent accounts.
In the workplace, social engineers exploit respect for authority and the chain of command. Generally, people follow orders from senior executives without question. If employees with access to sensitive systems or financial services fail to detect the deception, they may hand over sensitive information or wire money to criminal organizations.
Unfortunately, situations like this happen all the time, and it is astounding how many people are afraid to pick up the phone and merely double check the authenticity of a suspicious request or order sent via email. Companies can defend against these attacks with checks and balances such as dual approval for payments and vendor banking changes, verification over a second channel (for example, a phone call to a number already on file, never one supplied in the email itself), or agreed code words. Most importantly, it is vital to cultivate a "trust but verify" culture in which employees are trained to spot suspicious activity and to double check requests, even from above, without fear of repercussions.
Combating phishing requires a multipronged approach, combining cyber security technology with a culture of security in the organization. Protek encourages new and existing clients to conduct periodic cyber security assessments and set up phishing simulations to measure your organization's ability to withstand phishing attacks.
Eric is the owner and CEO of Protek Support and is a CISSP (Certified Information Systems Security Professional). He graduated from Utah State University with a Bachelor of Science degree in Business with an emphasis in Information Technology (IT). He is an IT services expert in a variety of technology-related fields, including document management software and hardware, enterprise-level networking and VoIP phone systems, large-scale software implementation projects, and the setup of small business networks.