5 old social engineering tricks employees still fall for, and 4 new gotchas

Blame it on pandemic fatigue, remote work or just too much information, but employees appear to be lowering their guard when it comes to detecting social engineering tricks. Attackers were more successful with their social engineering schemes last year than they were a year earlier, according to Proofpoint. More than 80% of organizations suffered a successful email-based phishing attack in 2021, according to a survey of 3,500 professionals. That’s a 46% jump from 2020.

“So many people, especially today with all the distractions and noise of the world, are on autopilot – just going through the motions,” says Kevin Beaver, principal consultant at security firm Principle Logic. “Their subconscious mind has taken over making what are often critical decisions. The bad guys know they have the upper hand.”

A study by researchers at Stanford University found that about 88% of all data breaches are caused by an employee mistake. Nearly half of employees (45%) cited distraction as the top reason for falling for a phishing scam, and 57% of remote workers admit they are more distracted when working from home. The top reasons for clicking on phishing emails are the perceived legitimacy of the email, or that it appeared to have come from a senior executive or a well-known brand.

The consequences of a breach caused by human error are bigger than ever.  Proofpoint identified nearly 15 million phishing messages in 2021 with malware payloads that have been directly linked to later-stage ransomware. And the average total cost of recovery from a ransomware attack reached $1.85 million in 2021, according to Sophos. 

Why do employees still fall for the same old tricks? KnowBe4 CEO Stu Sjouwerman called them the seven deadly social engineering vices in 2016, and most employees still share them today: Curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy.

5 old social engineering tricks

Security awareness experts say employees still fall for these five old social engineering tricks, and they warn of four new scams that add a twist to these oldies but goodies.

1. Official-looking email

Who could resist opening an email that appears to come from your company’s CEO with the subject line, “You’ve been mentioned in this document” and the email contains a link titled, “Employee Raises and Promotions 2022”? Yes, people still fall for that official-looking email, where message appears to be coming from a legitimate source or person you know, says John Wilson, senior fellow of threat researcher at Agari by HelpSystems. Wilson recently received this same phishing attempt, but he was familiar with the bait.

In attempts like these, “bad guys are trying to phish credentials,” he says. In this case, to open the document, “it wants you to log in again with your Office 365 credentials. If they make it juicy enough, people will open it.”

Regardless of the bait offered, the lesson here is: “There is no good reason why you would have to log in again to open anything,” he says. Wilson also suggests using a password manager that will only apply your credentials if you are on an authentic website.

2. “Here’s a free USB stick”

The FBI warned U.S. businesses in January about fake letters sent through the U.S. Postal Service and UPS that impersonated the Department of Health and Human Services in some cases offering COVID-19 information, and Amazon in others. Both included a USB stick laced with malicious software.

If inserted into a computer, the USB stick could have given the hacking group access to an organization’s network to deploy ransomware, the FBI said.  It’s unclear if any of the firms were compromised in the incidents, but it’s a reminder that old social engineering tricks linger.

3. The office gift card scam

One of the most prolific, if not most effective social engineering tricks still circulating is the gift-card scam, where an email appears to come from an executive at the company asking for assistance. The story usually goes – the executive needs gift cards to reward staff, “and it’s a surprise so don’t tell anybody,” Wilson says. The goal is to get the employee to purchase the cards, scratch off the silver coating covering the codes, then email back a photo of the backs of the cards.

“I would say 1 out of 100 [employees] will reply that first time. What’s unclear is if anybody goes and gets the gift card,” Wilson says, but his team has logged roughly 10,300 incidents since January 2019 and sees hundreds of these phishing attempts each day in data across its customer base. “It’s still going, so somebody is falling for it,” he says.

4. “You have a voicemail”

Malware-laced internal voicemails sent through emails have resurfaced in recent months – and some employees still fall for them, Wilson says. “It’s been going on forever. It’s just a good lure because you want to get your email,” he says. The effectiveness of this depends on who is on the receiving end and their department. “An engineer won’t answer your voicemail, but if you’re in sales, and you think that voicemail might be an order or a prospect, you might open it up.”

Recipients should ask themselves if their company even uses a system that sends voicemail through email. If it does, then always hover over the email address to make sure it’s from a known sender, Wilson says.

5. “There’s a problem with your package delivery”

Fake parcel delivery notices have evolved and flourished for more than 15 years, says Chester Wisniewski, Sophos principal research scientist. These phishing attempts come in many variations but are designed to charge you a fee for duties or customs, while others are simply phishing attacks designed to have you “login with your email to track a package,” and credentials are stolen. “These are often customized to the region of the recipient and will spoof global logistics brands like DHL, UPS or FedEx,” he adds. 

4 new social engineering gotchas

There’s never a shortage of new social engineering scams waiting to be exploited, but here are four of the more common, flagrant or dangerous new tricks based on old vices.

1. “Here are your legal documents from DocuSign”

A popular social engineering trick, especially since the beginning of the COVID-19 pandemic, is malware disguised as a request to sign legal documents via DocuSign. “Presumably more legal forms are being signed digitally these days,” Wisniewski says. “They will prompt you to install some sort of plugin, which is really computer malware, to proceed with viewing the purported document.”

2. The “aging accounts report” scam

In this scam, an employee, usually in accounts receivable, gets an email claiming to be from a company executive. The message says he or she wants to do research into our outstanding receivables and asks the recipient to “please send our latest AR aging report” that includes a list of all customers who owe money and the amount of time past due. Next, the bad actors create and register a lookalike domain name and they hit up everybody on that list, Wilson says.

“The bad actors know how much is owed, when it’s owed, payment terms, and will then say, ‘We’re only accepting ACH payments to this account number going forward.’ Unfortunately because all information matches, the customers go along.” By all accounts, the trick has been fairly effective, Wilson says. “The scam is particularly dangerous because the damage isn’t to your company, but to all your customers.”

3. “There’s a problem with your bank account. Click here to resolve the issue”

Cybercriminals are using a phishing email to convince a target that there is a problem with their bank account, email account or other high-value account. The email contains a link that will help the targeted individual resolve the urgent issue. Clicking on the link launches a web browser window, which then takes them to a login page for that account. The victim then enters their credentials, receives the expected message requesting an MFA code, which the victim also enters. The victim sees nothing wrong in the account, thinks the message about the problem was an error, and closes the browser window or tab that they used to log in.

“This is a new and tricky way to get around improved security controls (like multifactor authentication) to pull off old, reliable social engineering tricks,” says Erich Kron, security awareness advocate at KnowBe4. Many organizations have become good at spotting the reverse proxy servers used for this, making it tougher for the cybercriminals carry out, Kron adds. “Cybercriminals have fought back, though.”

4. Phishing by phone

Newer scams have emerged using the telephone. Malware known as BazarLoader impersonates brands like Amazon to convince you that you are being charged hundreds of dollars for a subscription. If you want to cancel, you need to call a phone number to speak to a representative. The criminals operate real call centers where they instruct you over the phone how to download the malware and run it on your computer. Other variations of this include similar lures to cancel streaming video services or magazines.

“These attacks will never go away, we just need to try and remain vigilant and warn others when we detect a scam making the rounds,” Wisniewski says. Security teams should make it easy for employees to report when they’ve been tricked, “and make it clear that employees are not in trouble.”