Even though companies are putting more efforts into training staff to be wary of social engineering scams, people are still falling for them time and time again. On top of this, cybercriminals are always busy creating new scams.
The issue is that employees just aren’t paying attention like they should be when it comes to knowing they may be becoming a victim of a scam like this. In 2021, attackers were much more successful with these scams when compared to 2020, and shocking 80% of all organizations out there had some type of phishing attack in 2021. That’s 46% more than in 2020.
One of the reasons why this is happening is that people are just distracted by other things...they are essentially going through the motions of life, and their subconscious mind is taking over to make decisions that it shouldn’t make. Unfortunately, scammers know this.
A Stanford University study found that 88% of all data breaches that occur actually happen because of an employee mistake. When asked, almost half of employees who have caused these breaches said that it happened because they were distracted by something else. When you add the fact that more people are working from home than ever before, and that it is proven to be more distracting to work at home, we have a big issue on our hands.
The consequences of data breaches are also growing bigger than ever. In 2021, more than 15 million phishing emails sent out, and the total cost for a company to fix it hovered around $1.85 million.
Why do people fall for these scams, though? Mostly, it’s the same reasons they have always fallen for them including thoughtlessness, gullibility, curiosity, courtesy, and apathy.
5 Old Scams People Still Fall For
Security experts say that there are five social engineering scams that people are still falling for. Here is a reminder for you about what these scams are about:
An Official Looking Email
Scammers know that if someone gets an email from someone important...like a company CEO...they are going to open it. They also know that people are going to click on links in emails that look official, especially if the link is labeled something like “Proposed Employee Wage Increases for 2022.” The problem is this --- the emails might look like they are coming from someone important, but they are actually coming from a scammer --- and if you click that link, you could be initiating a company-wide data breach...or worse!
What you need to look for here is anything strange in the email – typos, grammar errors, or odd URLs are all signs that the email could be a scam. You should also look at the actual email address and not just the name on the email. A scammer can change the name on an email address at any time.
The Free/Lost/Dropped USB Stick
Another common scam that people still fall for is the free or lost or dropped USB stick also known as the “Bad USB” scam. In fact, just in January, the FBI sent out a warning to US businesses about fake letters from the Department of Health and Human Services, and all of them included a “free USB stick.”
However, when this USB drive was inserted into a computer, it could transfer software into the network, which allowed hackers to set off ransomware attacks.
The Gift Card Scam
If there is one scam out there that could be called the most effective scam, it’s this one. The gift card scam here is a type of social engineering scam that begins with a hacker sending a fake email or text to staff that appears to come from a company executive. In the email, the exec asks the recipient to go out and buy a bunch of gift cards, and then send the codes back to him/her. The hacker makes sure to create a sense of secrecy, saying that it’s a “surprise” for the recipients of the cards.
Since January of 2019, there have been thousands of these attempts, and hundreds of them go out each day. If hackers are still sending these emails, we can be sure that people are still giving them the information they are asking for.
The Voicemail Scam
Internal voicemails sent via email has been a thing for a while, but hackers are taking advantage of it by sending fake ones that are littered with malware. This is a good scam for hackers because everyone wants to check their email, and depending on who you are, you might want to check that voicemail, too. For instance, this works well for people in sales or who work on commission, as any message could be a lead for a new client. If you work for a company that does this type of voicemail distribution, make sure that it’s legitimate before clicking on the message...and if your company doesn’t do it, it’s probably best to delete it.
The “Problem with Your Delivery” Scam
Over the past two decades, the way and frequency we get packages and deliveries have certainly changed. We get notified of and can track packages via email, and with more people ordering things online than ever before, and getting several packages a week, it wouldn’t seem totally out of the ordinary to get an email notifying you of an issue with a delivery.
There are a number of ways that these scams come through; some of them want payment for delivery or others want you to put your email address in to track a package. The hackers often use fake tracking numbers and delivery days and times, but they always use the logos we are familiar with, including UPS and FedEx.
Four More Social Engineering Scams to Watch Out For
So far, we have talked about social engineering scams that have been around for a while, and you might have seen them before. However, there are always new ones or new spins on old ones coming out, and here are some that you definitely want to keep an eye out for:
The DocuSign Scam
This is a popular scam that started being more prolific at the beginning of the COVID-19 pandemic. Essentially, a person is getting a notification from DocuSign asking them to sign some legal forms. This is pretty common to sign forms online, but in this case, it is a scam that will install a plugin containing malware onto your computer and/or network.
The “Aging Accounts Report” Scam
This is a new scam, too, which is primarily focused on people in accounting. In this case, they get an email that looks like it is coming from an executive in the company. The message says that he or she wants to take a look at the outstanding receivables, and then asks the victim to send a report that includes customers who owe money and how long the account is overdue.
Once the scammer has this information, they can create a fake email or website, reach out to those people, and remind them of their bill. Since the hacker now has all of the information necessary to look legitimate, they quickly can convince the payer to send an ACH payment to a different account number. Because this scam is so good and convincing, plus it’s not actually the company in danger...but customers...this can be a dangerous and devastating scam.
The Bank Account Problem Scam
Another cybercrime is when a criminal uses a specific type of phishing email to convince a victim that there is an issue with an important account, like a bank account. The message will have a link that the recipient can click on to resolve an urgent issue like a bank account issue. The site will look just like the bank’s website, though if you look, the URL will be different, and then the person can enter in their credentials.
The problem is, now the hacker can get into a bank account and see the information in a matter of minutes. Though banks and other agencies are working hard to make sure it’s tougher than ever to pull a scam like this off, as with many things, the hackers seem to be right at their heels.
The Phone Phishing Scam
Finally, we still have the old phone scam, but with a modern twist. In this case, BazarLoader, a type of malware, can impersonate another brand, like Amazon, for instance. The scam is that the hacker convinces a person that they are being charged a lot of money...usually a few hundred dollars...for a subscription. However, if they want to cancel, they can call a phone number to speak to a customer service rep. If the victim calls this number, the hackers will literally take them step by step into installing malware and running it on their computer.
There are some variations of this scam, too, such as when a person is charged a ton of money for a streaming service or even a magazine.
We know that these types of hacks are here to stay, so the best course of action against them is to remain highly vigilant and aware that these scams are out there. Report any that you might come across, and keep an eye out for new scams as they come through.
Please share this.
Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.