Social Engineering Scams by Role

One way to get employees’ attention regarding cyber security is to show them how they may be socially engineered based on their role in the organization. Here are some ideas to use as examples.

HR

Malware-laden document disguised as a resume arrives via email, LinkedIn, or other job board.

Back in 2015, Craigslist users were hit with a wave of malware when scammers began to respond to job postings with resumes containing Trojan viruses. More recently, LinkedIn’s reputation as a legitimate employment networking site has caused many to be victimized by similar resume-related scams.

Not your average resume

Accounts Payable

Urgent request from the boss to pay a vendor through wire transfer.

An employee from Coastal Carolina University wired $1M to a scammer posing as a vendor. The scammer had a highly sophisticated plan, providing what appeared to be official documents with the company logo, tax ID numbers, and names of vendor officials – all of which were probably collected online!

Payroll

Request from the boss during tax season to send all W-2s.

In January 2017, a Tipton County Schools employee fell for a phishing scam and emailed the W-2 forms of employees to someone posing as the director of schools. This scam required very little effort, perhaps only a few minutes to create a fake email address, and had a huge payoff for the scammer.

Software Team

Your account is in violation… phishing e-mail.

In a recent scam, hackers phished Chrome extension developers for their login information. This is known as a supply chain attack. By compromising developers’ logins, hackers are able to spread their malicious code and steal user information at a much greater rate–over 4.8 million people were affected by this scam.

Information Technology

“We’re from [internet service provider] here to service your [technology]. You don’t have to hang around all day. It’ll be hours…”

Anyone claiming to be a vendor should have their credentials validated and should be accompanied by an employee at all times.

Welcome Desk

“Please please please print this document from my USB stick. My printer broke this morning and I need to have these slides for an important meeting with the executive team.”

Never connect an unknown USB to your computer. The device may contain malware that could spread throughout the network.

You can turn these kinds of scenarios into an exercise by the workforce. Run a contest where employees create scenarios in which they personally may be fooled or socially engineered into opening a malicious attachment, revealing too much information, or supplying their username and password. Consider a random drawing for a $25 gift card to get the creative juices flowing. Allow a bonus entry for anyone who also supplies how they may thwart a social engineering attempt. Bringing this awareness to your workforce may help prevent an attack on YOUR organization!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s