Manipulation tactics that you fall for in phishing attacks
It’s 6 p.m. on a Friday. Just as you finish packing up for the day, an email from your boss pops up on your phone asking why an urgent payment didn’t go out earlier in the week. He’s tied up in a business dinner, so he needs you to wire payment to a specific vendor immediately and send him a confirmation email here once you’ve done so. Eager to help (and get out of the office for the weekend) you transfer the money and email your boss. He thanks you for going above and beyond.
Come Monday morning, you’re pulled into an emergency meeting. The company has lost $157,000.
No matter which attack scheme they use, cybercriminals understand one simple fact: all human beings are vulnerable. More than any other method of attack, malicious actors prey on a company’s workforce – often using common psychological tactics to manipulate people into sending money, providing access, or divulging confidential information.
Here are three common cyber-crime techniques people fall for:
1. An urgent deadline
A criminal impersonates a C-level or senior executive and makes a demand that requires a quick turnaround. Common schemes include closing a sales deal or paying a pending vendor invoice. Hackers capitalize on the deferential relationship between executives and their direct reports, counting on their victims’ eagerness to complete time-sensitive directives from company executives.
W-2 scams are another common social engineering attack that lead to large-scale data breaches. A “CEO” requests personnel records to facilitate changes in payroll software or to answer board-level inquiries, but he or she is speaking at a conference and can only communicate via email – a fact that attackers can confirm on social media and then use in planning their attacks. This type of breach hurts not only the business, but also its employees since criminals can leverage the W-2 information to file fraudulent credit applications or tax returns.
Some criminals use aggressive scare tactics to perpetrate scams. While these schemes take several forms – personal blackmail, fraudulent lawsuits, or threatening to shut down a paid service – the end-goal is always the same: pressuring victims into wiring money or divulging sensitive information.
Learn to recognize the most common examples:
Tax Scams: The criminals impersonate IRS agents and claim that an individual or company owes back taxes. They threaten to take legal or criminal action if the money is not wired by a certain time.
Business Service Impersonation: Hackers spoof well-known email or file sharing services and say there are “issues with your account” that need to be resolved quickly – perhaps an account will be suspended due to limited storage space or an expired credit card.
Earlier this year, several businesses and universities fell victim to an attack campaign disguised as a FedEx notification. The emails urged recipients to resolve an issue with package delivery by clicking on a verification link. These simple, transactional requests for link clicks are the reason that consumers fall for attacks like these that impersonate global brands like Amazon, PayPal, and Bank of America.
Credential theft attacks like these can have more far-reaching business impacts. For example, HR-level login details to a company’s ADP account provides direct access to payroll and financial data, infrastructure-level access to an organization’s Microsoft Azure or Amazon Web Services accounts allows hackers to bring down business operations, and visibility into a company’s Google Drive or Office 365 SharePoint directory exposes confidential information and intellectual property.
3. Flattery and politeness
This tactic is the most novel of the three. Cybercriminals add legitimacy to their requests by using polite terms or insincere praise from esteemed figures or the target’s contemporaries (e.g. “I love your work and would love for you to read a recent article I wrote”).
Iranian hackers used this tactic to steal more than 31 terabytes of data from over 300 universities around the world. Instead of relying on urgency or intimidation, the cybercriminals preyed upon the vanity of the professors they targeted. The spear phishing emails often indicated that the sender had read an article recently published by the professor, and expressed interest in other linked articles that actually led victims to malicious websites.
While these are among the first reported incidents of criminals ditching intimidation in favor of weaponized flattery, they surely won’t be the last.
Getting better at identifying phishing attempts
Cybercriminals depend on the human instinct to help others and resolve problems. They play upon our trust in email communications – despite training and warnings to the contrary – to trick victims into clicking on malicious links, giving away credentials, or unwittingly installing malware and ransomware.
It’s unrealistic to expect that employees will correctly identify phishing attempts 100 percent of the time. However, by combining phishing-aware email solutions that provide in-mail user training with periodic security awareness that helps them recognize common cybercriminal attack tactics, you’ll help your users remember what to do when presented with a real-time security alert on a sophisticated, real-life attack.