July 13, 2016

Email Fraud: Would Your Employees Recognise These Red Flags?

Training employees to recognise social engineering dangers is one of the most important ways to protect confidential information in the workplace today.

Information thieves use social engineering such as phishing and pre-texting to trick people into giving out confidential information and/or installing malicious software.

  • Scams can occur over the telephone but most frequently, they arrive in a fake email.

  • Many data breaches are thought to have started with a simple social engineering scam.
Anti-Phishing Working Group

According to Verizon’s 2015 Data Breach Investigation Report, phishing attacks have been a factor in more than two-thirds of cyber-espionage incidents for the past three years. The study showed that more than 23% of recipients open phishing emails while 11% open the attachments.

Globally, computers continue to be infected with malware at a high rate. The Anti-Phishing Working Group (APWG) reported that the global infection rate was around 33% for most of 2015.

For protection, an organisation should have a comprehensive information security program as well as technology that intercepts incoming emails such as firewalls, antivirus software, and content filtering. There should be a multi-level approval process for any financial transfers. Some companies utilise social engineering phishing tests to identify workforce vulnerabilities and solutions.

Employee knowledge about engineering scams is just as important as these other safeguards – so employees can delete or ignore scams.  

In security awareness training, teach employees about the risks involved in sharing personal and business information online. Also, use workplace reminders (posters, notices in employee newsletters, etc.) to keep phishing awareness top-of-mind.

Here are some Social Engineering Red Flags to be aware of:
  • Sender: It’s a red flag if the sender is not a recognised person or organisation. But keep in mind that cyber criminals are increasingly using social media platforms to launch attacks. For example, they create fake LinkedIn profiles in order to target employees at a specific company
     
  • Subject: How relevant is the subject line? It should make sense or match the content. If there’s reference to a request that wasn’t actually made by the recipient, consider it a red flag too.  
     
  • Other Recipients: Being copied on an email with one or more people who are not personally known is a red flag.
     
  • Content: Spelling mistakes, unusual phrases, bad grammar, and provocative content are all red flags. A scam request to install antivirus software may actually be a malicious programme.
     
  • Attachments: A scam email may direct the recipient to open an attachment in an unusual way. Consider whether the attachment was expected or the ‘sender’ would normally send these types of attachments.
     
  • Hyperlinks: Directing the recipient to click on a link is a red flag. One way to check the link is to hover over the hyperlink with the mouse to see if the address is for the correct website.  

Make sure you and your employees are aware of social engineering dangers.