"The most obvious scenario would be to spoof an internal call from the voicemail system, asking employees to confirm their voicemail password and maybe prompting for an emergency cell phone number or something similar."
Prevention: Never act on incoming robocalls, experts say, and don't trust the name on Caller ID. One telltale sign of the robocall scam — it will refer to the message from "your credit card company" but doesn't say the actual name.
3. Healthcare records for spear-phishing attacks
With massive data breaches in 2013, the criminal element has reached a point where they can grab personally identifiable information and start merging records — including healthcare records.
For instance, a bogus email looks like it's coming from your employer and its healthcare provider announcing that they've made some changes to your healthcare program. They're offering preferred insurance rates for customers with your number of children. Then they invite the email reader to check out a link that looks like it goes to the health insurer's web page.
"Because the email is loaded with the reader's personal information, there's a high likelihood of one click — and that's all it takes" to infiltrate company systems, Sjouwerman says.
4. Phishing with funerals
Perhaps a new low - social engineering gangs have been caught sending people phishing emails that appear to be from a funeral home telling the reader that a close friend of yours is deceased and the burial ceremony is on this date. They have already penetrated and compromised the funeral home's website, so the moment that the concerned friend clicks on the compromised website they get redirected to a bad guy's server.
Hadnagy confirms that this social engineering scam is sad, but true. "There are a few stories of this being used successfully. People click and get loaded with exploit kits or the scammers harvest credentials."
At the bogus site, the bad guys quickly drop a piece of malware that over time pulls down a boatload of keylogger and other information. It also drops a Trojan, and the computer has just become a zombie able to carry out nefarious acts such as attacking other computers and sending spam.
Bottom line — think before you act on emotion, Greaux says.
"Typically the [scammers'] motivator is fear, greed or curiosity. If you send out 10 emails [or calls,] chances are 1 out of 10 of the recipients is going to be motivated by the emotion that they're trying to use."
Sign up for CIO Asia eNewsletters.