“Especially when you’re exchanging files with subcontractors or partners on a project, you really should be using a secure file transfer system so you know where the file came from and that it’s been vetted.” He also cautions recipients to be wary of any file that asks the user to enable macros, which can lead to a system takeover.
In the absence of a secure file transfer system, users should hover their cursor over email addresses and links before they click to see if the sender and type of file are legitimate, he adds.
2. ‘You missed a voicemail!’
Scammers have been trying to install malicious software through emails designed to look like internal voicemail service messages since 2014. Businesses often have systems set up to forward audio files and messages to employees, which is convenient but hard for users to discern as a phishing hoax.
Today, “The voicemail is a spoofed Microsoft or Cisco kind of voicemail,” Sjouwerman says. “They go to their in-box and there is a voicemail, but they missed it and then open the attachment. [Spoofers] can catch practically anyone with that,” and not just the accounting department where invoice scams are sent, he adds.
3. Free stuff
Most employees can’t resist free stuff – from pizza to event tickets to software downloads – and they’ll click on just about any link to get it, phishing experts say.
“Nothing is truly ever free,” Nutter says. “We’re starting to see again where you’ll get a link saying, ‘Here’s free software.’ It could be something that’s actually out there already for free, but they’re sending you through their website, which means you may be getting infected or compromised software.”
Adding to the danger, “A lot of these download sites are bundling [software], and you also have to download something else that you don’t even want,” Nutter adds. “If it compromises your security setup, now you’ve just opened Pandora’s box.”
He recommends first checking to see if your organization has already licensed the software, or if it’s truly free software, then go directly to the software vendor’s website to download.
4. Fake LinkedIn invitations and Inmail
One of the commonly repeated scams that Proofpoint is seeing involves fraudulent employee accounts on LinkedIn that are being used for information gathering, says Devin Redmond, vice president and general manager of digital security and compliance.
For instance, someone creates a fake LinkedIn account posing as a known member of a project team or even a company executive. “It looks very legitimate and that person does work for the organization. [The imposter] connects with you, you accept and they start communicating with you,” Redmond says. “As the employee, if it’s an executive account that you’re linked to, you’re happy and excited that this executive is communicating with you, and you start to, unknowingly, give information that’s sensitive or private to the organization.” Meanwhile, the information is being used as a broader campaign to gather sensitive information on the company.
Sign up for CIO Asia eNewsletters.