Users Are Still Being Fooled by Online Scams

According to a recent article in the online publication DarkReading, despite all the money being spent on security, users are still getting fooled by old-fashioned phishing (bogus e-mails that carry malware or lead you to malicious websites) and social engineering techniques.

The full text for the article can be found here.

Below, I’ve pulled some excerpts from the article:

“Researchers confirm that phishing – those fraudulent emails that deliver malware or lead users to the wrong websites – is on the rise again. According to RSA’s May 2012 Online Fraud Report, instances of phishing were up 86 percent in April, reaching their highest level since September 2011.”

“The driver behind this growth is simple: people are much easier to fool than computers. While software vulnerabilities or weaknesses in security systems are becoming more difficult for cybercriminals to find and exploit, a single gullible user can introduce a world of trouble into an organization with a single mouse click. Major breaches at RSA, Sony, and many other organizations have been launched with a single successful targeted phishing attack.”

“We have spent the past decade deploying a large number of security controls and investing in protecting servers and applications — for right now, the user is the easiest target,” says Mike Murray, managing partner at MAD Security, a security firm that focuses on modifying the behavior of end users to make client organizations more secure.”

“Why is security awareness training so ineffective? A lot of it is because the training programs themselves are ineffective,” Hadnagy explains. “They’re impersonal, boring videos or [computer-based training] given mandatorily in classrooms where people spend the whole time texting or IMing. The [employees] are not engaged. They’re not learning anything. And so they make the same mistakes over and over.”

“Tim Rohrbaugh, vice president of information security at identity theft protection company Intersections Inc., agrees. “Despite a lot of talk about security and breaches, the typical user is as unaware and unconcerned as they’ve always been,” he says. “There are user education programs, but the incentives aren’t there to get users to really change their behavior. People are still not very good at filtering what’s real and what isn’t.”

“When we do social engineering testing, one of the things we find is that employees behave better in companies that really care about security,” Hadnagy says. “In a lot of cases, there is a direct correlation between the amount of money the organization spends on security and how their users fare in social engineering tests. When the organization cares about security and is willing to invest in it, then their employees usually do, too.”

“The key, experts say, is to make security awareness part of everyday business operations, rather than something that is done in a classroom. Just as employees are rewarded or punished for appropriate handling of company funds or personal files, they can also be indoctrinated into a corporate culture that rewards and punishes for appropriate use of computers and data.”

“We fail repeatedly to work with our users to actually modify their behavior,” Murray says. “We try to ‘train’ them by giving them information and hoping that it will change behavior — unfortunately, humans don’t work that way.”

“The first part, of course, is perennial security awareness,” Jaquith says. “Teach your employees what they need to know, what they need to look out for, what’s good, what’s bad. Phishing resistance is the second thing. So run your own fake email campaigns. Try and spoof yourself. You can use any of the marketing tools like Constant Contact. We use something called Hubspot, really good for blasting things out for customer communication.”
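The self-phishing exercise Jaquith describes above, as an added example for this post (it is not the article's tooling, and not Constant Contact or HubSpot): build one lure per employee with a tracking token that is an HMAC over the recipient's address, then attribute landing-page hits in the web log back to recipients and score the click rate per department. The landing URL, the campaign key, the recipient list and the log lines are all constructed for the example; the log format assumed is Apache combined.

```python
"""Self-phishing campaign harness: build lures with per-recipient tracking
tokens, then attribute landing-page hits in a web log back to recipients.

Added example for this post; not the DarkReading article's tooling and not
Constant Contact or HubSpot. Hypothetical assumptions: the landing page is
https://training.example.com/landing, the web server writes Apache
combined-format logs, and the recipient list and log below are constructed.
"""
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

LANDING_URL = "https://training.example.com/landing"          # hypothetical
CAMPAIGN_KEY = b"constructed-demo-key-rotate-per-campaign"    # constructed secret

# Constructed recipient list: address -> department
RECIPIENTS = {
    "alice@example.com": "finance",
    "bob@example.com": "finance",
    "carol@example.com": "engineering",
}


def make_token(campaign_key: bytes, recipient: str) -> str:
    """Per-recipient token = HMAC-SHA256(key, address), truncated to 32 hex
    chars. A click is attributable to exactly one person, and nobody who only
    sees the log or the URL format can forge a token for someone else."""
    mac = hmac.new(campaign_key, recipient.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def build_lure(campaign_key: bytes, recipient: str,
               sender: str = "it-helpdesk@example.com") -> EmailMessage:
    """Build the simulated phishing e-mail as a MIME message. Nothing is sent
    here; hand the message to smtplib or the mail tool you already use."""
    token = make_token(campaign_key, recipient)
    msg = EmailMessage()
    msg["From"] = f"IT Helpdesk <{sender}>"
    msg["To"] = recipient
    msg["Subject"] = "Action required: your password expires today"
    msg.set_content(
        "Your network password expires in 24 hours.\n"
        f"Reset it now: {LANDING_URL}?t={token}\n"
    )
    return msg


def attribute_clicks(campaign_key: bytes, recipients, log_lines) -> set:
    """Walk combined-format log lines and return the set of recipients whose
    token appeared in a GET for the landing page. Unknown or forged tokens
    and unrelated requests are ignored."""
    index = {make_token(campaign_key, r): r for r in recipients}
    landing_path = urlparse(LANDING_URL).path
    clicked = set()
    for line in log_lines:
        parts = line.split()
        # combined format: host - user [date tz] "METHOD path proto" status bytes ...
        if len(parts) < 8 or parts[5] != '"GET':
            continue
        url = urlparse(parts[6])
        if url.path != landing_path:
            continue
        token = parse_qs(url.query).get("t", [""])[0]
        if token in index:
            clicked.add(index[token])
    return clicked


def click_rate_by_department(recipients, clicked) -> dict:
    """Fraction of recipients per department who clicked."""
    totals, hits = {}, {}
    for addr, dept in recipients.items():
        totals[dept] = totals.get(dept, 0) + 1
        if addr in clicked:
            hits[dept] = hits.get(dept, 0) + 1
    return {dept: hits.get(dept, 0) / totals[dept] for dept in totals}


# Constructed sample log: alice clicked, one forged token, one unrelated hit.
_ALICE_TOKEN = make_token(CAMPAIGN_KEY, "alice@example.com")
SAMPLE_LOG = [
    f'10.0.0.5 - - [22/May/2012:09:14:02 +0000] "GET /landing?t={_ALICE_TOKEN} '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [22/May/2012:09:20:41 +0000] "GET /landing?t=0000deadbeef0000deadbeef0000dead '
    'HTTP/1.1" 200 512 "-" "curl/7.2"',
    '10.0.0.7 - - [22/May/2012:09:21:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def run_demo() -> dict:
    """Build lures for everyone, then score the constructed log."""
    lures = {r: build_lure(CAMPAIGN_KEY, r) for r in RECIPIENTS}
    clicked = attribute_clicks(CAMPAIGN_KEY, RECIPIENTS, SAMPLE_LOG)
    return {
        "lures_built": len(lures),
        "clicked": sorted(clicked),
        "rates": click_rate_by_department(RECIPIENTS, clicked),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth keeping when you adapt this: the token is keyed, so a curious employee who forwards the lure or pokes at the URL cannot attribute a click to a colleague, and the forged-token line in the sample log is dropped for the same reason; and the score is kept per department rather than per person, which is what you need to compare with spend and culture across teams without turning the exercise into a blame list.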
