This is possibly the most counter-intuitive article title I have used. Thank you for clicking on it anyway.
What persuaded you to click was most likely some form of social proof: it was on the Infosecurity website, or it was tweeted from an editor’s Twitter account. It means that you do really want to know who falls for scams and I will do my best to compress many years of learning into around 800 words.
Stupid People
There is no shying away from the fact that some scams and phishing items are constructed specifically to filter out people that may be resistant to the next step in a scam. Email messages with typos, websites that are not built quite right – these are not always unintentional. Sometimes they are an effective way of ensuring that only the most susceptible potential victims progress to the next stage.
Desperate or Vulnerable People
We are living through a time when the term unprecedented is used several times in almost every communication. In ISACA’s COVID-19 study, nine in 10 respondents expected threat actors to increase cyber-attacks during this period. There is no easier set of environmental conditions for any criminal to operate in than when traditional conventions have to be set aside and survival relies upon people taking leaps of faith.
You want large stocks of face masks? Bottles of hand sanitizer? Cheap (or free) remote working tools? How about some free money from your government or some allegedly benevolent billionaire? Each of these items has legitimate sources and the criminals are out there infiltrating or faking their way into those supply chains.
Executives
Most people could build a plausible argument that many executives might already fit into one (or both) of the first two categories – but there is no denying that the people with decision-making power are usually the most lucrative targets.
Hopefully your senior managers are not stupid – but psychological factors such as the Dunning-Kruger effect suggest that the people most likely to be taken-in by scams are the ones filled with the highest-levels of self-assurance that they are too wise to fall for them. To some extent, we all think we are better at detecting scams than we really are.
Everyone Else
The hardest truth is that no matter how good any of us are at detecting and defeating scams, there is always a way through. The trick (from the scammers’ perspective) is to make the scam at least as convincing (if not more so) than the legitimate actions or transactions we make every day.
Social proof, infiltration into a legitimate supplier, takeover of a valid account and even the acquisition of deep, personal information are just some of the tools that can be used to take even the most robust security-savvy experts in. I know. It has happened to me – and the way it happened used a route that was even more convincing than most of my everyday transactions.
What did it cost me? One computer rebuild. A comparatively small price to pay, thanks to the security measures I had in place. (In this instance, it was segmentation of the work domain and effective backup and recovery that saved the day).
Defeating Scams
The good news is that scams and scammers can be relatively easily defeated. We have a range of tools at our disposal. Training, security technologies and processes: In these unsettling times, remember that these items are your best assets against cyber-criminals.
Training
Make sure your staff and suppliers know how to easily detect scams:
- Offers that are too good to be true almost certainly are too good to be true.
- An unexpected situation with seemingly dire consequences and time pressure will in over 99% of cases turn out to be a scam.
- If a situation creates any doubt in your mind about its authenticity, just stop and investigate – or better still, report it to the security team.
Security technologies
If your organization has effective firewalls, anti-malware, up-to-date software, securely configured devices and applications, regular (secure) back-ups of data, data-loss prevention and other technical security measures in place, the risk of scams operating is greatly reduced.
Processes
However, there is always one exploitable vulnerability that is targeted more than any other: the person who has the power or control to carry out substantial actions. It might be the power to make a bank transfer or to grant administrative access.
There is one rule when it comes to any and all privileged access inside any organization: ensure that any big action requires a minimum of two people to action it. Separation of privileges or segregation of duties is not about mistrusting a person. It is about adding a layer of security to actions or transactions that could have significant consequences.
Can I defeat every scam? No. Not at first, anyway. Many of the scams I get to see are so good they look more convincing than things that are not scams.
However, what we can all do is to help ensure that the probability of a scam being successful is minimized and that the few scams that find some way in can never get quite as far as they hoped to.
Because, when it comes down to it, there is nothing more disappointing to a scammer than expending a huge amount of effort and getting no return at all.