How over-eager new employees are being duped

Scammers use social engineering to target newly hired employees.

The first few days at a new workplace are usually full of team meetings, training, induction sessions and so on, and the new employee goes through them with only a limited understanding of what exactly is going on. At the same time, there are certain "rituals" that people perform in their first days after being hired, one of the best known being a social media post (usually, but not exclusively, on LinkedIn) about starting a new job. Often the companies themselves announce there how happy they are to welcome a new member to the team. And this is the moment when the new employee attracts the attention of fraudsters.


Typically, these posts give the names of both the employee and the company, as well as the job title. That is usually enough to identify the new hire's manager (via the same social network or the company website). Knowing the names, a fraudster can find or guess the email addresses. First, there are many email lookup tools that help with this. Second, many companies simply build email usernames from the employee's first name, or first and last name, so all the scammer needs to do is work out which convention the company uses. Once the right address is found, the social engineering begins.

First task: Transfer money to scammers

In the first days at a new job, the employee is probably not yet well informed, but wants to appear competent in the eyes of colleagues and superiors. This can reduce vigilance: every task is rushed through without stopping to think about where it came from, whether it sounds reasonable, or whether it is even part of the job. Someone wants it done, so it gets done. This is especially true if the request comes from the immediate supervisor or one of the company's founders.

Fraudsters take advantage of this. They send an email purporting to come from the supervisor or someone higher up (but from a non-corporate address) asking the employee to perform a task "immediately". Eager to make a good first impression, the new employee is of course willing to do it. The task might be, for example, transferring funds to a "sponsor" or buying a gift certificate of a certain value. The message makes it clear that "speed is of the essence" and that the money "will be returned to you by the end of the day" (of course!). Scammers stress urgency precisely so that the employee has no time to think or to check the request with a co-worker.

The manager has an air of authority and the employee wants to be helpful, so nobody stops to question the logic of the request or why this particular person was chosen to carry it out. The victim transfers the money to the specified account without hesitation and reports back to the "supervisor" at the same email address, still not noticing that the domain name looks suspicious.

The scammer keeps playing the big boss: he asks for documents confirming the transaction and, after receiving them, praises the employee and says he will forward them to the person responsible for the payment (which adds a sense of legitimacy). To round off the impression of a normal workplace interaction, the attackers add that they will be in touch if anything more is needed.

Only after some time does the employee start to wonder why he was given this task, notice the non-company email address, or mention the incident in a conversation with his real supervisor. Then the sad truth comes out: it was a scam.

Aggravating circumstances

Like other work-related scams, this one has benefited from the mass shift to remote work. Even small companies now hire from around the world, which means a new employee may never have seen or heard the boss, and may have no way to quickly check with a colleague whether a task is something someone at their level would normally be asked to do.

In addition, if the supervisor and most other employees work in different countries, a request to transfer money to someone in the new hire's own country can seem perfectly reasonable: domestic transfers are usually easier and faster than international ones, which lends the fraudulent request a veneer of normality.

Finally, smaller companies, which appear to be common targets, tend to have less formal money-handling processes, with no forms to fill in and no financial controllers: "Just send it now, put it on your expenses, and you'll get it back shortly." This is another factor that makes the fraudulent email look legitimate.

How employees can avoid the trap

The most important thing for a new employee is not to lose their head in the effort to be useful to the company.

  • Examine carefully the addresses that messages arrive from, whether by email or in a messaging app. If the sender seems unfamiliar, raise your guard.
  • Feel free to ask a colleague whether such a request is standard practice. If something seems odd, it is better to ask now than to regret it later.
  • If you receive an unusual request that appears to come from inside the company, confirm the details with the sender through a different channel. Asked by your boss via email to buy gift certificates? Check with him through a messaging app, or simply call.

How companies can protect their employees

The most important thing an employer can do is configure the company's mail system properly, so that it flags messages from non-corporate addresses. Google Workspace, for example, is popular with companies partly because it labels such messages "External" by default, and when you try to reply to one it warns: "Be careful sharing sensitive information." These notices genuinely help employees tell whether they are talking to a colleague or to an outsider.
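The "External" label above catches the most basic form of the scheme: a boss's name on a message from a public mail provider. The pattern described earlier, where the address carries a suspicious lookalike domain and the display name matches a real executive, is worth checking explicitly. The script below is an added example, not code from the original article or from any mail provider: it parses an inbound message, compares the sender's display name against a constructed internal directory, checks the sender domain and any Reply-To against the assumed corporate domain example.com (including near-miss spellings), and looks for the urgency and payment wording the article quotes. The two messages at the bottom are constructed for the demonstration.

```python
"""Flag inbound mail that looks like a "boss needs you to pay something now" pretext.

Added example. Corporate domain, directory entries and both sample messages are
constructed for this demonstration; none of them is real.
"""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAINS = {"example.com"}          # assumed corporate domain
DIRECTORY = {                                # constructed internal directory
    "ana rivera": "ana.rivera@example.com",  # constructed: a company founder
    "ben okafor": "ben.okafor@example.com",  # constructed: the new hire's manager
}
# Wording typical of the pretext the article describes.
PRESSURE_TERMS = ("immediately", "urgent", "asap", "gift card", "gift certificate",
                  "wire transfer", "transfer the money", "by the end of the day")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True for an external domain within two edits of a corporate one, or one that
    embeds the corporate name as a label (e.g. example.finance-portal.net)."""
    for corp in CORPORATE_DOMAINS:
        if domain == corp:
            return False
        if edit_distance(domain, corp) <= 2:
            return True
        corp_name = corp.split(".")[0]
        if corp_name in domain.replace("-", ".").split("."):
            return True
    return False


def analyze(raw_message: str) -> dict:
    """Return {"flag": bool, "reasons": [...]} for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    reasons = []

    external = sender_domain not in CORPORATE_DOMAINS
    if external:
        reasons.append(f"external sender domain {sender_domain}")
        if is_lookalike(sender_domain):
            reasons.append(f"{sender_domain} looks like a corporate domain")
    # Display name of a known colleague on an address that is not theirs.
    known = DIRECTORY.get(name.strip().lower())
    if known and known != addr.lower():
        reasons.append(f'display name "{name}" belongs to {known}, not {addr}')
    # Replies silently redirected to a third address.
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To goes to {reply_to}")
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in PRESSURE_TERMS if t in text]
    if hits:
        reasons.append("pressure/payment wording: " + ", ".join(hits))

    # Flag only external mail that also impersonates, redirects replies, or leans
    # on the pretext wording; internal mail gets its reasons listed but no flag.
    impersonation = any(("belongs to" in r) or ("looks like" in r) or ("Reply-To" in r)
                        for r in reasons)
    return {"flag": external and (impersonation or len(hits) >= 2), "reasons": reasons}


# Constructed sample: the scam described in the article.
SCAM = """\
From: Ana Rivera <ana.rivera@examp1e.com>
Reply-To: ceo.ana.rivera@gmail.com
To: new.hire@example.com
Subject: Quick task - need this done immediately

Hi, welcome aboard! I am in a meeting and need you to buy a gift card
for a client today. Speed is of the essence; the money will be returned
to you by the end of the day. Send me the code as soon as you have it.
"""

# Constructed sample: an ordinary internal onboarding mail.
LEGIT = """\
From: Ben Okafor <ben.okafor@example.com>
To: new.hire@example.com
Subject: Onboarding checklist

Welcome! Please finish the security training in the portal this week
and ping me if anything is unclear.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, analyze(raw))
```

The directory comparison is the piece a plain "External" banner does not give you: the banner tells the new hire the mail came from outside, while the name check tells them that the outside address is borrowing a colleague's name. In a real deployment the directory would come from the identity provider and the verdict would feed a mail filter or SIEM rule rather than a print statement.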

In addition, we recommend the following:

  • Hold an information security training session for employees on their very first day. It should introduce the concept of phishing (in case it is new to them) and explain which practices are used in the company and which definitely are not.
  • Write an information security guide for new employees with the key rules and precautions against the main threats. See this post for details on what to include.
  • Hold regular security awareness training for all employees.

Written by newsbot