Phishing attempts are more successful when targets are caught off balance — when their Spidey sense is interrupted, disengaged, or not fully developed. Any time you find yourself in a new situation, your chance of falling for an online scam increases because you just don’t yet know what the norms of that environment are.
For example, phishing scams that target homebuyers have been a problem in real estate for many years. Targets are in the middle of a complicated and stressful process that requires them to navigate paperwork from several unfamiliar sources. When they get an email giving them new instructions for transfer of funds, they’re likely to think of it as part of the ordeal rather than recognize it for the scam it is.
Or if you try selling something on Craigslist or Etsy for the first time, you will probably quickly be presented with a lot of very promising opportunities to make money — opportunities that a veteran on those platforms would immediately recognize as scams. But since you don’t yet know the conventions of those communities, you’ll be much more susceptible to making mistakes.
Congratulations on your new job!
Along the same lines, we often see people receive targeted phishing attempts during their first week or even their very first day at a new job. An email that asks the new hire to log in to a new online service, or an email that appears to be from the boss asking them to purchase gift cards, would look suspicious to a company veteran, but someone just starting a new job won’t see the warning signs.
A new employee is not yet settled into an organization’s rhythms, standards, practices, or chain of command. They may have a number of new services to sign in to — so what’s one more? They might not yet know whether their CEO sometimes sends emails from their personal email account, and they are ready to accommodate requests in order to make a good first impression.
That’s why it’s important for cybersecurity training to be part of a new employee’s initial onboarding. And if you’re a supervisor responsible for that onboarding, make sure to give your new employee permission to ask as many questions as they need!
How did they know?
More than once, a client has alerted us that their systems must have been hacked — how else would a scammer know that someone started a new job today?!
As with most scams, it’s not that complicated. There’s a good chance the new hire posted to LinkedIn about their new job. We forget that social media is not a private conversation between friends. LinkedIn is constantly used by headhunters and marketers to find an audience for their services. Scammers are no different — they can scrape LinkedIn for “First day!” posts, find out a little bit about that company to make a good guess at the person’s new email address and who their supervisor is, and start the scam.
Macktez Cybersecurity Awareness Management
Macktez can help set up your organization with engaging cybersecurity training material and simulated phishing campaigns for ongoing threat awareness. By educating employees on the importance of cyber hygiene, the latest threats, and how to respond to incidents, cybersecurity training is a key component in building a secure work environment.