Wendy Tran discovered this year that hackers had filed fraudulent tax returns on her behalf, hoping to pocket a refund.
Her tax data and that of her colleagues at Seagate, the California-based hard drive maker, had been sent to cyber criminals by an HR employee. The HR member of staff, seeing an email request that purported to be from someone authorised to view the data, attached the US W-2 tax forms and sent them off by email.
The device maker’s chief financial officer wrote to workers: “This mistake was caused by human error and lack of vigilance, and could have been prevented.”
Ms Tran and a number of other colleagues have filed a lawsuit which details their case against Seagate. The company did not respond to a request for comment.
Seagate is one of a growing number of organisations where hackers have launched so-called phishing attacks that trick staff with fake emails, with results that include loss of sensitive data, locking down of computers with malicious software that demands a ransom and even the transfer of funds to criminals’ bank accounts.
Many boards are allocating extra funds for cyber security technology but experts warn that humans are the weak point when protecting companies from attack.
Rod Rasmussen, vice-president of cyber security at Infoblox, a US network security company, says there has been a rise in these kinds of attacks — particularly against smaller businesses — because the hackers find that they work.
“Phishing is an online manifestation of an age-old problem. Confidence schemes and other kinds of fraud have been around for centuries — like the Spanish Prisoner,” Mr Rasmussen says. He is referring to a 16th century trick to persuade people to send funds, in the hope of a reward, to have a wealthy person released from jail.
“With the internet, instead of having to case the victim directly, to physically research them and then send the request by post, you can now literally blast out emails to millions of potential victims,” says Mr Rasmussen.
Hackers understand human psychology and play on greed, fear and curiosity. They usually use a company’s own website, or recruitment sites such as LinkedIn or Glassdoor, to discover who a target’s manager is and send them an email pretending to be from that person.
“It can be something like ‘we’ve seen there’s this upcoming conference you might want to check out,’ ‘this invoice doesn’t look right, can you take a look?’ or ‘can you see what’s going on with this bill?’” says Mr Rasmussen, who is a member of the Anti-Phishing Working Group, an industry trade group.
The recipient clicks on a link or downloads an attachment and their computer is infected. If the tricksters fool a privileged user, such as an account administrator, they can suddenly speed around the network. Or they may target an accountant with a request that is apparently from a harried chief executive with no time to speak. Eager to please a boss, the employee sends money to an account they think belongs to a supplier.
Phishing is the first entry point into a network for many serious cyber attacks, with one in 10 leading to a data breach, according to Verizon’s latest annual report on such break-ins. The median time for recipients to open an attachment is less than five minutes after it is sent, says the report.
There are other ways, known as “social engineering”, that hackers play on human weakness to gain access to networks. Karl Sigler, threat intelligence manager at cyber security specialist Trustwave, says many people are tempted out of curiosity to plug in USB sticks left lying around in the workplace or even devices that appear to have been sent as presents. “Social engineering is basically when criminals are using psychological tricks to force behaviour on another human being,” he says.
Trustwave’s penetration testers, who act like hackers to show companies where their vulnerabilities lie, shipped modified keyboards to employees in an organisation, pretending they were rewards. “They are these huge, really decked out keyboards, all back lit, they stand out,” he says. Five computers were compromised by three keyboards, suggesting one or two people were “stealing” them from their colleagues, he says, implying that envy or greed as well as pride were at play.
Stu Sjouwerman founded a company, KnowBe4, that trains employees to be more wary of potential cyber crime. One test is to send fake phishing emails to an entire workforce to see how many fall for them. Employees then take an online course to learn what to watch out for, knowing they will be tested with spoof emails in the future.
“The old style security awareness training where once a year you herd everyone in the break room and keep them awake with caffeine and sugar through death by PowerPoint doesn’t hack it any more,” he says. “Employees need to be trained within an inch of their lives to truly look again before they click.”