Social Engineering Attacks on New Employees

Opportunistic cybercriminals increasingly opt for psychological manipulation over technical hacks to gain entry points into networks. Many personnel – employees, business partners, vendors and contractors – potentially have access to IT resources and are worth targeting with social engineering attacks.

Among the many possible targets, new hires are particularly vulnerable to being duped by a convincing email, phone call or text message. Read on to learn more about the problem of social engineering attacks on new employees and what to do about it.

Why Are New Hires More Susceptible to Social Engineering?

Social engineering attacks are more targeted than ever. Here are some reasons that social engineering attacks on new employees might be more likely to succeed.

The Information Treasure Trove of Job Posts and Social Networking

Each day, thousands of advertisements about new positions with various companies appear on websites like Indeed and Monster. These job postings provide a veritable social engineering database to threat actors about which companies are hiring and for what job positions. In some cases, the job post even mentions by name who the new employee will work directly under.

It’s not a stretch to find out exactly who lands these new positions with companies, and this simplicity is partly due to the fact that people are willing to share good news. On LinkedIn especially, new hires often tag their new employer and describe their elation at landing a new job. Or, in many cases, the company takes the time to write a LinkedIn post welcoming the new employee.

By watching out for company mentions or posts, threat actors don’t exactly need world-class detective skills to piece the facts together and determine who has landed what job and who their manager is. This information already provides a solid baseline to craft a convincing email masquerading as the boss or other colleague of the new employee. The more authoritative the apparent source of a social engineering attack, the more the victim is likely to get tricked.

Not Aligned Yet with Company Policies

It’s not just the ability to study websites and create easy target profiles that makes social engineering attacks on new employees more likely to succeed. Another factor is that new hires typically aren’t yet familiar with their employer’s policies and processes within days of landing a new job.

This knowledge lag during onboarding can last several days as new hires learn how things are done at their new employer and how to use its various technology solutions. Unfamiliarity here can lead to confusion about who approves electronic transfers or invoices, or how to sign into applications securely with multifactor authentication. Malicious actors are more than happy to exploit any such confusion.

For new hires who have never received any level of cybersecurity awareness training, this knowledge lag becomes even more problematic. Unfamiliarity with the various social engineering techniques that threat actors deploy further increases their susceptibility to clicking a link or visiting a malicious URL without thinking twice about the authenticity of the source.

Eagerness to Impress

Another psychological element at play is that new hires are eager to impress in their new roles and demonstrate their capabilities. Unfortunately, this eagerness to impress can create a security weak link for new employees because red flags in emails from superiors get ignored in favor of doing what is asked promptly. Often, social engineering attacks on new employees use a pretext based on urgency.

Expert cybercriminals prey on this urgency to increase the probability of achieving their aims. New hires are likely to respond to emails and complete tasks (e.g., downloading an attachment, sharing a password with the IT helpdesk or visiting a link) without noticing the subtle details of the email that might usually raise suspicions.

One frequently encountered subtle detail is a slightly misspelled company domain name from a spoofed domain. Other signs of phishing include generic greetings in emails and buttons containing hyperlinks to external unfamiliar domains.
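The three indicators just listed (a lookalike sender domain, a generic greeting, and buttons linking to unfamiliar external domains) can be screened for automatically on inbound mail. The following is an added example, not code from the original article; the company domain `example-corp.com`, the sample message and the edit-distance threshold of 2 are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # assumed company domain (constructed)
GENERIC_GREETINGS = ("dear customer", "dear user", "dear employee", "hello,")

def edit_distance(a, b):
    """Levenshtein distance; small values between two domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain):
    """True if the domain is near (but not equal to) a trusted domain; threshold 2 is an assumption."""
    return any(d != domain and edit_distance(d, domain) <= 2 for d in TRUSTED_DOMAINS)

def is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def phishing_indicators(raw_email):
    """Return a list of indicator strings found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    findings = []
    if lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain!r} resembles a trusted domain")
    first_line = body.strip().splitlines()[0].lower() if body.strip() else ""
    if first_line.startswith(GENERIC_GREETINGS):
        findings.append("generic greeting")
    for href in re.findall(r'href="([^"]+)"', body, flags=re.I):  # links behind buttons
        host = (urlparse(href).hostname or "").lower()
        if host and not is_trusted_host(host):
            findings.append(f"link to external domain {host!r}")
    return findings

# Constructed sample: misspelled domain ("rn" for "m"), generic greeting, external link.
SAMPLE = """From: Sarah Finance <sarah@exarnple-corp.com>
To: newhire@example-corp.com
Subject: Urgent vendor payment
Content-Type: text/html

Dear employee,
Please approve before I board. <a href="https://pay-portal-login.example.net/x">Approve now</a>
"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

A result with no findings is not proof a message is legitimate; this is a first-pass screen that surfaces exactly the cues a new hire is least likely to notice.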

Fear of Consequences

A final point to consider here is the fear of negative consequences. It’s not just a desire to impress that makes new hires easy targets for social engineering. Part of the psychological manipulation involved is a fear of what happens if a new hire opts not to perform a task or fulfill a request immediately.

Without knowing much about the roles and personalities of different colleagues, it’s easy to get duped by Sarah in Finance’s urgent email about paying a vendor because she’s currently boarding a plane for a business trip. The fear of not paying and causing the company to lose its long-standing partnership with a now disgruntled vendor can be enough on its own to make social engineering attacks work.

Protecting New Hires from Social Engineering

With one survey reporting that 60 percent of IT professionals cited new hires as being high-risk targets for social engineering, here are some ways to reduce the risks.

  • Build a cybersecurity culture—integrating cybersecurity into your company’s culture means ensuring that security is so central to the company’s mission and ethos that it’s always top of mind. Instead of relegating security to the realm of an annoying box to tick, companies with a strong culture communicate this to new employees who quickly adapt to the required attitudes, assumptions and norms around security.
  • Curtail information sharing—exercising caution about what information ends up online is another helpful way to mitigate these attacks. Start by altering the company policy so that you don’t post on LinkedIn when welcoming new people to their jobs. In a similar vein, it’s worth urging new employees not to share too much information about their new role online, and at the very least, limit any posts to people they both know and trust.
  • Social engineering training as early as possible—given the risks involved, there’s a strong argument to include social engineering training for new hires as a central element of the normal onboarding process. Familiarity with phishing, smishing and other social engineering techniques from the outset makes a big difference. Also, ensure cybersecurity training and awareness are ongoing rather than an annual session after which many people quickly forget what they’ve learned.