Gone are the days when cybercriminals relied on those Nigerian Prince email scams to try to con victims into handing over their hard-earned cash. Cybercrime is now big business and the methods that attackers use to trick their victims are now more sophisticated than ever and even security conscious individuals could be ensnared. Yet, people are still made to feel embarrassed when they do fall for malware scams. This is making the problem worse, according to Symantec security expert Nick Savvides.
Organised cybercrime is what the world has to deal with now, and hackers are even selling their illegal services professionally, offering a great customer experience and quality assurance. Cybercriminals have evolved over the years and have continuously gained experience, making ever more convincing scams to trap victims, such as malware or ransomware email campaigns.
These kinds of scams used to be easy to spot, usually in the form of crudely constructed emails with bad grammar and strange language trying to convince recipients to transfer money somewhere or to download a file that contains malware. Nowadays, you’ll find attackers using email templates that imitate legitimate companies so well that it’s difficult to tell that they’re fake.
“The quality of attacks that are conducted have significantly improved,” Savvides told Lifehacker Australia. “There are now high-quality phishing emails to trick users into running malware on their devices. Attack vectors have also changed and we’re seeing legitimate websites being compromised to drop cryptomalware on people’s devices.
“Even users who aren’t silly and don’t open fishy emails – even those users can fall victim to this type of attack.”
Yet, Savvides said there is still a culture of shame around people who do get hit by these computer scams. Australia is a popular target for cybercriminals, and one of the biggest problems he sees locally is that victims don’t want to report that they fell for a phishing campaign or any other attack.
“The careless do fall victim to these things, but so do people who are normally cautious; it’s to do with human nature, not how smart you are or what station in life you are in,” Savvides said. “This is about the bad guys exploiting human nature. They are more sophisticated and some even have toolkits to profile users quickly to send in-context emails with malware.
“People who are victims shouldn’t feel embarrassed.”
I certainly can relate to what he said. A few weeks back I had a ransomware scare on my work PC, and I’m very careful about what emails I open and websites I visit. ‘How could I be so stupid to let this happen? Where did I fuck up?’ I thought to myself. It turned out to be a false alarm, but I remember the feeling of wanting to bury my face in my hands out of shame.
Companies are becoming more security conscious and doing the right thing in training their staff to be savvier about phishing and malware email campaigns. While Savvides praised their efforts, he noted that these companies often train staff to be more careful by sending fake phishing emails to see who takes the bait.
“Some of these campaigns work by shaming the users and that makes the problem worse,” he said. “Victims should not be ashamed to own up to falling for these attacks, in their personal and work life.
“That’s a real problem we are facing today.”
Comments
5 responses to “Why We Shouldn’t Make Malware Victims Feel Ashamed”
The problem in my workplace is the number of automatically generated emails from various internal systems that look dodgier than the external phishing emails. It’s really hard to train staff to discern good from bad when the employer is not leading by example. Services outsourced to other agencies compound the problem as they contact colleagues with external URLs linked to internal IDs.
I don’t know, if they are repeatedly getting scammed it might suggest they need to be shamed into getting with the effin’ program. It’s not unheard of for companies or individuals who have had security issues to temporarily up their game only to fall back into bad habits down the line and get owned again.
“Gone are the days of the Nigerian prince scam…”
I wish this was the case – https://www.scamwatch.gov.au/news/australians-lose-45-million-to-scams-in-2015
It all comes down to how organisations tackle user awareness. Until we incentivise the non-opening of these emails (i.e. how do you encourage people to want to “beat” others at this “game”?) the old HR models will still play a major role.
Can we start treating security as a safety issue? Would people become more aware like they are of other hazards? At the end of the day, new solutions are needed to this problem.
Also not helped that emails from legitimate organisations and companies still contain links.
PayPal are especially bad at this. Laughably, they even include a footer to the effect of “If you’re worried this is a phish/scam, just click this link ….”
PayPal also send out instructions referring to deprecated UI so you may be forgiven for thinking that you’ve hit a fake site.