Employees: Security Helpers or Not?


It’s not new news that the pandemic ushered in a surge of online crime. The Federal Trade Commission (FTC) recently released 2020 data on identity theft and the numbers are alarming – 1.4 million cases reported – just about double the number in 2019.


As remote work and the shift to online platforms for everyday activities continue to be the norm, there is no end in sight for the cyber-crime wave that began in 2020. Given this climate, a recent Harris Poll of U.S. workers revealed some interesting attitudes about online security. The good news is that almost 80 percent of the respondents said they take some personal responsibility for their company’s overall security, but 70 percent also think it is their company’s responsibility to make sure their work accounts are safe from hackers. Mid-management respondents were more concerned about their personal accounts than about business applications. Can we engage employees to be a better front-line defense against cyber-crime?


When committing online crime, perpetrators often rely on a few key tactics. Criminals using social engineering thrive in a climate of heightened anxiety and urgency, because people don’t question things the way they normally do. The pandemic has served scammers well in this regard. There has been a surge of pretexting, where a perpetrator impersonates an authoritative source or concocts a scenario with the goal of convincing the victim to do something. For example, a fraudster may impersonate an HR executive in an email asking an employee for personal information in order to schedule a COVID vaccine; or someone calls an employee pretending to be IT support working on a password security initiative and asks them to confirm their corporate network access credentials. Social engineering schemes have been around since the beginning of crime, but the pandemic has opened the door to many new avenues for exploitation.


Another cyber-crime tactic that is trending is synthetic identity fraud, in which criminals blend real data with fake data to create a synthetic identity, often used to apply for loans or credit cards. Legitimate data such as full name, email and home address is combined with a fake social security number, making the composite significantly more challenging to prove false. The use of AI-generated faces is an emerging concern in synthetic identity fraud.


Related to identity theft are account takeovers (ATOs), which have become a key attack vector of concern. Many fraudsters focus on stealing payment information and rewards points stored in e-commerce accounts. It was reported that in 2020, ATOs were up a staggering 72 percent over 2019 (this number does not include corporate accounts). And there has been much written about the avalanche of phishing attacks last year, which shows no sign of abatement.


Between social engineering, synthetic identities, ATOs and phishing, it is no wonder that the FTC reported $3.3 billion in total fraud losses last year. That’s billion with a “B”, and that figure does not cover unreported corporate losses. While last year’s online crime wave was initially driven by thieves targeting government-issued unemployment and pandemic relief funds, employees and the companies they work for must stay vigilant, which circles back to the Harris Poll. Almost 65 percent of the workers surveyed believe that good cyber-security hygiene is important. But what does that require? Start with two key things.


Manage Passwords

Almost half of the Harris Poll respondents say they rely on memory to manage their passwords. This is music to hackers’ ears. Weak passwords are low-hanging fruit for access to all kinds of data, both business and personal. Progressive companies offer employees a personal password vault as part of their enterprise password manager, and they require employees to use multi-factor authentication across devices.


Train and Test on Social Engineering and Phishing

Nothing replaces ongoing training for raising security awareness and winning the voluntary compliance and employee buy-in needed to practice good cyber-security hygiene. Training doesn’t have to be dry either; games and pop quizzes engage employees and senior management alike. Advanced companies run mock phishing attempts on a routine basis to ensure everyone stays current on the latest scams. It takes continual training and testing to build the confidence to recognize a suspicious link, text or document.


As the cyber threat landscape continues to evolve, businesses and employees can work together to maintain good online hygiene, keep company information secure, and keep personal data out of the hands of hackers and fraudsters.


Insite can help. Click here to learn more about our Information Protection Program. We benchmark employee cyber-security awareness and have successfully trained employees to help reduce the attack surface related to social engineering, phishing and identity theft. This program builds a more resilient and secure organization and a more confident workforce.