
The pace of the workplace has accelerated in recent years, leaving many employees hurried and harried as they attempt to get through their ever-growing to-do list. To make matters worse, bosses can often add to the list with little to no warning, reaching out via text or email with an urgent impromptu assignment or request.
When faced with such an unexpected interruption, many employees will quickly address the boss’s needs so they can get back to focusing on their workload. What many employees don’t suspect is that the message is not from the boss, but from a scammer who knows a busy employee is an easy target.
“Cybercriminals know workdays are hectic for most employees, full of demands and priorities that keep them rushing back and forth like the White Rabbit in the classic tale of ‘Alice in Wonderland’,” says Vinícius Perallis, CEO of Hacker Rangers. “With all of the activity, staying alert for anything suspicious in the messages they receive is difficult. Knowing this, many cybercriminals take advantage of the situation and, through social engineering, pose as legitimate entities to gain unauthorized access to sensitive company data.”
Hacker Rangers makes cyber awareness fun and engaging for organizations worldwide by leveraging the power of gamification. Perallis, who has two decades of experience in IT and cybersecurity, leads the Hacker Rangers team as they develop and deploy innovative gamified training solutions that empower employees to adopt “cybersecure” habits and take a leading role in keeping their companies safe from cyber threats.
Social engineering scams sidestep network security
The type of scam Perallis is referring to is commonly known as “social engineering.” Rather than probing for vulnerabilities in the hardware or software a company uses to protect its network, social engineering targets an unsuspecting or careless employee, manipulating their emotions directly to obtain unauthorized access. Once access is obtained, attackers can steal data or inject malware or other malicious code into the network.
Social engineering has become extremely popular among cyber attackers in recent years. Experts say up to 90 percent of the attacks aimed at companies today involve social engineering.
Phishing, a highly common form of social engineering attack, uses messages that appear to come from legitimate sources to obtain passwords or other sensitive information. They generally convey a sense of urgency, hoping to inspire the recipient to act without thinking.
A phishing message might say, “I’m in a meeting and I’ve been locked out of the CRM platform. Can you please give me your username/password ASAP so I can answer the client’s questions?” In this way, it exploits and manipulates the recipient’s empathy to carry out the attack.
Phishing messages can also be designed to be threatening or intimidating, exploiting employees’ fear by making them feel they will be punished in some way if they don’t comply. Used in this way, they rely on emotional manipulation to cloud an employee’s judgment, which is the core of social engineering.
“A ‘malicious compliance’ scam is one example of a social engineering scam that seeks to cause employees to make costly errors,” Perallis shares. “These scams involve fraudsters impersonating authority figures within the company or regulatory agencies and pressuring employees into taking ‘necessary’ actions that actually result in confidential data or passwords being handed over to cyber criminals.”
Cybersecurity training helps employees identify scams
While defending against social engineering threats has become a priority for cybersecurity professionals, studies show that employees still struggle to avoid the scams. A 2024 study found that Gen Z workers felt especially vulnerable to these scams, with 69 percent saying they didn’t feel confident in their ability to identify a phishing attempt. Additionally, over 70 percent of Gen Z workers say they have opened an unfamiliar link that seemed suspicious while at work.
“These scams are hard to detect because cybercriminals exploit urgency and the victim’s trust,” Perallis explains. “Caught up in their desire to help, employees don’t realize the risk. Convinced by the pressure or apparent authority of the scammer, they hand over access and get on with their work. To reduce the risk of these types of scams, companies must train their teams to recognize warning signs and quickly take the steps necessary to prevent the scams from succeeding.”
The most effective training will start with helping employees to understand what social engineering attacks involve and why they are effective. It will also educate employees on the various forms attacks can take — from phishing to pretexting and piggybacking — as well as the common elements of these attacks. Finally, training should clearly communicate the steps employees should take when they suspect an attack is happening or the company has been breached by an attack.
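As an added illustration of the warning signs described above (not code from the article or from Hacker Rangers), the following Python script scores the pretext message quoted earlier, plus two constructed messages, against the cues the article names: urgency, a request for credentials, a threat of punishment, a claimed authority role, and a sender outside the company domain. The internal domain `example.com` and the sample senders are assumptions.

```python
import re

ORG_DOMAIN = "example.com"  # assumed internal mail domain (placeholder)

# Constructed samples: the first body is the pretext quoted in the article; the
# other two are assumed examples of a routine request and an intimidation pretext.
SAMPLE_MESSAGES = [
    {"display_name": "Dana Ortiz (CEO)", "sender": "dana.ortiz@mail-secure-login.example",
     "body": ("I'm in a meeting and I've been locked out of the CRM platform. Can you "
              "please give me your username/password ASAP so I can answer the client's questions?")},
    {"display_name": "Dana Ortiz", "sender": "dana.ortiz@example.com",
     "body": "Can you send me the Q3 slide deck when you get a chance? No rush."},
    {"display_name": "Compliance Office", "sender": "audit@regulator-notice.example",
     "body": ("Failure to verify your credentials within 1 hour will result in disciplinary "
              "action. Reply with your login immediately.")},
]

# Each warning sign from the article mapped to a simple pattern; keyword matching is
# a training aid for recognising the cues, not a substitute for mail filtering.
CUES = {
    "urgency": re.compile(r"\b(?:asap|immediately|urgent|right now|within \d+ (?:hour|minute)s?)\b", re.I),
    "credential request": re.compile(r"\b(?:username|password|login|credentials|mfa code)\b", re.I),
    "threat of punishment": re.compile(r"\b(?:disciplinary|suspended|terminated|legal action|penalt(?:y|ies))\b", re.I),
    "authority claim": re.compile(r"\b(?:ceo|cfo|director|compliance|regulator|audit)\b", re.I),
}


def warning_signs(msg):
    """Return the list of social-engineering cues present in one message."""
    text = msg["display_name"] + " " + msg["body"]
    signs = [name for name, pattern in CUES.items() if pattern.search(text)]
    # A message that claims to come from inside the company but is sent from an
    # outside domain is the classic sign of impersonation.
    if not msg["sender"].lower().endswith("@" + ORG_DOMAIN):
        signs.append("external sender")
    return signs


def triage(msg):
    """Decide whether the request should be verified out of band before acting.

    One cue alone (a real boss can be in a hurry) is not enough; a credential
    request, or two or more cues together, means stop and confirm by phone or
    in person using a number you already have, never by replying to the message."""
    signs = warning_signs(msg)
    verify = "credential request" in signs or len(signs) >= 2
    return {"signs": signs, "verify_out_of_band": verify}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["sender"], triage(msg))
```

The routine request from the real internal address produces no cues, while the quoted CRM pretext trips four of the five, which is the pattern employees are trained to pause on.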
Falling prey to a social engineering attack is very costly. Recent statistics suggest the average loss to companies that suffer an attack is $130,000. It is also very common, with 83 percent of companies reporting that they have been victims.
Statistics also show that the average company faces over 700 social engineering attacks annually, which means proper preparation is crucial. The best way to prepare is by providing engaging and effective training that empowers employees to understand and address the risk.