I recently wrote a post about the time I spent job shadowing in my employer's Information Security Department (ISD). One of the main objectives of the job shadow program is to allow ISD to introduce their communication, education, and outreach efforts to employees. This department works constantly to make employees aware of trending security threats, especially social engineering, and they have to do it in a way that gets the employees' attention. Creating a security-aware culture is critical because it takes just one employee, just one time, to cause a significant risk event. ISD has found that if they deliver messages in a fun way—such as an annual chili cook-off—more ears are open to hear them.

The Retail Payments Risk Forum follows social engineering trends closely since social engineering presents a major security risk and it directly affects payments. These attacks can easily open a gateway for criminals to access payment systems or any protected information system. Here's a quick review of social engineering: it relies on manipulating human behaviors through direct or indirect communication, and it does not necessarily involve technology. As computer security grows increasingly sophisticated, some criminals have found it can be easier to manipulate an individual than to game a machine. Some reports say that social engineering schemes have cost U.S. businesses nearly $3 billion since 2013. It's no wonder that social engineering is a growing concern.

A common social engineering attack is phishing, which is when the criminal uses an email that appears to be from a legitimate company to get people to respond with personal information such as account credentials. According to one company's report, phishing and pretexting in 2017 represented 98 percent of social incidents and 93 percent of breaches. (Pretexting often involves a scam whereby one individual lies to get personal information from another individual. A pretexter, for example, might pretend to be conducting a survey.) At 96 percent, email continues to be the most common vector. The good news is that 78 percent of people who were phished last year didn't open a single email, according to the same report.

But the bad news is that, on average, 4 percent of people in any given phishing campaign open an attachment or click a link—and it takes only one person to put a company or even an industry at risk. Does your overall strategy address that 4 percent and have a plan in place for their clicks? The report also found that the more phishing emails someone has clicked, the more they are likely to click in the future.

Psychological manipulation is a powerful tool to try to influence someone to divulge sensitive information. Since social engineer fraudsters need to reel in just one victim, we need to ensure that every single employee hears the message. Promoting security awareness scratches the surface in fighting social engineering, but it needs to be fun and creative constantly.

Look for one more post in this series describing my time in the job shadowing program in my employer's Information Security Department.

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed