"People looking for jobs are often willing to divulge [personal] information," says Hansen. One of his clients, he says, told him about a hacker who used a fake email address from a job-search Web site to pose as a recruiter. He declined to elaborate on this example to protect the client, but it's an example of what he calls the "confused deputy" scenario, where someone claiming to be, say, a recruiter for Monster.com contacts an employee, and the employee believes that the caller is, in fact, a Monster.com recruiter and doesn't ask to verify his credentials. Hansen says it's the same as getting an envelope in the mail -- just because the envelope has a certain return address, it doesn't mean that the contents actually came from that sender.
Companies should use email verification systems that confirm the identity of a sender. These systems send a message back to the claimed address, so only someone who actually controls that mailbox can complete the exchange; an impostor who merely wrote a convincing return address never sees the confirmation. Some states -- including Texas -- have made it illegal to impersonate someone by email.
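A reply-back check depends on the recipient taking that step; the message itself also carries evidence that can be examined automatically. The following is an added example, not code from the article or from Hansen: it parses a message, compares the claimed From: domain with the envelope sender (Return-Path) and with Reply-To, and looks for a passing SPF or DKIM result in the Authentication-Results header that the receiving mail server writes. The sample messages, domain names and host names are constructed.

```python
"""Flag inbound mail whose claimed sender is not backed by the envelope or by
an upstream SPF/DKIM check.  Added illustration for the recruiter-spoof
scenario; not code from the article or from Hansen.  Sample messages and
all domain names are constructed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr


def _domain(header_value: str) -> str:
    """Return the lowercase domain of the first address in a header, or ''."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def sender_findings(raw: bytes) -> list[str]:
    """Return reasons to distrust the claimed sender (empty list = none found).

    Checks, in order:
      1. From: domain vs Return-Path (envelope sender) domain.
      2. From: domain vs Reply-To domain, where Reply-To is present.
      3. Authentication-Results: written by the receiving MTA; trustworthy only
         if that MTA strips copies of this header arriving from outside.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = _domain(str(msg.get("From", "")))
    if not from_dom:
        return ["missing or unparsable From header"]
    rp_dom = _domain(str(msg.get("Return-Path", "")))
    reply_dom = _domain(str(msg.get("Reply-To", "")))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender {rp_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies go to {reply_dom}, not the claimed {from_dom}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("no passing SPF or DKIM result recorded for this message")
    return findings


# Constructed sample: a lookalike recruiter message.  From: claims a job-site
# address, but the envelope and Reply-To point elsewhere and the receiving
# server recorded no SPF/DKIM pass.
SPOOFED = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Recruiting Team" <recruiter@jobsite.example.com>
Reply-To: <careers-reply@jobsite-example.com>
To: employee@corp.example
Subject: Quick question about your current role

Can you confirm which VPN portal you use so we can match your skills?
"""

# Constructed sample: the same claimed sender, this time backed by the envelope
# and by passing authentication results.
LEGIT = b"""Return-Path: <recruiter@jobsite.example.com>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=jobsite.example.com; dkim=pass header.d=jobsite.example.com
From: "Recruiting Team" <recruiter@jobsite.example.com>
To: employee@corp.example
Subject: Interview scheduling

Could you send a few times that work next week?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, sender_findings(raw) or ["no findings"])
```

The envelope and Reply-To mismatches are hints rather than proof, since legitimate bulk senders routinely bounce to a different domain; the absence of any passing SPF or DKIM result is the stronger signal. None of this replaces the step Hansen describes: calling the claimed organization through a number you looked up yourself.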
5. Employees downloading illegal movies and music
P2P networks just won't go away. In a large company, it's not uncommon to find employees using peer-to-peer systems to download illegal wares or setting up their own servers to distribute software.
"P2P networking should, as per policy, be completely blocked in every enterprise," says Winn Schwartau, CEO of The Security Awareness Company, a security training firm. "The P2P ports should be completely shut down at all perimeters and ideally at the company's endpoints. P2P programs can be stopped through white/black listings and filters on the enterprise servers."
Schwartau tells the story of a financial services firm in New York that had a P2P port running all day, every day in its office. Eventually, it was discovered and found to be a porn file server. Schwartau says the unfortunate truth about what he calls "criminal hacking" is that the thieves are usually drawn to nefarious activities, so one of the first places they might look is a P2P server and any potential security holes.
"Injecting hostile code into P2P files is [not difficult] and can create a beachhead within an organization, depending upon the code design," he says. He suggests a technique called "resource isolation," which essentially controls which applications users are allowed to access based on permission rights. Different operating systems do that in slightly different ways, Schwartau says, but it's worth pursuing in situations where a corporate policy is lacking or isn't followed.
Schwartau encourages IT shops to conduct regular sweeps of all company networks and servers to look for P2P activity and to be vigilant about blocking any P2P activity.
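The sweeps Schwartau recommends are more reliable when they key on the protocol itself rather than on port numbers, because P2P clients randomize their ports. The following is an added example, not code from the article or from Schwartau: it scans captured flow records (as an IDS or pcap sweep would provide, with the first payload bytes) for the BitTorrent peer-wire handshake, which begins with the fixed bytes 0x13 "BitTorrent protocol", and separately counts hosts fanning out to many peers on the historical BitTorrent ports as a weaker hint. The record format, port list, fan-out threshold and sample flows are constructed.

```python
"""Sweep flow records for BitTorrent activity.  Added example for the
'regular sweeps for P2P activity' advice; not code from the article or from
Schwartau.  Record layout, port list, threshold and sample data are
constructed.

Two signals of different strength:
  * strong: the first payload bytes carry the peer-wire handshake preamble,
    a 0x13 length byte followed by the literal 'BitTorrent protocol'.  This is
    the protocol's own fixed opening and does not depend on port numbers.
  * weak: one internal host talks to many distinct peers on the ports
    historically used by trackers and peers.  Clients randomise ports, so a
    quiet legacy-port count proves nothing; a high one is only a hint.
"""
from collections import defaultdict

BT_HANDSHAKE = b"\x13BitTorrent protocol"
# Ports historically associated with BitTorrent; used only as a weak hint.
LEGACY_BT_PORTS = set(range(6881, 6890)) | {6969}
# Distinct remote peers on legacy ports before a host is called swarm-like
# (threshold chosen for the example, tune against your own baseline).
PEER_FANOUT_THRESHOLD = 5


def classify_flow(payload: bytes, dst_port: int) -> str:
    """Return 'handshake', 'legacy-port' or 'none' for a single flow."""
    if payload.startswith(BT_HANDSHAKE):
        return "handshake"
    if dst_port in LEGACY_BT_PORTS:
        return "legacy-port"
    return "none"


def sweep(flows):
    """Aggregate per internal source host: handshake count and distinct
    legacy-port peers.  Each flow is (src_ip, dst_ip, dst_port, payload)."""
    report = defaultdict(lambda: {"handshakes": 0, "legacy_peers": set()})
    for src, dst, port, payload in flows:
        kind = classify_flow(payload, port)
        if kind == "handshake":
            report[src]["handshakes"] += 1
        elif kind == "legacy-port":
            report[src]["legacy_peers"].add(dst)
    return report


def suspects(flows) -> dict:
    """Map each flagged host to 'confirmed' (handshake seen) or 'suspected'
    (swarm-like fan-out on legacy ports).  Hosts with neither are omitted."""
    out = {}
    for host, stats in sweep(flows).items():
        if stats["handshakes"]:
            out[host] = "confirmed"
        elif len(stats["legacy_peers"]) >= PEER_FANOUT_THRESHOLD:
            out[host] = "suspected"
    return out


# Constructed handshake: preamble, 8 reserved bytes, 20-byte info hash,
# 20-byte peer id (client identifier string padded to length).
HANDSHAKE_PAYLOAD = BT_HANDSHAKE + b"\x00" * 8 + b"A" * 20 + b"-qB4500-" + b"x" * 12

# Constructed flows: (src_ip, dst_ip, dst_port, first payload bytes)
FLOWS = [
    # handshake on a random high port: confirmed regardless of port
    ("10.0.0.5", "198.51.100.20", 51413, HANDSHAKE_PAYLOAD),
    # six distinct peers on legacy ports, payload not captured: suspected
    *[("10.0.0.7", f"203.0.113.{n}", 6881 + n, b"") for n in range(6)],
    # a single web request to 6881 is below the fan-out threshold: ignored
    ("10.0.0.9", "192.0.2.10", 6881, b"GET / HTTP/1.1\r\n"),
    # ordinary TLS traffic: ignored
    ("10.0.0.11", "192.0.2.44", 443, b"\x16\x03\x01\x02\x00\x01"),
]

if __name__ == "__main__":
    for host, verdict in sorted(suspects(FLOWS).items()):
        print(f"{host}: {verdict}")
```

The handshake match is the finding worth acting on; the fan-out count is there to prioritize which hosts to look at more closely, and a legitimate service listening on one of those ports will show up until you whitelist it. Encrypted or obfuscated P2P traffic will not match the preamble at all, which is one reason Schwartau pairs detection with blocking at the perimeter and on endpoints.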
6. SMS text messaging spoofs and malware infections
Another potential attack vector: text messaging on smartphones. Hackers can use SMS text messages to contact employees directly in attempts to get them to divulge sensitive information like network log-in credentials and business intelligence, but they can also use text messages to deliver links or attachments that install malware on a phone.