Stranger danger: Keys to avoiding scams & cyber missteps

Consistent training presented in a variety of formats creates an effective strategy for managing cyber risks.


While cyber insurers may have covered social engineering and fraudulent instruction claims in the past, the steady rise in losses has led some insurers to stop offering the coverage altogether. Others have quietly added language to their cyber policies making clear that insureds must prove (i.e., independently verify) requests for payment to outside parties.

Typically, this means the attack victim can’t rely on payment directives within an email alone but must also seek confirmation via an alternative form of communication to verify that the payment request is real.

Don’t trust and definitely verify

Though protecting against ransomware attacks continues to be the focus for most organizations, social engineering scams have led internet crime complaints for the past four years, according to the Federal Bureau of Investigation’s 2022 Annual Internet Crimes Report. And as cybercriminals become increasingly savvy, there is a heightened risk that an organization’s employees will fall victim to a social engineering scheme.

While a variety of social engineering attack methods exist, fraudulent instructions, typically a fabricated request to pay a vendor the employee’s organization already does business with, frequently ensnare employees.

For example, an unsuspecting employee receives an email from what appears to be a known vendor. The fraudulent email may contain the vendor’s actual logo and real contact information for a known employee, and will include instructions for payment. Often, the email looks so real that the harried employee doesn’t bother to question it and issues a payment, only to find out after the fact that they were duped.

Another popular scheme involves an employee receiving what appears to be an email from C-suite staff within the same company, requesting an urgent payment to an outside supplier. The urgency of the request, coupled with an employee who believes they are taking direction from upper-level management, means the usual safeguards are skipped, leading to a fraudulent payment.

Fraud prevention & awareness matter

It’s simply not enough to install network security software. Even with sophisticated technology to reduce attacks on organizations, a problem still exists if employees aren’t trained in the latest social engineering and email phishing scams.

The added pressure for organizations to show they approved the transaction through an alternative form of communication means they must stay ahead of the crooks. Organizations and their employees must accept that cybercriminals are out to trick them and, as a result, they need to develop skills to spot suspicious emails and red flags like typographical errors, unknown attachments and urgent requests for wire transfers.

A better way to address the issue, rather than singling out an employee’s potentially costly error, lies in reviewing the organization’s current security culture. Because these types of emails are harder to identify as fraudulent and as part of a social engineering cyberattack, it’s important for organizations to invest in security awareness training for their employees.

As cybercriminals become more sophisticated (even without help from generative AI like ChatGPT), so too do the emails they create. That’s why it’s vital to implement procedures to verify payments and purchase requests outside of email communications, by calling vendors directly or using a verified phone number obtained independently of the information provided within a suspicious email or text.

We’ve found that a comprehensive security awareness program enables our clients’ employees to identify scam emails by examining the sender’s email address for discrepancies, verifying the website address of the company requesting payment, and noting any misspellings or typographical errors within the URL domain name or within communications. This type of training will ensure employees think carefully before clicking on a link in an unsolicited email or text message.
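As an added example (not code from this article or from KnowBe4), the following Python script applies the sender-address checks described above mechanically: it strips the display name from a From: header, compares the sending domain against a constructed allow-list of vendor domains (an assumed accounts-payable list with made-up vendors), and flags homoglyph variants, one-character typos, a known vendor name under the wrong top-level domain, and the real name buried as a subdomain of another site. A "lookalike" result is a cue to verify the request out of band, not a verdict.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list of domains the organization actually pays (assumption: the
# accounts-payable team maintains such a list; these are made-up sample vendors).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "globexpayments.com"}

# Character swaps that let a lookalike domain pass a quick glance ("acrne" for "acme").
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(domain: str) -> str:
    """Lower-case a domain and undo common homoglyph swaps so variants compare equal."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def sender_domain(from_header: str) -> str:
    """Return the domain of the actual address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str) -> str:
    """Classify the sending domain as 'known', 'lookalike' or 'unknown'.

    'lookalike' covers the discrepancies employees are told to watch for: a homoglyph
    variant, a one-character typo or transposition, a known vendor name under another
    top-level domain, or the real name used as a subdomain of an unrelated site.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"  # malformed or empty address: cannot be verified
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known"
    folded = fold(domain)
    for known in KNOWN_VENDOR_DOMAINS:
        known_folded = fold(known)
        if folded == known_folded:
            return "lookalike"  # homoglyph variant of a real vendor domain
        if known_folded.split(".")[0] in folded.split("."):
            return "lookalike"  # real vendor name with another TLD or as a subdomain
        if SequenceMatcher(None, folded, known_folded).ratio() >= 0.9:
            return "lookalike"  # off by roughly one character (typo or transposition)
    return "unknown"
```

The display name is deliberately ignored: a header reading "Acme AP <ap@gmail.com>" is classified by the gmail.com address, which is the discrepancy the eye tends to miss.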

Whenever there is change within an organization, especially when employees suspect they are being tested, some resistance is to be expected. An effective workaround is to highlight the goal of training: to better protect employees from being duped by sophisticated cyber schemes (with potential fallout from identity theft). Placing an emphasis on the knowledge gained and the benefits to the organization and its employees, as well as how added cybersecurity awareness will benefit employees in their personal lives, will greatly assist in improving engagement.

Hands-on coaching, content, testing, metrics, assessments and frequency are all crucial elements of any well-rounded cybersecurity awareness training program.

Education that occurs just once a year, as required by some regulations, is almost the equivalent of never having any training, according to a customer survey we conducted. To keep up with newly developing social engineering and fraudulent instruction trends, the most effective training (in particular, simulated phishing attacks) is conducted monthly, or at the very least quarterly.

Because people learn in a variety of different ways, security awareness training shouldn’t be one-dimensional but should consider the role an individual plays, whether technical or physical, since that will largely determine how well the program succeeds.

Repetition is key to learning; however, we’ve found security training content should be offered in a variety of formats (including gamification) to maintain continued employee engagement.

As cyber policies evolve and insurers identify high-risk losses, equipping employees with the information and tools needed to protect themselves and their organization’s assets from loss should be the goal of every successful security awareness training program.

Stu Sjouwerman (stu.sjouwerman@knowbe4.com) is founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with over 56,000 customers and more than 45 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010.
