Tricking people into opening malicious messages, attachments and links is an effective way for social engineers to bypass many technical security controls. Phishing is a business enterprise, and a highly profitable and successful one, making this a growth industry.
Just as Advanced Persistent Threats take malware to a higher level of risk, so Business Email Compromise puts an even more sinister spin on regular phishing. With BEC, the social engineering is custom-designed to coerce employees in powerful, trusted corporate roles to compromise their organizations, for example by making unauthorized and inappropriate wire transfers or online payments from corporate bank accounts to accounts controlled by the fraudsters.
As with ordinary phishing, there is plenty of room for innovation among the fraudsters behind BEC and other novel forms of social engineering and fraud, and we can expect to see more numerous, sophisticated and costly incidents as a result. Aggressive dark-side innovation is a particular feature of the challenges in this area, making creative approaches to awareness and training even more valuable. We hope to prompt managers and professionals especially to think through the ramifications of the specific incidents described, generalize the lessons and consider the broader implications.
We’re doing our best to make the organization future-proof. It’s a big ask though! Good luck.
The module is intended to:
- Introduce and explain phishing in straightforward terms, illustrated with examples and diagrams;
- Expand on the associated information risks and controls, from the dual perspectives of individuals and the organization;
- Encourage individuals to spot and react appropriately to possible phishing attempts targeting them personally;
- Encourage workers to spot and react appropriately to phishing and BEC attacks targeting the organization, plus other social engineering attacks, frauds and scams;
- Stimulate people to think - and most of all act - more securely in a general way, for example being more alert for the clues or indicators of trouble ahead.
That's what we had in mind when researching and developing the materials. Think about your learning objectives in relation to phishing and BEC. What is your organization hoping to achieve through awareness and training in this area?
A suite of awareness and training materials to bring staff, managers and professionals up to speed on the phishing and Business Email Compromise threats ... and more importantly what to do about them.