As the holiday season approaches, many of us are getting busy with gift wrapping, grocery shopping and travel planning for the holidays. In the midst of all this hustle and bustle, it's easier than ever to rush things that shouldn't be rushed - and cyber criminals are ready to take advantage.
There is a whole range of scams crafted by cyber criminals specifically to target users during the busy holiday season, from fake Christmas promotions to Hanukkah-themed phishing emails. As our inboxes get filled with holiday promotions, last-minute requests before holiday cut-off dates and planning for holiday-themed parties, cyber criminals hope to be able to slip in emails when users are least likely to have the time and patience to exercise their normal good judgment.
How far can you get with technical solutions?
Before you do anything else, it is essential that you have set up the technical safeguards required to keep your users as far away from potential scams as humanly possible. This includes email filters, advanced threat scanning tools and up-to-date anti-virus protection on your users' devices.
Users left to their own devices will often fall behind in updates. That's why an automated patching tool that enforces new security updates on user devices is also an essential part of the technical toolkit to prevent vulnerabilities from being taken advantage of by malware.
Rob checks the time on his last day in before Christmas.
However, technical solutions can't stop every scam. It is only a matter of time before a phishing email breaks through the net - and what's worse, with the hustle and bustle of the holiday season users are more likely than ever to mix up their use of personal and business devices.
What are the benefits of user training?
Users that access their personal emails on a business device, or simply click a well-crafted phishing email on their company account, are a potential entry point into an organisation that allows a cyber criminal to infiltrate and target further employees within your company. Phishing emails can also include malware which, once installed on an out-of-date device, can spread like wildfire through the company network.
To ensure that your users take all precautions necessary to protect themselves, their devices, and your business network, it is essential that they are trained in all core areas of cyber security. This includes keeping work on their business devices, enabling safety features such as VPNs, updating their software whenever a new patch is available, and recognising the most common signs of phishing emails.
Cyberto gloats after successfully scamming Rob.
Users that know how cyber criminals operate, why they use urgency and highly-lucrative promotions to get users to click on emails, and the potential consequences of falling foul of phishing emails, are more likely to detect and stop a phishing email than untrained users. It's essential that training covers the entire workforce - at least all users with access to an email inbox - while users in high-risk positions such as the finance and HR department should receive additional training.
What should all users know about phishing emails?
Before training users on any other aspect of phishing, it's important for them to understand why they are undertaking the training. Many users won't be aware of how widespread phishing attacks are, or that they can target organisations of any size - not to speak of scams that target individual people.
Users that know the methods that cyber criminals use to compromise users are also more likely to be able to apply their knowledge to real-life phishing emails that they encounter. Rather than focusing on the common signs of phishing emails, such as generic greetings and misspellings, you should concentrate your training on the general techniques that cyber criminals use to craft compelling scams.
These methods include:
- A sense of urgency to make the recipient react as fast as possible, and ideally before their better judgment kicks in.
- A promise of something valuable that the recipient is willing to divulge details for in order to receive, or a risk of consequences that the user would absolutely want to avoid.
- Linking recipients to pages that look identical to real pages and have nearly-identical URLs, with only one or two characters substituted.
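The last technique in this list, near-identical URLs, is one that a mail filter or reporting tool can also check for automatically. The following Python example is added here and is not part of the original article or of the usecure platform; the trusted-domain list, the sample links and the function names are all constructed for illustration. It flags any link whose hostname is within two character edits of a domain the organisation really uses.

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains this (hypothetical) organisation really uses.
TRUSTED_DOMAINS = ("example.com", "example-bank.com", "parcel-tracker.example")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str, max_edits: int = 2):
    """Return (verdict, domain); verdict: trusted, lookalike, unknown, unparseable."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare "host/path" as a network location
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. a malformed bracketed IPv6 literal
        host = ""
    if not host:
        return ("unparseable", None)
    labels = host.split(".")
    best = None  # (distance, trusted domain) of the closest near-miss so far
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return ("trusted", domain)
        # Compare only as many trailing labels as the trusted domain has, so a
        # lookalike placed behind extra subdomains is still measured fairly.
        tail = ".".join(labels[-domain.count(".") - 1:])
        dist = edit_distance(tail, domain)
        if dist <= max_edits and (best is None or dist < best[0]):
            best = (dist, domain)
    return ("lookalike", best[1]) if best else ("unknown", None)

# Constructed sample links, as they might appear in a holiday-themed email.
SAMPLES = [
    "https://www.example-bank.com/login",
    "https://example-bamk.com/login",
    "https://login.examp1e.com/gift-card",
    "parcel-tracker.exarnple/track?id=1",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify_link(link), link)
```

Short trusted domains produce more false positives at two edits, so lower max_edits for those.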
Your fun and engaging 10-minute holiday scams training course for all staff
Training that fails to engage users never works. That's why we at usecure think training should be fun, interactive, and not take up too much of your users' time.
Our holiday scams training video puts your users in the shoes of Rob, a well-meaning employee who fails to exercise proper caution when going through his emails in the hectic lead-up to Christmas. Watch a preview of the video below - and sign up to a free trial of the usecure platform today to enrol your users on the whole course.