October’s security awareness topic is phishing and BEC
Outline and scope
Socially engineering people into opening malicious messages, attachments and links has proven an effective way to bypass many technical security controls. Phishing is a business enterprise, and a highly profitable and successful one, making this a growth industry.
Just as Advanced Persistent Threats take malware to a higher level of risk, so Business Email Compromise puts an even more sinister spin on regular phishing. With BEC, the social engineering is custom-designed to coerce employees in powerful, trusted corporate roles into compromising their organizations, for example by making unauthorized and inappropriate wire transfers or online payments from corporate bank accounts to accounts controlled by the fraudsters.
As with ordinary phishing, there is plenty of latitude among the fraudsters behind BEC and other novel forms of social engineering and fraud, and we can expect to see more numerous, sophisticated and costly incidents as a result. Aggressive dark-side innovation is a particular feature of the challenges in this area, making creative approaches to awareness and training (such as NoticeBored!) even more valuable. We hope to prompt managers and professionals especially to think through the ramifications of the specific incidents described, generalize the lessons and consider the broader implications.
We’re doing our best to make the organization future-proof. It’s a big ask though! Good luck.
Note: given the topic, perhaps we should have removed all the working hyperlinks from this month’s awareness materials … but instead we hope you and your audiences might think twice before clicking them. Naturally we claim to be entirely trustworthy, ethical and benevolent professionals with an exemplary record and strong image ... but then we would, wouldn’t we? So proceed at your own risk!
October’s security awareness module aims to:
Introduce and explain phishing and related threats in straightforward terms, illustrated with examples and diagrams;
Expand on the associated information risks and controls, from the dual perspectives of individuals and the organization;
Encourage individuals to spot and react appropriately to possible phishing attempts targeting them personally;
Encourage workers to spot and react appropriately to phishing and BEC attacks targeting the organization, plus other social engineering attacks, frauds and scams;
Stimulate people to think - and most of all act - more securely in a general way, for example being more alert for the clues or indicators of
Consider your organization’s learning objectives in relation to this topic. Are there specific concerns in this area, or just a general interest? Has your organization been used as a phishing lure, maybe, or suffered spear-phishing or BEC incidents? Do you feel particularly vulnerable in some way, perhaps having narrowly avoided disaster (a near-miss)? Are there certain business units, departments, functions, teams or individuals that could really do with a knowledge and motivational boost? Lots to think about this month!
Contents of the module
Get this module
Subscribe to the NoticeBored service to receive this module, plus further batches of security awareness and training materials, fresh every month. We offer a wealth of top-quality creative content on a market-leading range of information risk and security topics, making it easy and economic for you to run a world-class security awareness and training program.
Email us to set the ball rolling. Find out what it takes to get your security awareness and training program quickly up to speed, for a lot less than you might think. We’re a small company with a big reputation for quality and innovation.
Tag along with us on NBlog as we work on the next awareness topic. In addition to clues about what’s coming up, we share hints and tips on making security awareness more effective.