Changing Times: Helping Your Users Understand Evolving Threats

Posted by Chris Zachar—Senior Consultant • 11/


It can be frustrating trying to stay cyber secure. Just when the user thinks they are doing everything they need to stay safe from threats, the bad guys change the playing field.

Social engineers are moving from links to attachments. Attachments don’t have to be executable files to be dangerous. The use of “tiny URLs,” such as and, hide the actual destination of a URL. Malicious actors are using vectors besides email – vishing (voice phishing), smishing (SMS/Text phishing), and media drops – to access information and networks.

But sometimes, simply changing their old methods can create a new opportunity for fraudsters to attack.

Users and security professionals who scoff at those naïve enough to fall for the ancient (in IT terms) “Nigerian Prince” scam may be unaware how that game has changed. Palo Alto Networks reports that Nigerian Prince emails have moved from a plea for temporary funds to a formidable malware delivery system. The emails are now being used to infect machines and networks instead of simply (though often devastatingly) lowering a bank account. The malware may be used to log keystrokes or remote in to a machine.

Many users also don’t understand the threat of sophisticated bogus websites. Instead of downloading malware, the click may direct the user to a site that mimics a well-known organization, such as a bank or retailer. Landing on a site with recognizable logos and layouts can reduce suspicion, prompting the user to attempt to log in to the site – thereby providing credentials to the fraudster.

Even providing detailed information in an Out-of-Office reply can raise the threat level. Instead of only being verification that the address is “live,” social engineers can use the information to develop a “script” to appear familiar with the absent user before contacting named backups. A customer service oriented backup could then provide information or passwords that would not normally be released to an unknown person.  Knowing that an email account is not being monitored gives malicious actors the opportunity to use the account as a “bot” to forward spam – also opening the door to potential blacklisting of your email domain.

How can you avoid complacency risk when working with users who “know it all”?

  1. Keep It Fresh. Instead of repeating the same information the same way, mix it up. Present information through different venues – email, intranet, company newsletters, electronic billboards, lunchroom table cards.
  2. Keep It Easy. All industries have their own jargon and we often forget many people are intimidated by IT and security. Explain threats and what your users need to do in clear and concise terminology without using acronyms or going into too much detail. At the same time, provide enough detail so the user understands the threat and why it is a problem.
  3. Keep It Personal. People are more likely to follow a security protocol if they understand how it impacts them. Let users know that what they are learning can help keep them safe at home, too. People who utilize best practices at home are more likely to use them at work.

The videos and materials PhishLine and our trusted partners offer can help you keep your training content and delivery fresh. Our materials keep it easy, providing clear explanations with minimal time commitments. PhishLine offers testing for the four vectors of phishing attacks. Our extensive catalogs of email lures, logon pages, landing pages, and training keep it personal by putting your users in the same situations used by the bad guys, so we can then teach them how to stay safe from evolving threats.  Contact us to learn more.

Related posts