Your employees have a critical role to play as a first line of defense against cyberthreats. But to be effective, they need to know what those threats are—and stay apprised of how they’re evolving.
A comprehensive security awareness program is the key to helping your users grow their understanding of attackers’ methods and objectives so they can become more proactive defenders. That includes knowing what strategies malicious actors employ to manipulate people so they can use them to enable their campaigns.
The importance of security awareness
It’s well worth taking the time to craft a meaningful and engaging security awareness program. By presenting the right mix of information to your users in a compelling way, you can empower them to help you improve your organization’s security posture as well as create a more robust security culture overall.
The cybersecurity topics that you include in your program should be relevant to your business and industry, of course. Companies face different cyberthreat challenges and regulatory compliance requirements related to data protection and data privacy. That said, there are several subjects that almost any modern business, regardless of its industry, will want to ensure its employees understand.
We list eight of these cybersecurity topics below. They are the go-to approaches and tools that attackers around the world commonly use to compromise users and their accounts, disrupt normal business operations, steal money or data, and do other damage.
Here’s a high-level overview of these eight must-know cybersecurity topics:
1. Social engineering
Social engineering is a collection of techniques malicious actors use to manipulate human psychology. Attackers rely on these strategies to trick or threaten users to take actions such as giving up account credentials, handing over sensitive data, running malicious code and transferring funds. They do this by taking advantage of users’:
- Emotions, by conveying a sense of urgency, generating excitement about an opportunity, or creating fear around losing money or doing something wrong
- Trust, by posing as someone familiar to the user or a trusted brand or authority—such as the Internal Revenue Service (IRS), UPS, Amazon or Microsoft
- Fatigue, by timing attacks when users are likely to be tired or distracted and more inclined to let their “emotional mind” guide their decision-making
Common social engineering tactics include phishing—which we cover in the next section—and these others:
- Social media reconnaissance. Attackers often turn to social media to gather information about users that they target with their campaigns. These efforts can include direct outreach to users.
- Vishing (voice phishing) and smishing (SMS/text phishing). Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from a trusted brand or authority. With smishing, attackers use text messages to send SMS messages to users or robocall them. The messages often promise gifts or services in exchange for payment.
- Telephone-oriented attack delivery (TOAD). TOAD attacks start with an email that claims to be from a legitimate source and includes a phone number for customer assistance. Callers are connected to fake customer service representatives who then direct the victim through the attack. They may instruct the victim to let them access their machine remotely or download a file that turns out to be malware. Or they might direct them to a phishing site.
Common sense can go a long way toward preventing a social engineering attack. Make sure to reiterate that if a message seems too good to be true, it’s very likely a scam. And if something doesn’t look or sound right, it probably isn’t.
Phishing is an example of social engineering. Most phishing messages are sent by email. But some attackers deliver these messages through other methods, including smishing and vishing. Here are some typical strategies:
- Malicious links. When a user clicks on a malicious link, it may take them to an impostor website or a site infected with malware. Often, attackers will disguise these links, so they appear to be from a trusted source. Techniques may include using an official company logo or registering email domains that are confusingly similar to those of a trusted brand.
- Malicious attachments. Attachments carrying malware often look legitimate. When malware and ransomware are delivered through phishing attacks, they compromise the device and then easily spread across networked devices—and even to cloud systems.
- Fraudulent requests. These requests are designed to convince the email recipient to share sensitive data, such as login credentials, credit card information and more. They are often presented as a form (for example, from a tax authority promising a refund) to prompt the user to provide sensitive data that attackers can then use for personal gain.
- QR code phishing. This is a new type of phishing threat that is hard to detect. It moves the attack channel from the protected email environment to the user’s mobile device, which is often less secure. With QR codes, the URL isn’t exposed within the body of the email. This approach renders most email security scans ineffective. (See this post for a real-world example of QR code phishing that Proofpoint detected.)
- MFA bypass phishing. Multifactor authentication (MFA) bypass phishing refers to an attack where bad actors work to circumvent MFA requirements so they can gain unauthorized access to a user’s account. One approach is to use an MFA fatigue attack, which is a form of social engineering. It’s designed to wear down a user’s patience so that they will accept an MFA request out of frustration or annoyance. It generally works like this:
- A malicious actor obtains the username and password of their target, such as through a brute-force attack.
- The attacker starts to send MFA notifications to the user continuously, usually via automation, until that individual feels overwhelmed and approves the login attempt just to make the requests stop.
- Once the attacker has unauthorized access to the account, they can steal sensitive data, install malware and conduct other mischief.
- MFA bypass phishing isn’t new, but we are seeing more tools for executing these attacks, such as phishing kits for stealing tokens. And threat actor groups have used this strategy in high-profile attacks targeting companies like Uber and Microsoft.
As part of your security awareness program, consider pointing to a few significant phishing incidents to help underscore how costly these attacks can be. This information can be especially compelling for senior executives, as they are among the users most often targeted or impersonated by attackers in phishing campaigns.
3. Business email compromise (BEC)
Business email compromise is a type of email fraud that has a considerable financial impact. It’s a next-gen phishing threat that doesn’t carry a malicious payload, which makes it harder to detect. The Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3) says that businesses lost more $2.7 billion due to BEC in 2022.
In a BEC attack, a cybercriminal will impersonate a trusted source using a spoofed, lookalike or compromised account. The recipient, believing the email is legitimate, then hands over sensitive data or funds directly to malicious actors.
When covering this topic, talk about the four main impersonation tactics that cybercriminals use, which include:
- Display name spoofing. Attackers modify the sender’s name to display someone known to the recipient. Sometimes this can be a person in authority, but it can be anyone the victim trusts (internal or external).
- Lookalike domain. Attackers register domains that are confusingly similar to a legitimate company’s domain to impersonate the brand or a trusted individual. For example, an attacker might swap ‘acompanysdomain.com’ for ‘acompanydomain.com.’ Or, they might replace a letter with a number—for instance, ‘the1argebusiness.com’ instead of ‘thelargebusiness.com.’
- Compromised accounts. Attackers use tactics like phishing to gain access to a user’s email credentials. They then use that compromised account to launch BEC attacks. Attackers may also use a compromised account from a trusted vendor to defraud customers and business partners—thereby turning the supply chain into a threat vector.
Several themes appear frequently in the content of BEC messages. All of them aim to get users to complete a task or provide information. Make sure your employees know about:
- Tasks and lures. Attackers use simple, seemingly benign questions or requests to identify, verify and soften up potential targets. They may seek to dig up more information, confirm that the email address is valid or assess whether the target may be easy prey.
- Payroll redirect. Attackers send an email to the human resources or payroll department posing as an employee and ask to change their direct deposit banking information. This change routes the employee’s pay to the bad actor’s account.
- Invoicing fraud. An attacker impersonates or compromises an internal source or a supplier and requests that payments be routed to a new account. Sometimes, a fake invoice is attached to the email.
Ransomware is a people-centric threat that enables extortion. This malware can lock away critical data, usually by encrypting it, until the victim pays a ransom to the attacker.
Ransomware infections can occur when a user unknowingly downloads the malware onto their computer by opening an email attachment, clicking on an ad, following a link, or even visiting a website that’s embedded with malware.
Usually, the attacker requires a ransom payment in cryptocurrency, such as bitcoin, because it’s hard to trace. In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever, the ransom increases, or the attackers publish the data. When dealing with a particularly unscrupulous attacker, the victim may pay the ransom and still lose the data.
One of the most critical messages to communicate to your users about ransomware is that they should move fast to report anything suspicious, even if they sense that they made a security misstep themselves. To guide them, you might provide them with a list of “dos” to help them understand when to alert IT or security. Here are a few:
- You received a suspicious email that you think might be a phishing email.
- You received an email that looks like it’s from a colleague, but it seems suspicious or unexpected.
- You accidentally clicked on a link, filled in your credentials, or downloaded an attachment and then realized it might be malicious.
- You visited a website that seemed legitimate, but then sensed something wasn’t right.
To help businesses develop a ransomware strategy, Proofpoint created a Ransomware Hub with free research and resources to help stop ransomware, reduce risk and protect users.
5. Insider risk
An insider is a person who has some type of working relationship with an organization. Because of their role and privileges, they have (or once had) authorized access to critical data and systems. An insider might be a current or former employee, contractor or business partner who might meet all or some of these criteria:
- They have computer or network access supplied by the company.
- They develop products and services for the company.
- They know about the company’s future strategy.
- They have access to protected data.
In short, an insider is someone who is in a position of trust. These users pose a threat when they act with malicious intent and knowingly use their trusted position for personal gain or benefit. What might not be as obvious is that users who misuse or mishandle their access accidentally can cause just as much harm to the business. The same goes for users whose insider access is compromised and exploited by an outside attacker.
As your employees learn about essential cybersecurity topics through your security awareness program, they may be surprised to discover that they, or someone they work with now or have worked with in the past, could be considered an insider threat.
The terms “insider risk” and “insider threat” are sometimes used interchangeably but they are not the same. Insider threat is a subset of insider risk: All insiders pose risk to an organization given their access to an organization’s data and systems. However, not all insiders will become an insider threat.
Here’s a closer look at the three key types of insider threats:
- Careless. A careless insider is a well-intentioned user who makes poor decisions that can result in the exposure or theft of valuable data. Examples include downloading files to a USB storage device or inadvertently sharing sensitive data externally.
- Malicious. These insiders are motivated by personal gain and seek to harm the organization. Examples include exfiltrating trade secrets or destroying sensitive data.
- Compromised. Compromised users are often Very Attacked People™ (VAPs) with privileged access to information. They have credentials and access that could give threat actors access to a company’s critical systems and data. Attackers use social engineering techniques such as phishing to steal those credentials.
Research shows that insider threat incidents are on the rise—and so is the cost of these incidents. Learn more in this global report.
6. Social media
Social media ranks among essential cybersecurity training topics because it is a favorite playground for attackers. It’s easy to understand why when you consider that nearly 5 billion people worldwide use social media. And because it’s so informal and part of people’s personal lives, many users lower their defenses when using these platforms.
Attackers use social media to achieve several goals, including gaining access to users’ credentials, installing malware on users’ devices, and stealing money from users. Social media threats include:
- Impersonation. Attackers pretend to be someone a user knows or a representative from an institution they trust, such as the IRS or the Social Security Administration. They attempt to prompt the user to take urgent action, like sending money or confirming login or contact information.
- Clickbait. Clickbait scams lure users to click on malicious links with promises of shocking or embarrassing content. Users may receive a private message—often appearing to come from a trusted friend—that suggests the sender has found a lewd or an otherwise compromising photo or video of the recipient. When the user clicks on the link to view the media, they are prompted to update software required to view it and end up installing malware.
- Social media phishing. Phishing in the social media space happens in two main ways:
- Attackers send emails that appear to come from a social media platform. The email explains that the user’s account password has been compromised. The user is instructed to click on a link to maintain account access. The link leads to a fake login page that harvests the user’s credentials.
- Users receive friend requests from people who they appear to know. These accounts, which are either compromised or faked, post content with malicious URLs that lead to fake login pages.
When creating content for this topic, you may also want to cover related scams:
- Romance scams
- Sweepstakes and lottery scams
- Quiz and poll scams
- Remote work and moneymaking schemes
- Healthcare scams
While you may not immediately consider social media one of the security topics to include in a security awareness program, keep in mind that many people today use their personal devices for work. If an employee’s device or accounts become compromised because of a social media threat, it could give malicious actors a foothold to launch an attack within your company.
7. Password management
Last but certainly not least among the essential cybersecurity training topics is password management. Creating strong passwords is critical to keeping personal and professional data safe because weak passwords are easier for attackers to guess or crack.
However, it’s also easy for users to become lax with password practices because they need to create passwords for so many things, and they want them to be easy to remember and fast to type. Research for the latest State of the Phish report from Proofpoint found that only about a third (31%) of working adults manually enter a unique password for each work account.
What should you stress to your employees when covering this topic? First, emphasize that password cracking is one of the most common ways that cybercriminals gain unauthorized access to confidential data and systems. Every company can benefit from these password best practices:
- Creating strong password policies
- Using MFA
- Encrypting, hashing and salting passwords
- Keeping systems up to date
8. Generative AI security risks
Generative AI (GenAI) is a form of artificial intelligence (AI) that involves the use of deep learning techniques to create new content—including text, images, audio and code.
Well-crafted attacks developed with GenAI that employ tactics like deepfakes are creating new security risks by exploiting human vulnerabilities like trust and emotional response. And there are other potential risks related to employees using GenAI, such as privacy compliance issues and intellectual property (IP) leakage.
It’s important to keep users informed about potential risks in the workplace and help them learn how to safeguard data. Setting an acceptable use policy is one step. That might mean requiring users to review and revise the output from GenAI tools—not just copy and paste the information. You might also tell users your company may monitor and record the use of these tools.
Proofpoint can also help you to educate users on the safe use of GenAI with our security awareness kit. (You might also want to consider using GenAI tools to create content for your security awareness program. See this post for ideas and best practices.)
Emphasize the power of reporting to your users
A top takeaway from any training about cybersecurity topics should be that once users know how to spot threats and risks, they should be swift in reporting them. To that end, make sure that your company has a clear and well-documented process for reporting incidents.
Also, consider using tools like a Report Phish button that makes it quick and easy for users to report phishing emails and other suspicious messages. Be prompt in your efforts to recognize and reward users who succeed at reporting real threats. And track your results to measure your overall success.
Keep your program—and cybersecurity training topics—up to date
The threat landscape is always evolving, so you need to evolve your security awareness program continuously, too. Confirm that the cybersecurity topics you cover include the latest threats, in addition to essential security topics like the eight outlined above. Monthly attack spotlights and training on trending alerts are some ideas for keeping your training fresh and relevant—and users engaged.
And remember that a robust security awareness program is not just about preventing cyberattacks, but also creating a culture of security within the organization. Reach out to your employees regularly through multiple communication channels—from internal blogs to email newsletters—to help ensure they keep in focus the security topics most important to your business.
Also, know that you can tap expert resources like Proofpoint as you work to create a strong security culture and change user behavior. With Proofpoint security awareness, you get tailored cybersecurity education online that’s targeted to the vulnerabilities, roles and competencies of your users. Our threat-guided education will help the users know what to do when they face a real threat. Find out more about Proofpoint security awareness training.