As a new year approaches, it is natural to reflect on recent accomplishments. At Proofpoint, we are reflecting on our work to deliver security awareness content and updated features in line with our ongoing goal to drive behavior change.
Proofpoint Security Awareness integrates our rich threat intelligence, which means it taps into current and emerging attacks. Our threat analysts surface threat trends, such as artificial intelligence (AI)-enhanced vishing, malicious QR codes and remote IT support scams. And then we work quickly to release new training features and awareness material to ensure inform security administrators and educate employees about ever-evolving attacks.
In 2023, our content releases focused on three areas:
- Delivering a threat-driven program
- Improving how security awareness administrators work
- Enhancing how people learn
Let’s review the past year and explore how Proofpoint used content releases to respond to the changing threat landscape.
Image from AI Chatbot Threats training (play video).
Quick turnaround for threat trends
Proofpoint Security Awareness alerts customers to threats in two powerful ways—Threat Alerts and Attack Spotlights. It also continuously trains employees with threat-driven training modules.
These weekly releases focus on a specific and current ongoing attack. They explain what the threat is and who it might target. And they describe a specific lure, if applicable.
Each alert is linked to activity that our threat analysts see happening in the wild. We recommend applicable training like simulated phishing and awareness material and include suggested email messaging.
In 2023, we released Threat Alerts on:
- IRS-themed phishing lures for tax season (February, March, April)
- AI-enhanced vishing calls that impersonate loved ones (March)
- Malicious QR codes for credential phishing (May, August)
- Telephone-oriented attack delivery (TOAD) using a Geek Squad PDF lure (July, October)
- Charity donation scams around the Israel-Palestine crisis (October)
- Christmas party lures for credential phishing (November)
These monthly releases cast a wider lens on attack types. They focus on a time-based or reoccurring threat that is expected to trend, typically related to holidays, travel seasons or shopping events. Each spotlight is released a month in advance with a campaign plan, awareness material and training modules, and is available in 12 core languages.
In 2023, Proofpoint published these Attack Spotlight campaigns:
- Smishing with package delivery lures (February)
- Business email compromise (BEC) phishing with requests for quotations (RFQs) (April)
- LinkedIn phishing lures (May)
- Amazon phishing lures (June)
- Remote IT support scams (September)
- Gift card scams (December)
Image from Attack Spotlight video (play video).
These training videos are relevant to the changing threat landscape. They are inspired by our threat intelligence and our team’s threat landscape research. These micro-learning modules are grounded in learning science principles that are designed to drive behavior change.
Each module has a concise and specific learning objective. The delivery of content is tailored to individual factors such as a person’s role, learning style, vulnerability level and preferred language.
In 2023, we covered these topics in our new threat training modules:
- Data loss protection
- AI chatbot threats
- Amazon phishing scams
- Cryptocurrency investment scams
- QR code dangers
- Multifactor authentication (MFA)
Image from Threat Module video (play video).
Staying ahead of generative AI attacks
AI-powered systems are promoted as tools to help us work faster, and they are transforming businesses and industries. This wide-reaching access can create security risks from potential data breaches to concerns over user privacy. Your employees need to be aware of the limitations and risks of using AI-powered tools, especially in the workplace.
Throughout 2023, we stayed ahead of this topic—and way ahead of other security awareness vendors—with our rapidly released collection of AI awareness training, material and news alerts. We covered basic essentials like “What is AI? ” and more advanced concepts like the difference between generative and retrieval chatbots.
The AI awareness topics included:
- Safety guidelines for AI chatbots
- Generative AI chatbot threats
- Generative vs. retrieval chatbots
- AI-enhanced phishing lures
- AI-enhanced vishing calls
- Using AI threats as the phishing lure (that’s a twist!)
Image from the AI awareness training collection.
Make it easy with a full-year campaign plan
Throughout 2023, Proofpoint delivered new resources to streamline and automate how security administrators work. Our goal is to remove stress and manual work so that you can focus on program strategy and learning objectives.
That’s the idea behind our new Yearlong Campaign. Making campaigns for a whole year requires a lot of work—with content to choose and topics to assign. Wouldn’t it be great if you could start with a suggested curated approach for a comprehensive campaign?
The Yearlong Campaign covers a full calendar year around the main theme of “Cybersecurity Heroes.” Each month is focused on a specific topic with a four-week plan, dedicated content, and the ability to work in a modular or sequential way.
The Cybersecurity Heroes campaign includes 12 curated evergreen topics like:
- Insider threats and protecting sensitive information
- Ransomware, such as dangerous attachments
- Account security, like MFA
- Data security, including data handling and data breaches
- Phishing and email security, including spear phishing and data entry
- Physical security, like in relation to remote work
An article from the Yearlong Campaign from Proofpoint.
On a related note, in 2023 Proofpoint published campaign plans in three lengths to add options for program duration and flexibility. A security administrator can choose a time structure that best fits their needs and move faster to incorporate trending and timely topics.
- Short term (one to two weeks). Explains a threat-driven topic in a timely release. For example, we spotlighted Amazon phishing scams in June for Amazon Prime Day in July.
- Medium term (about one month). Get a deeper dive into a security topic, like this year’s Cybersecurity Awareness Month.
- Long term (multiple months to one year). Run the full calendar year with a specific topic each month. (That’s our modular 12-month Cybersecurity Heroes Campaign!)
Early release of Cybersecurity Awareness Month Kit
Let’s talk more about a crucial month for security awareness: October. Last year, our customers said they wanted to prepare as early as possible for Cybersecurity Awareness Month. That’s why, in 2023 we released our full Cybersecurity Awareness Kit for customers in April. And in June, we released the free version.
Our kit focused on cloud and internet security, with the aim of teaching people about safe browsing and social connections. The “Web Browsing Road Trip” theme was designed to be evergreen and reinforced across resources like a weekly activity tracker, short engaging videos and performance badges. We also developed messaging to help businesses run a month-long security awareness campaign with ease.
Infographic from the Cybersecurity Awareness Month Kit from Proofpoint.
New content methods for learning and development
At Proofpoint, we are always investing in new ways for people to engage and learn. In 2023, we expanded this content initiative with short “nano” videos, premium animation and live action, in-the-moment teaching and curriculum paths. As always, the topics are informed by what Proofpoint threat intelligence sees in the current attack landscape.
Our new nano-learning videos are super-quick bites of knowledge. In under 60 seconds, these punchy clips make an impression and reinforce a simple lesson. Nano content is a great way to deliver an impactful message in a short time. We carefully designed the concept, using live actors for visual impact and the reinforcing tagline of “Now you’re a little wiser.”
The 2023 nano series 60 Seconds to Better Security includes:
- AI chatbot threats
- Secure operations
- Supply chain
- IP address
- Search engine optimization (SEO) poisoning
Image from a Proofpoint Threat Module video (play video).
Here’s some other premium awareness content that Proofpoint published in 2023:
- Premium animation videos use a striking upscale stylization. The aesthetic is inspired by classic cartoons while layering in a modern look. We’re quite proud of the Hall of Hackers animated series which explains security topics such as insider threats and ransomware.
- High-end live action videos feature actors and real-life imagery in a new interactive style. The educational content is situational to a particular context and role and is engaging without being comedic or conventional. A great example is the series When Emotions Run High, which covers topics like insider threats and USB drives.
- Training games or gamified learning now include a 360-degree physical security game. Plus our beloved interactive Anti-Phishing Phil module has been updated. These releases demonstrate our continued commitment to the SCORM file format and our alignment, when possible, to WCAG compliance such as keyboard controls and mouse controls.
Image from a premium animation video (play video).
In 2023, we also introduced Phish Hooks. With this just-in-time teachable content, learners see a clear visual explanation of why a phishing simulation was malicious after they click on it and find out they’ve failed. Our Phish Hooks are based on the NIST Phish Scale, which is an academic categorization for the difficulty levels of phishing. This contextual instruction can maximize your educational impact and improve user engagement.
The topics for our first release of Phish Hooks were 2022’s “top abused brands,” analyzed in the Proofpoint 2023 State of the Phish report. Those topics include:
- Amazon gift cards
- Adobe Cloud
- Microsoft Teams
- Microsoft 365
- Google Docs
Example of a Phish Hook.
A final premium push was guided curriculums for general and specific learning paths. Our foundational curriculums help people progress from basic to advanced knowledge in essential topics. The content is available in more than 40 languages. There are also role-specific learning paths that cover compliance and regulations for certain industries.
In 2023, we released new curriculums for:
- ISO/IEC 27002:2022
- Criminal Justice Information Security (CJIS)
The logo for the CJIS.
Short adaptive quizzes to assess learning
How do you know if your security awareness program is effective? Our adaptive learning assessments can help you answer that question. You can use these short quizzes to evaluate employees by topic area, making it easy to gauge their understanding of key learning points. You can assign either pre- or post-quizzes and track real-time results.
These assessments are part of our adaptive learning approach that helps you to motivate your people by providing them with a more personalized experience. In 2023, our new learning assessments included:
- AI chatbot tools for phishing lures
- Malicious insider threats
- Public data vs. non-public data
- Data protection and destruction
- QR code dangers
- Software supply chain attacks
An example of an adaptive learning assessment from Proofpoint.
Threat attacks are always evolving—and Proofpoint Security Awareness is continuously changing, too. Our content is informed by what is happening in the current threat landscape so that you can prepare your employees by highlighting trends and tactics. We design our education to help people adopt better security habits across their daily lives and help them know what to do when they face a real threat.
Find out more about Proofpoint Security Awareness.
Subscribe to the Proofpoint Blog