When considering how to prevent people from falling for social engineering, such as phishing, we must first consider why they would fall for it in the first place. There are several causes, but it all boils down to someone not being aware that not everything is as it would seem.
At least part of it stems from people feeling safe. They are aware that various layers of security are in place to try to prevent bad things from happening, and they believe that anything that remains must be safe. While this is understandable, it is not entirely accurate. What is worse, the nefarious organisations are aware that a large number of people feel this way, and they try to take advantage of it.
Another type of behaviour that criminals like to exploit is that of the newcomer: the person who has only recently started in their role and is unfamiliar with what is normal in their new work environment. For example, if someone gets a new job and updates their LinkedIn profile, that information becomes public knowledge. Criminals target these newcomers with social engineering attacks such as CEO fraud or man-in-the-middle. Because the newcomer has no idea what to look out for, they are far more likely to fall for such a scam.
Worse still, some people are still unaware that phishing emails or other forms of social engineering exist, which can pose a significant threat to an organisation and themselves.
Others are consoled by the thought that "it will never happen to me." These are divided into two camps: those who believe that bad things only happen to other people, and those who believe that they are intelligent enough to detect such things without any training. Needless to say, cyber criminals see both as easy targets.
My final category of people who fall victim to various forms of social engineering is the one that saddens me the most: those who are unable to properly protect themselves, such as the elderly and children. These people should have others looking out for them and doing everything they can to keep them safe. Cybercriminals, on the other hand, do not share this sentiment and see them as easy targets.
The only sure way to keep the rest of humanity from being caught out is to TRAIN THEM. We use KnowBe4 at Brigantia to deliver frequent, regular training and to simulate phishing attacks so that everyone here knows exactly what to look for all of the time. There is a reason why more and more insurance companies insist on training for client companies' employees, and that reason is that training significantly reduces an organization's risk of cyber-attacks.
