📱⚠️ Just received my first #smishing (SMS phishing) attempt during the holiday season from a #cybercriminal, and it's a classic example of social engineering at work. The text claimed to be from the United States Postal Service, stating a package couldn't be delivered due to incomplete address details, and it asked me to confirm my address via a link. Once you click on the link... bad things will happen. You might go to a #phishing website designed to steal your username and password or other sensitive info.

In the wake of Black Friday, many of us are eagerly awaiting package deliveries, making this scam particularly insidious. While you might not fall for such a ploy, think about your family members who might not be as vigilant.

🧐 #CyberSecure Mindset Tips:
- Verify Independently: Don’t trust unsolicited texts. Contact the courier or retailer directly through their official website or customer service number.
- Don’t Click Links: Avoid clicking on links in unsolicited messages. They often lead to fake websites designed to steal your information.
- Educate Your Circle: Share these tips with friends and family. Awareness is key to prevention.
- Report Suspicious Messages: Forward these texts to spam reporting numbers or report them to the appropriate authorities.

Remember, during my time with the Federal Bureau of Investigation (FBI), I learned that staying safe online requires a community effort. Let’s help each other out and keep our digital space secure. Have you or your loved ones encountered similar scams? Share your stories and let’s spread awareness!

#CyberSecurityAwareness #SmishingScams #OnlineSafety #StayAlert #CommunitySafety
Tips for Raising Awareness About Scams
Summary
Raising awareness about scams involves educating people on recognizing and avoiding fraudulent schemes that exploit trust, fear, or urgency to access personal or financial information. The goal is to empower communities to protect themselves and report suspicious activity.
- Share real examples: Use real-life scenarios or personal stories to help people identify common tactics scammers use, like fake emails or urgent text messages.
- Encourage double-checking: Remind others to verify unexpected messages or links by contacting the source directly through official channels, rather than responding immediately.
- Promote open conversations: Create a safe space for people to share their experiences and ask questions without fear of judgment, which helps foster broader awareness.
-
How many signs of phishing can you spot in this email? I am getting more and more of this exact type of fake invoice phish. In fact, a lot of them aren't even getting caught by spam these days. So, let's spread the security awareness to help others avoid falling for it.

How many signs of phishing can you spot in this image? Alternatively, what common signs do you NOT see, which is likely how it is avoiding spam filters?

Here is what I see on this one (SPOILERS):
🔻 From a generic gmail.com account
🔻 No personal greeting - it is all generic
🔻 The ID number in the subject doesn't match any other numbers in the email or the Invoice number in the attached PDF (visible but hard to see here)
🔻 The text is repetitive and very difficult to read
🔻 The PDF says "Norton from Symantec" but the email doesn't contain any branding or contact details

Now, here is what I DON'T see which security awareness programs always highlight:
🔹 Call to *urgent* action
🔹 A link to click
🔹 Typos or spelling errors (grammar problems notwithstanding)

So, what actions can you tell people to avoid falling victim?
🔸 Never trust incoming email, particularly from sources you haven't seen before
🔸 If an email says you paid a bill you don't remember paying, check your bank accounts FIRST. If you don't see the bill, the email is almost certainly spam.
🔸 Never be afraid to forward an email like this to somebody else and ask for a second opinion on it.
🔸 Don't call the phone number or respond to an email like this. Look up the company in Google and call the official support number.

#security #cybersecurity #spam #phishing #securityawareness
-
Phishing Tests Are Failing Us—And Not for the Reasons You Think

Let’s talk about why phishing attacks actually work. It’s not because employees are clueless. It’s not because they don’t care about security. It’s because they’re human.

I’ve worked with nearly 130 of the Fortune 500 and multiple government agencies. And guess what? Everyone is doing phishing tests. But here’s the problem: Employees aren’t learning. They’re phished out.

Why?
• They’re constantly being tested—and nobody likes to feel like they’re being set up to fail.
• The follow-on training is often awful. Bland, patronizing, and completely disconnected from the realities of their job.
• Fear. Anxiety. Stress. These are the exact conditions that real attackers exploit. And what do phishing tests do? Create those same conditions.

So, we’re training people to be afraid of security instead of engaged with it.

How do we fix this?
1️⃣ Ditch the gotcha game. Stop treating phishing tests like pop quizzes. Make them about learning, not punishment. (Personally, I would prefer you think outside the box, like host a contest where the best employee AI-created phishing wins! You get engagement and they learn just how easy it is to create these!)
2️⃣ Test to teach, not just to track. If someone falls for a phish, give them immediate, meaningful feedback in a way that helps—not a generic video or an eye-roll-worthy module.
3️⃣ Make security part of the culture. (That may mean you need to rewrite and/or reprioritize your cultural values.) If employees feel safe reporting real phishing attempts and other security issues (instead of fearing blame or shame), you’ll get way better engagement.
4️⃣ Address the real enemy: stress. Attackers use urgency and pressure because they work. Instead of just testing, let’s give employees strategies to pause, think, and protect themselves before they click. (And also offer employee assistance programs to help learn HOW to manage stress!)
Cybersecurity isn’t about making employees security experts—it’s about making security work for them. Teach them how to protect themselves and their loved ones and they will bring those good cyber hygiene practices back to your workplace and everyone wins. Let’s stop making them feel like they’re failing and start helping them succeed. What’s the worst phishing test experience you’ve seen? Drop it in the comments—I bet we could make a Hall of Shame from some of them. (No names, please, let’s learn but keep it respectful) #phishing #socialengineering #cybersecurity #trainingandawareness #insiderthreat #humanrisk
-
I mentioned the article below yesterday. I have read it and want to review five key points and maybe present some potential new approaches to Cyber awareness training because it isn’t working as intended.

For years, the cybersecurity world, including myself and my friends, has relied on awareness campaigns to combat scams, fraud, and cybercrime, but the hard truth noted in this paper is that most fail to create lasting behavioral change. I think we can all agree, and the paper notes that knowledge is important, but awareness alone can really no longer be considered enough. Cybercriminals exploit human psychology, adapt faster than awareness campaigns, and operate in a system that leaves individuals to fend for themselves.

Here are 5 key points from this research on why traditional awareness training falls short—and some ideas, I think, for a potentially smarter, more effective approach:

1. Awareness ≠ Action
🔍 The Problem: Knowing about scams doesn’t mean people take protective steps. Psychological triggers like fear, urgency, and trust bypass rational thinking and awareness is fleeting.
💡 Possible Solution: Shift focus to behavioral change, embedding habits like verifying links, enabling multi-factor authentication, and pausing before reacting emotionally. This will have to include more persistent discussions of the cyber stuff.

2. Cognitive Overload
🔍 The Problem: People are overwhelmed by a flood of warnings and red flags, leading to desensitization and inaction.
💡 The Solution: Use targeted, actionable messaging—not laundry lists. Incorporate nudges, like reminders to update passwords or check account activity. Again, this will require a constant, direct approach that is more than just one-off presentations.

3. Scammers Evolve Faster
🔍 The Problem: Scammers adapt quickly, exploiting new tech and vulnerabilities while awareness campaigns lag behind. (I think we all know this)
💡 The Solution: Integrate real-time threat updates into training programs. Use simulations to help people recognize evolving tactics. But, for the third time, we need more than one-offs.

4. Victim Blaming
🔍 The Problem: Campaigns often imply victims are responsible for their losses, adding shame to their experience and discouraging reporting. This is the research's conclusion. It may not be intentional, but I can see it.
💡 The Solution: Don't victim blame. Honestly, I haven't figured out this one.

5. Short-Term Gains, Long-Term Fade
🔍 The Problem: Training creates short bursts of knowledge, but behaviors revert without reinforcement.
💡 The Solution: See solutions 1-3

The New Way Forward: I honestly am still thinking about how this can work better. The paper discusses a lot more than these 5 areas. If you are interested in working with me on building a better way forward regarding cyber awareness, message me. If your company wants to test drive this new methodology, contact me also.

#CyberSecurity #AwarenessTraining https://shorturl.at/BS2Gr