In the past, cyber security training has been seen by some as something solely for the IT department, not something the average working person needs to think about.
After all, we already know not to use “password123” and to stay away from so-called Nigerian princes, so that’s us sorted…right?
Not even close. I’ve been working in IT for around 7 years and I’m still learning. While this is my first cyber security role, I’ve heavily dealt with Cloud Security in the past, so I’m not a novice. So if someone who works with cyber security as part of her job role feels that she still has more learning to do, how must the Average Joe feel?
I fancied myself an investigative journalist on this one, so, channelling my inner Stacey Dooley, I sat down with three professionals who can tell you exactly why cyber security training is important for your whole team.
“I thought ‘hold on; I’d better let the other agencies know, because this is sophisticated.’ Someone has put a lot of time and effort into this…”
Gareth Morgan is Founder & CEO at Liberty Marketing Group.
Every marketing agency wants to work with well-known brands. We have all sorts of big and small clients – including banks, law firms and even cyber security companies – and we genuinely love them. But if someone like Nike comes to you…that’s kind of why you get into the game, isn’t it? And that’s what the scammers are counting on.
It starts with a new enquiry. Last year, we had an email that looked like it could legitimately have come from luxury footwear and accessories brand Cole Haan. Choosing an established brand which isn’t necessarily a household name is where the scammers are clever; it’s a company not at the level of a global sportswear leader, but it is a challenger. So it’s believable that they might reach out to us, because we do get genuine enquiries from companies like this, especially when they’re quite specific about their problems and what they need from an agency.
These people told us that they’d got a brief and other items to send through to us, which is exactly how it normally works. I remember sitting down with my team saying how amazing it was that we instantly had everything that can be quite difficult to get from a client. There was a Tone of Voice document, they had brand guidelines, they had assets for ads – everything you might look at that would make you think the enquiry is genuine. Then there was a media plan. We opened the Excel document, which instantly told me I would need to download some macros.
Now, previously we’d had a cyber security scare with an enquiry that purported to come from a chain of luxury hotels. So something about this didn’t sit quite right with me, and that’s when I did some digging. I realised that the email address associated with the person who enquired ended with colehaanus.com, not the legitimate colehaan.com. Putting that URL into my browser led to a broken link, and that’s when I knew that this was a scam.
Had we downloaded those macros, they could have contained viruses, malware, keyloggers – anything. That’s when I thought ‘hold on; I’d better let the other agencies know, because this is sophisticated.’ Someone has put a lot of time and effort into this. And when I did, loads of them started saying that they too had received them before, and some were still getting emails through their website every month.
Something similar happened recently with an enquiry that looked like it could be from Banana Republic, but this time via LinkedIn. I was prepared. The person’s LinkedIn profile looked legitimate, but the tell-tale signs were a low follower count and an email address that ended in benanarepubliceu.com; very similar, but not exactly the same as the brand’s own domain. It turns out that several other agency owners had received the same message and, happily, I don’t think anyone fell for it.
We do have cyber security training at Liberty Marketing Group, and I think this highlights why it’s needed. Because instead of scammers sending out the “Nigerian prince” email to a billion people hoping that 1% of them will react, now they’re sending messages out to a thousand people and a lot of them are reacting because it’s talking their language. They’ll tell agencies that do Facebook ads that they need help with Facebook ads, then they want to send a brief and copies of the ads to review. That’s exactly how a genuine business would work.
I keep an eye on all incoming enquiries, but these experiences have made me jaded. I don’t trust anything anymore. So we could get a really nice enquiry today and my instant reaction now is “nope”.
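The moment in Gareth’s story worth pausing on is the spreadsheet that asked for macros. A modern Office file (.xlsx, .xlsm, .docx, .docm) is a zip container, so whether it carries a VBA project can be checked before the file is ever opened in Excel. The example below is added here and is not code from the original post or from Liberty Marketing Group; the two sample workbooks are constructed in memory, the VBA part paths are the standard OOXML layout, and the verdict labels are my own.

```python
import io
import zipfile

# Standard OOXML locations of an embedded VBA project (Excel, Word, PowerPoint).
VBA_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that Office will not save a VBA project into.
MACRO_FREE_EXTENSIONS = (".xlsx", ".docx", ".pptx")


def office_file_has_macros(data: bytes) -> bool:
    """True if a zip-based Office file contains a VBA project part.

    Legacy OLE2 files (.xls/.doc) are not zip containers and need a different
    parser, so they are rejected rather than silently reported as macro-free.
    """
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not an OOXML container; use an OLE2 parser for legacy formats")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return any(part in names for part in VBA_PARTS)


def assess_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'clean', 'macros' or 'macros-extension-mismatch'."""
    if not office_file_has_macros(data):
        return "clean"
    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        # A VBA project inside a file named .xlsx means the name was changed by hand.
        return "macros-extension-mismatch"
    return "macros"


def _build_workbook(with_vba: bool) -> bytes:
    """Construct a minimal OOXML workbook in memory (constructed sample, not a real spreadsheet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder vba stream")
    return buf.getvalue()


# Constructed samples standing in for the "media plan" attachment in the story.
SAMPLE_MEDIA_PLAN_XLSM = _build_workbook(with_vba=True)
SAMPLE_MEDIA_PLAN_XLSX = _build_workbook(with_vba=False)

if __name__ == "__main__":
    for name, blob in (("media_plan.xlsm", SAMPLE_MEDIA_PLAN_XLSM),
                       ("media_plan.xlsx", SAMPLE_MEDIA_PLAN_XLSM),
                       ("media_plan.xlsx", SAMPLE_MEDIA_PLAN_XLSX)):
        print(f"{name}: {assess_attachment(name, blob)}")
```

The check is deliberately conservative: a file that needs macros to show a “media plan” is suspicious whether or not the VBA turns out to be malicious, so the result is a reason to hand the attachment to IT rather than a verdict on its contents. Legacy binary formats and other executable-bearing containers need a dedicated parser and are not covered here.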
“Cyber security training is important for consultants due to the rise of professional phishing”
Julie-Ann Wyatt is a Change Management Specialist at a top financial institution.
I’ve been approached twice on LinkedIn by scammers. The second one was the most convincing and disappointing.
They had got in touch saying they were representing a client who was looking for someone with my skill set, and would I be interested in coming on their books as a consultant? When I looked them up, they were a real business, but the offer almost seemed too good to be true. They sent a series of attachments, but I replied asking for more details before I opened anything.
Because I am also a People and Change coach and consultant, I spend a lot of time networking. I remember once speaking to a recruitment influencer and remarking how nice everyone was. He replied that not everyone is that nice, and that professional phishing and fake jobs are a problem. When he told me to watch out, he said it very seriously. So at the time of this approach, his voice was in the back of my mind. This was part of what was holding me back, so I replied to that contact and asked a few questions.
This person had obviously recognised that I’d caught on, because suddenly they’re not working with that client anymore. Looking back, their profile wasn’t terribly convincing, which could also be part of what made me cautious. I am now wary of profiles that look horribly put together or have very few connections; specifically, if they’re following lots of people, but no one’s following back. That’s a classic. It’s not always easy to remember to be cautious however; I’m always looking to grow my network and genuinely want to speak to people. And an approach on LinkedIn isn’t necessarily something you might view as suspicious; had it been to my work email or even potentially to my personal email, I think I’d have been more likely to clock it as a scam immediately.
And this is why cyber security training is important for consultants: the rise of professional phishing. Had I not met someone who gave me that stark warning, I might never have realised that this sort of scam took place. I literally found out on the off chance. The company I currently work for does have pretty thorough cyber security training, but it doesn’t cover LinkedIn. That’s why my advice for other consultants would be to really educate themselves. Know what red flags to look for, and check their information through multiple data sources, including checking that the company actually exists, that their email address is real, and that their LinkedIn profile looks legitimate. That can’t always keep you safe, but it’s a good place to start.
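Gareth’s two spoof domains (colehaanus.com and benanarepubliceu.com) and Julie-Ann’s advice to check that a sender’s email address is real come down to the same comparison: does the registered domain in the address actually belong to the company it claims to be? The example below is added here and is not code from the original post or from either interviewee. The legitimate brand domains, the tiny public-suffix list and the edit-distance thresholds are my assumptions for illustration, and the sample addresses are constructed from the cases described above.

```python
def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute; cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


# Assumption: a stand-in for the Public Suffix List, just enough for the sample data.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def registered_label(domain: str) -> str:
    """'mail.colehaanus.com' -> 'colehaanus'; 'shop.example.co.uk' -> 'example'."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_sender(address: str, brand_domain: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    sender_domain = address.rsplit("@", 1)[-1].strip().lower()
    brand_domain = brand_domain.lower()
    if sender_domain == brand_domain or sender_domain.endswith("." + brand_domain):
        return "legitimate", "domain matches the brand's own domain"
    s_label, b_label = registered_label(sender_domain), registered_label(brand_domain)
    if s_label == b_label:
        return "lookalike", f"same name '{b_label}' under a different TLD"
    if b_label in s_label:
        # The colehaanus.com pattern: the real name padded with a region or word.
        return "lookalike", f"brand name '{b_label}' padded to '{s_label}'"
    # Assumption: allow one edit per four characters of the brand name, minimum one.
    budget = max(1, len(b_label) // 4)
    distance = levenshtein(s_label, b_label)
    if distance <= budget:
        # The benanarepubliceu.com pattern: a typo plus a padding suffix.
        return "lookalike", f"'{s_label}' is {distance} edit(s) from '{b_label}'"
    return "unrelated", f"'{s_label}' does not resemble '{b_label}'"


# Constructed sample enquiries modelled on the two cases Gareth describes.
SAMPLE_ENQUIRIES = [
    ("marketing@colehaanus.com", "colehaan.com"),
    ("partnerships@benanarepubliceu.com", "bananarepublic.com"),
    ("press@colehaan.com", "colehaan.com"),
    ("someone@gmail.com", "colehaan.com"),
]

if __name__ == "__main__":
    for address, brand in SAMPLE_ENQUIRIES:
        verdict, reason = check_sender(address, brand)
        print(f"{address:<36} {verdict:<10} {reason}")
```

Treat a “lookalike” result as a prompt to verify through a channel you already trust (the brand’s published contact page, a phone number you look up yourself), not as proof of fraud: brands do own regional domains, so the padding rule will occasionally flag a legitimate one. In production, replace the hand-written suffix set with the real Public Suffix List and add the DNS-side checks (does the domain have MX records, and does it publish SPF/DMARC) that cannot run offline here.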
“Lots of people think that cyber security training isn’t something they need to do. Trust me, it is.”
Ben Beveridge is the Safety Officer for Surface Technology International (STI).
Our company is really hot on cyber security. Not everyone has access to company email – they just don’t need it – but for the people who do, we get phishing tests every 3-6 months. We have a cyber security audit every year as well as cyber security training, so everyone should know at least the basics; if you’re not certain of the sender, don’t open a random email. If you do, don’t click on random stuff in the body of the messages! But the IT team will remind everyone regularly what they should and shouldn’t be doing; it even makes the newsletter!
They’ll send out an email that looks legitimate – I don’t actually know what happens when you click on the link because I’ve never done it – but then they give us a rundown afterwards, letting us know the number of people who followed the procedure, which is to flag it as suspicious and forward it to them for inspection. They’ll also share the number of people who have opened and ignored it.
Because STI is a manufacturer within the aerospace and defence industry, it’s doubly important for us because of the nature of the work that we do. A lot of information is sensitive or secret, so we have to have seriously robust cyber security practices – we absolutely have to have those safeguards in place. Nevertheless, lots of people think that cyber security training isn’t something they need to do. Trust me, it is. The single most common point of failure is going to be the person, right? There will always be someone forgetting their password or leaving their laptop open in a coffee shop. It happens; we’ve seen politicians leaving notes on folders and things on trains. So, if it can happen to a politician who gets vetted for this kind of thing, it’s going to happen to the regular person who has worked on the shop floor for 30 years and hasn’t kept up with the technology as it’s progressed.
For me, I think it’s more prevalent because I am visible externally as the Safety Officer. I go to various Safety conventions and meet-ups, so my name and email address are out there. It’s not unusual for me to get emails from people who look like they’re a legitimate supplier, even if I can’t remember having heard of them before. So before I look at their attached catalogue, I’ll send it over to the IT team, just to make sure.
Alongside your cyber security training, check out Dracoeye!
Suspicious about that email address, domain name or attachment? Dracoeye can help! th4ts3cur1ty.company’s security analysis tool checks files, domains, IP addresses, email addresses, URLs and file hashes against IOC (indicator of compromise) databases, flagging up any potential threats. That means it cross-checks reports from reputable sources across the internet – such as ThreatFox, Spamhaus, Blacklist Checker and AlienVault – so that you can make an informed decision. Best of all, it’s totally FREE!
Check out Dracoeye here – for free today!