Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.
The internet is the greatest information source known to humanity, but it’s also fertile ground for deception. Lies masquerading as truth are all too common. From government-sponsored disinformation campaigns to sophisticated scams perpetrated by determined cybercriminals, there’s no end of legitimate-looking falsehoods online.
Whether the intent is to change a mind, incite political discord, collect data or steal money, the same techniques are employed over and over again — they’re just dressed up in different clothes.
Learning how to spot disinformation can equip you with the critical thinking you need to spot a scam.
By teaching your employees to be naturally skeptical, showing them how to properly vet a source and then spot testing them to see what they’ve learned, you can make your business exponentially more secure.
The Rise Of Fake Everything
Anonymity online has always enabled people to misrepresent themselves. Social media is awash with fake accounts. Facebook reports “millions of attempts to create fake accounts every day” and admits that at least 5% of monthly active users are frauds — that’s 130 million accounts.
It’s an all-too-similar story for Twitter, LinkedIn and other social media outlets across the web. Some of these accounts may be so-called sock puppets for hackers or agitators; others may be bots, and many are created by people simply trying to hide their identities. At an individual level, these fake accounts can be used for catfishing or other simple scams, but when organized on a mass scale, they can be incredibly disruptive.
Consider how advanced image manipulation techniques have become. It’s relatively easy to create powerful lures and emotional appeals with false images, audio files and video. Deepfakes take this to a whole new level, and once something fake is released in the cyber world, it’s alarmingly difficult to stop it from circulating and even harder to convince everyone that it’s not real.
Some fake news is so well crafted that it gets picked up and regurgitated by legitimate news outlets.
While the sophistication of fake stories and scams has increased over the years, often embellished with convincing details and images, they still rely on triggering an emotional response in the target that causes them to react without thinking critically. Phishing scams almost always have a sense of urgency to them, but they can use the carrot or the stick. On the one hand, you may see, “Click here now to take advantage of this amazing offer,” and on the other, you may be told, “Act now or your account will be permanently deleted.”
Disguising The Scam
Whether you’re looking at an inflammatory quote from a prominent politician, an email from your bank or even a message from Bob in accounts, all may not be as it seems. Look closer, and you may be able to expose enough telltale signs that the mask slips down and the deception becomes clear. Perhaps that tweet is actually from a parody account, or the bank email has been sent from an unrelated email address. Maybe Bob is referring to an invoice you’ve never heard of.
If you take any of these things at face value and respond as you’re being baited to do, then you’re going to run into trouble. Take a breath. Even though scammers work hard to make it feel like a response is urgent, how often is that the case in real life? No one will ever be annoyed that you took five minutes to confirm a request or validate some information.
To do that properly, you need to consider the source.
Find The Source, Find The Truth
Spotting a fake username, a strange email address or a false document may be easy, but some scams are more sophisticated.
Always focus on identifying the real source or contacting the purported source independently. Never click through the link in an email or respond directly to a message that seems suspicious; instead, phone the bank (or Bob in accounts) directly and ask them. A two-minute call could save you weeks of trouble.
It’s not always easy to identify the source, yet encouraging people not to act without checking the source first is a smart policy. If you can instill this mindset in your workforce, it will make your business much more secure.
There are some excellent resources that can help you debunk fake stories that are circulating. The Washington Post has a fact-checker page and a guide to manipulated video, for example. With phishing scams, a little research will often confirm your suspicion. Most companies have an email address or website where you can report suspect messages. For example, PayPal has a [email protected] address that will confirm whether an email is legitimate.
Train And Test Your Staff
If you expect employees to spot phishing attempts and avoid falling victim to scams, you must educate them about the techniques that cybercriminals use. They also need to know the potential consequences of not taking security seriously enough. Security awareness training is vital. Instead of abstract advice, it gives workers practical experience they can draw on. People are the low-hanging fruit for cybercriminals, so if you can get your employees into the habit of questioning sources before acting, you can dramatically reduce the chances of a data breach or security incident.
Remember that it’s not enough to run a regular training program — you need to test what your employees have learned. Fake phishing campaigns aimed at the whole company, from the exec level down, are a great way to expose gaps in your training. Once it becomes second nature to check the source, your business will be that much more secure.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?