Role-Based Security Awareness Training tailors training materials and delivery mechanisms to fit the role of an employee and reduces the cyber risk associated with that role.
The world is a complex and diverse place and the people within it are a melting pot of abilities, skills, and attitudes. Within a company, this diversity is often put to good use by creating specific roles that leverage these different abilities and skills.
The fact that people work in specific roles in an organisation is not lost on cybercriminals. Fraudsters often tailor their attacks based upon the target. For example, Business Email Compromise (BEC) attacks typically involve a focus on employees in senior roles and in the role of accounts payable. Fraudsters tailor phishing campaigns or other social engineering attacks to reflect the job title of an individual, in doing so, they leverage intrinsic human traits such as trust, to ensure success.
However, if fraudsters use role-based social engineering and phishing to improve the success of their cyber attacks, then two can play that game.
Role-Based Security Awareness Training to Stop Role-Based Phishing
Cybercriminals like to make sure any campaign they design will be a success: they know that the more tailored a phishing email is, the more likely it is the target will believe the email is real and then click a malicious link or act on the email request to change bank and send money urgently, etc.
Spear-phishing is often the weapon of choice when a cybercriminal targets a specific role in an organisation. This form of phishing features highly tailored messaging to manipulate certain types of employees. Typical roles that are subject to spear-phishing attacks are:
- C-level executives and executive assistants
- Finance and accounts payable
- Privileged users
C-Level executives and executive assistants: “Whaling” and BEC (Business Email Compromise) fraud focus on the C-Level executives in a target organisation. The fraudsters may also target the executive assistants, using social engineering and spear-phishing to gain access to the CEO’s email account or other personal information. Compromised or spoof CXO emails are used to initiate the BEC fraud.
Payroll department: fraudsters target payroll employees who manage employee salary payments, to redirect money to a scammer’s bank account. For example, the fraudster may spoof an employee’s email asking for payroll to change their bank account details.
Human Resources (HR): HR resides over highly confidential and personal information. This makes that role at risk of spear-phishing campaigns looking to gain access to data that can then be leveraged in further attacks. HR then becomes part of a more complex, multi-step, fraud attempt, such as BEC and payroll fraud; an HR employee may be duped into revealing information about a C-Level executive or another employee to gain the intelligence needed to carry out the fraud.
Finance and accounts payable: the department that holds the purse strings make an obvious target for cybercriminals. BEC fraud, for example, often ends up at the door of accounts payable. But there are many types of fraud that focus on this role. Accounts payable fraud is widespread and one report found that 50% of small businesses in the UK were exposed to this type of fraud, either from internal or external threats.
Privileged users: cybercriminals target privileged users as they have the ‘keys to the corporate castle’. Privileged users are given access rights to sensitive areas of a network, and as such, they offer a direct route into that network for any cybercriminal that can trick them into handing over their credentials or downloading malware. One report found that 63% of organisations feel privileged users present the highest risk of insider threat.
Simulated Phishing Within Role-Based Security Awareness Training Programs
Simulated phishing is a great way to educate employees about phishing and cyber threats. By tailoring the simulated phishing messages to roles within your workforce you can simulate the same tactics used by cybercriminals when targeting a specific group within an organisation. This makes the phishing simulation more real and specific to that individual’s role.
To perform role-based phishing simulations, a platform must support phishing templates that can be tailored on a per-role basis. For example, role-based phishing titles reflect the types of roles that are often targeted by spear-phishing.
Examples of Role-Based Phishing Attacks
Privileged user target: The Lazarus hacking group is infamous for the WannaCry ransomware attack in 2017. More recently, the group has used targeted phishing campaigns, based on spoof job offers, that focus on privileged users. One of the most recent was the targeting of a cryptocurrency platform system administrator. The system administrator received a phishing document in the guise of a job offer via their personal LinkedIn account.
Accounts payable: Facebook and Google were scammed out of over $100 million by a fraudster who targeted employees at the two tech giants by using spear-phishing emails aimed at certain user roles.
Salary mandate fraud: phishing campaigns that involve the theft of employee paychecks are an ideal feeding ground for financially motivated scammers. Often, fraudsters will send out emails to HR or Payroll staff with a bank account change request. The phishing email often spoofs a real employee and includes their email signature and appears to be from an internal company domain. If the change is made, the employee’s salary is paid to the fraudster’s bank account.
Reasons to Tailor Security Awareness Training
Spear-phishing is a favourite of the role-focused fraudster and is very successful because of the targeted nature of this type of phishing. According to a report from Symantec, spear-phishing is used as the main vector in 65% of cyber attacks. By targeting specific employee roles cybercriminals can create multi-step, complex scams that work.
Role-Based training programs and associated role-based simulated phishing provides a tailored program for education that beats cybercriminals at their own game. Teaching employees about the exact nature of phishing and social engineering scams that specifically targets their role, empowers those employees with the knowledge to carefully scrutinise emails and other communications.