End-User Education Is the Last Mile of Cyber Security

While we do believe that technology is part of solving the cybercrime puzzle, we know that it can’t help companies that don’t have leaders and end users who understand the technology, and more importantly, the cybercrime realities that make that technology a necessity in today’s business environment.

Bruce Nelson, President at Vertilocity, emphasizes the importance of end-user education. He recently sat down with us on the Cyber Crime Lab Podcast to discuss this and give real-life examples of how lack of end-user education plays out in bad outcomes for organizations.

A Spear Phishing Attack

Spear phishing is an attempt to acquire sensitive information, or access to computer systems, by sending counterfeit messages.

This type of attack often targets a specific person, or group, and will include information known to be of interest to the target, such as financial documents or current events.

Like other insidious forms of attack that use social engineering, this type of attack takes advantage of basic human nature, including:

  • A desire to be helpful.

  • Providing a positive response to those in authority.

  • Responding positively to someone who shares similar tastes or views.

In the example that Bruce shared with us, the threat actor was able to gain access to the email of a third-party project manager who worked between two IT firms that serviced one client. The victim managed projects and made sure that everyone was on the same page. The problem was, he was using a standard Gmail account for all this correspondence.

Don’t Use Personal Gmail for Business

We should note, it’s never a good idea to use a personal Gmail account for business. Apart from signaling a lack of professionalism by having @gmail.com as part of your work email address, you’re also advertising to cybercriminals. You’re letting them know that you’re on a version of Gmail that doesn’t offer much support in case something goes wrong (it is free, after all) and you’re also advertising that you’re not someone who takes cybersecurity that seriously.

Message received: this professional had his Gmail breached and the threat actor was able to read messages between all parties. The threat actor then sent a well-crafted, legitimate-looking email to the controller of Bruce’s client, one of the parties involved.

The email was asking the controller to update banking information. Since the email had come from a familiar Gmail account, it didn’t raise any red flags and the banking information was duly changed.

Almost three months passed before the real vendor called asking if something was wrong, as they hadn’t received payments for months. The controller was confused and sent over proof of payments… going to the new account. The problem was, of course, that the vendor never changed their banking information. The threat actor got the cash and disappeared.

What went wrong? Clearly, the end user was not educated enough in the scams being used today. Instead of following up with a short phone call after receiving the request to update the banking information, they went straight ahead without verification and literally paid the price. As well as user education, you can have systems in place to avoid this type of scam, for example, sending a dollar amount, or a type of request, that requires secondary verification: a sort of “real life” MFA.

Bruce notes three red flags: the request was unusual (banking information doesn’t often change), impactful (this would affect all payments) and urgent (it needed to be done in a certain amount of time).

Bruce also shares an instance in which those three red flags helped a client avoid a scam. The company in question was in heavy acquisition mode, and the CFO received what looked like an email from the CEO “greenlighting” an acquisition. But because two of the three warning signs were present (impactful and urgent), the CFO slowed down and was able to see that a few small things were off about the email. After phone-verifying with the CEO, they realized it was a scam.

The overarching moral: don’t let team members think they will be penalized for slowing down, especially when it comes to financial issues. Better to be too slow in paying something legitimate than too fast in paying something illegitimate.

Using Our Emotions Against Us

Bruce also shared a story from a conference he attended in which a former FBI agent illustrated just how easy it is for threat actors to target victims. The following is a basic playbook:

  1. Go to LinkedIn and find the CEO of a midsize company and then gather more information that might be available online.

  2. Find out if this person has kids and where they go to school.

  3. Create a legitimate-looking email from that school saying that there’s been a terrible event such as an attack, or a sexual predator has been spotted in the area.

  4. In the email let the parent know that the situation is under control and to learn more, click here and…

You’ve got them. You harnessed the powerful emotions of a parent’s instinct to protect their child and, of course, they click on the unknown link. Note again the three warning signs: something unusual, impactful, and urgent. Those three signs should always cause us to stop and pause before taking action.

Keep It Simple

Bruce shared a simple tactic to help end users get on board with cybersecurity. “Make the secure way also the simplest way. It’s the way to get massive adoption,” he noted. Part of the reason change management is so difficult is not that people resist change in general, but that they tend to resist things that take longer, even if they can see the merits of them.

Note the Worst-Case Scenario

It does happen that companies go out of business, or have to take drastic measures to stay alive, after a cyberattack. Employees should note that one wrong click, or following the directions of one wrong email, might cost the company everything, including everyone’s jobs.

If it’s framed as: “all our jobs depend on taking cybersecurity seriously,” team members will be more likely to pay attention.

Have a Plan

Bruce concludes by emphasizing something we hear from nearly all our guests on the podcast. Have a cyber risk assessment done. Have it printed out. Make sure people are designated to lead in the event of an attack.

Cyber risk assessments also have the helpful quality of identifying where the greatest risks lie so that the C-suite can spend the money where it will have the greatest impact (assuming most businesses do not have infinite cybersecurity funds).

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support. 
