Keeping Security Simple

What if you were told that phishing scams — attempts to steal information or infect devices with malicious software — were actually easy to launch? Not that they should be oversimplified, but all anyone needs is an internet connection and someone’s email address. That’s about it. Of course, there’s a big difference between successful and unsuccessful phishing attempts. The attacker needs to craft a believable message that will convince the recipient to, as an example, divulge their username and password or other personal details. Still, when you think about the steps involved, phishing is not complicated and neither is security.

We can keep it simple by answering three fundamental questions:

What do cybercriminals want?
While many cyberattacks are financially motivated, data theft is also a common goal. Confidential information like full names, addresses, national ID numbers, and other personal details carries a lot of value.

How do they get it?
Behind almost every scam is a simple objective: Gain someone’s trust and use it against them. Attackers create scenarios designed to mislead people and shortcut rational thinking.

Why do they want it?
The money part is obvious. Stolen information also offers additional paths to paydays. For example, with enough personal data, a scammer could open fraudulent accounts in the victim’s name.

Answering these questions helps summarize the simplicity behind many of the threats you might encounter. There are, of course, much more technical attacks used by advanced cybercriminals. In all cases, you can maintain security and privacy by using a combination of awareness, skepticism, and common sense.

Here’s what that combination looks like in practice:

Awareness:
Stay alert and keep your guard up. Remember that scammers hope to catch people when they’re busy or tired, making them more likely to arrive at quick decisions without much thought.

Skepticism:
Any scenario that triggers emotions should also trigger your suspicions. Scammers leverage emotions by using threatening language, pushing a sense of urgency, and offering unrealistic promises.

Common sense:
Albeit a vague concept, common sense matters. Most people would never publicize their bank account information for obvious reasons. Apply that mindset when handling requests for sensitive data or money.

Here at work, remember to always follow organizational policies, and report security incidents immediately!

Article retrieved from Non-Technical and Physical Security by The Security Awareness Company – KnowBe4, Inc. (2023)