Security · January 10, 2024

Cybersecurity Awareness Training for Employees

When it comes to combating fraud and cyberattacks, employees can be a small business's greatest asset—or a potential liability. The difference often comes down to effective cybersecurity awareness training.

According to the World Economic Forum, 95% of all cybersecurity events can be traced to human error—either due to a lack of awareness, inaction or outright negligence. But when employees know how to spot red flags and how to react, they're less likely to make mistakes that may expose your organization to fraud and cyberattacks. In fact, regular cybersecurity awareness training can help employees become a powerful first line of defense.


Fraud awareness training

While criminals are constantly evolving their tactics, most fraud attempts are simply new variations of techniques that have been used for years in scams targeting consumers.

With this in mind, it's a good idea to begin cybersecurity and fraud awareness training efforts by educating employees on the most common threats—phishing, business email compromise and payment fraud.

Phishing attacks

Phishing attacks—when a hacker tries to dupe someone into providing access to information via email, text or telephone—are one of the oldest and most well-known threats targeting businesses and consumers. Criminals typically employ phishing schemes to steal login credentials, harvest sensitive information or deceive employees into installing malware. Information stolen through a phishing scheme is also often used to perpetrate future attacks.

Business email compromise

Business email compromise attacks have become increasingly common in recent years. Fraudsters may pose as vendors or colleagues to deceive an employee into sending them funds. They may also target organizations you do business with, using stolen login information to send emails from an employee's account.

In some cases, a criminal may create an email address that impersonates that of a familiar contact or a company you know—a practice called spoofing. For example, email@firstcitizens.com might be spoofed as email@firstscitizens.com. During a busy workday, the extra letter in the second email address may be easily overlooked.
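A lookalike address like the one above can be caught mechanically before it reaches an employee's judgment. The following is an added example, not code from the original article or from First Citizens Bank: it compares the sender's domain against a constructed list of domains your organization already trusts and flags near-misses (one inserted letter, a swapped character, a dropped dot) while leaving exact matches alone.

```python
# Added example (not from the original article): flag sender domains that are
# near-misses of domains your organization already knows, such as the
# firstcitizens.com / firstscitizens.com pair described in the text.
from typing import Optional

# Constructed allowlist of domains your staff legitimately exchange mail with.
KNOWN_DOMAINS = {"firstcitizens.com", "example-vendor.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: count of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract and normalize the domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(address: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> Optional[str]:
    """Return the known domain this sender imitates, or None.

    Exact matches are legitimate and never flagged; only domains within
    max_distance edits of a known domain are reported, closest match first.
    """
    domain = sender_domain(address)
    if domain in known:
        return None
    best = None
    for kd in known:
        d = edit_distance(domain, kd)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, kd)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed sample: the article's spoofed address plus legitimate and unrelated ones.
    for addr in ["email@firstcitizens.com", "email@firstscitizens.com",
                 "ap@firstcitizens.co", "news@unrelated.org"]:
        print(addr, "->", lookalike_of(addr))
```

Edit distance alone does not catch every trick (a different top-level domain or a Unicode homoglyph can sit more than two edits away), so treat a hit as a prompt for the phone verification described later in the article, not as the only control.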

Infographic with tips on protecting your accounts with stronger passwords
  • An eight-character password consisting of only upper and lowercase letters can be cracked in just 2 seconds.[1]
  • Dictionary words, number sequences and personal information may make passwords easier to crack.
  • More than 50% of people reuse passwords,[2] and weak, reused or stolen passwords are the cause of 81% of confirmed breaches.[3]
  • The longer and more complicated your passwords are, the stronger they'll be.

Here's an example:

  • Weak: RockyCat
  • Better: R0ckyCaT2
  • Best: b3stC@tR0C|<Y!

Tips:

  • Make your password easy for you to remember but hard for anyone else to guess.
  • Avoid using actual words or popular phrases.
  • Create a unique password for every account.
  • Enable multifactor authentication.
  • Change your password every 3 months.

Sources:

[1] Hive Systems, 2023 Password Table
[2] Google/Harris Poll, Online Security Survey
[3] LastPass, The Password Exposé

Payment fraud

In addition to educating employees on common cybersecurity threats, your anti-fraud training efforts should also focus on payment fraud. According to the Association for Financial Professionals' annual survey of treasury practitioners, 65% of organizations experienced payment fraud attacks in 2022. By teaching employees how to spot the signs of ACH fraud, wire fraud and check forgery, you can help ensure that your organization is better positioned to combat these common threats.

Establish fraud prevention protocols

When conducting security awareness training, be sure to clearly outline the information your employees need to protect themselves—and your organization.

Identify common red flags

Educate all staff members on red flags that should put them on alert. These may include phone calls, emails or text messages involving requests for:

  • Unexpected or urgent wire transfers
  • The purchase of gift cards
  • Sensitive company information
  • Changes in payment instructions

These requests should serve as red flags even if they come from an internal contact, such as a colleague, manager or senior executive.

Encourage employees to slow down

Criminals often establish an extreme sense of urgency to ensure their target feels pressured to take action before thinking through the request. As a result, one of the most effective fraud prevention tactics small business owners can employ is to encourage employees to slow down, assess the situation and take the time to verify any questionable requests.

Establish a protocol for verifying requests

Provide employees with a list of steps they should take to verify the legitimacy of suspicious requests, like double-checking the sender's email address. Also encourage them to pick up the phone and verify the legitimacy of any message that makes them wary—whether it be from a client, colleague or company executive. Employees should use a known, internally listed phone number for the customer or business partner instead of contact information shared via email. Encourage them to speak to their manager if they're unsure how to handle a request.

Create a system of checks and balances

As part of your fraud prevention efforts, consider establishing a system of checks and balances. If your company has a policy where two employees must review and approve high-risk transactions, you'll have a second set of eyes on the lookout for things like ACH fraud or wire fraud schemes. This system can also help deter some forms of internal fraud, including embezzlement.

Create a reporting system

Training employees to spot red flags is just the first step. It's equally important to teach them how to properly report suspected fraud. Underscore the importance of reporting suspicious emails, transactions or requests to the appropriate parties, whether it be IT, accounting or management. This step is key to preventing further damage.

Hold regular training sessions

Cybersecurity awareness training is more than a one-and-done exercise. It's an ongoing commitment to keeping your data and finances safe. Fraud awareness training should be part of every new employee's orientation, and refresher sessions should be held regularly—at least once every 6 months.

To keep your anti-fraud training from becoming stale, utilize various methods, from testing employees to sharing fraud prevention resources.

Incorporate a variety of topics

There's no shortage of topics—from using good internet browsing practices to avoiding suspicious downloads—that can be incorporated into training. Including an abundant mix of targeted topics means employees will be better prepared to recognize and avoid a host of threats.

Create a culture of awareness

In addition to formal cybersecurity training sessions, build security awareness into the culture of your workforce by establishing an ongoing dialogue. Add tips and updates to an internal employee newsletter to keep fraud and cybersecurity top of mind.

It's also helpful to post visual reminders about good cybersecurity practices throughout the workplace. You might hang posters that stress password security policies or other best practices. This can be especially helpful for teams that are often targeted by fraudsters, like your accounting department.

Leverage external resources

Also be sure to take advantage of the many fraud prevention resources that are available to small business owners. The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has developed a free cybersecurity training series to help employees identify and prevent cyberattacks. The Federal Trade Commission offers an array of resources for small businesses as well.


This information is provided for educational purposes only and should not be relied on or interpreted as accounting, financial planning, investment, legal or tax advice. First Citizens Bank (or its affiliates) neither endorses nor guarantees this information, and encourages you to consult a professional for advice applicable to your specific situation.

Third parties mentioned are not affiliated with First-Citizens Bank & Trust Company.

Links to third-party websites may have a privacy policy different from First Citizens Bank and may provide less security than this website. First Citizens Bank and its affiliates are not responsible for the products, services and content on any third-party website.

First Citizens Bank is a Member FDIC and an Equal Housing Lender.

NMLSR ID 503941