Friday, September 20, 2024

KnowBe4 Trains the Financial Services Industry to Safeguard Against Social Engineering Attacks

Writer: Sean Roderick, Staff Writer

As a full-time contributor to CardRates.com, Sean brought years of experience copyediting and providing constructive feedback on complex corporate financial documents. His primary areas of expertise include eCommerce, corporate investment, and consumer financial literacy. He believes everyone, regardless of current credit status, can benefit from expanding their financial knowledge.

Editor: Lillian Guevara-Castro, Senior Editor

Lillian Guevara-Castro brings more than 30 years of editing and journalism experience to the CardRates team. She has worked at The Atlanta Journal and Constitution, Gwinnett Daily News, Gainesville Sun, and The New York Times, where she covered demographics, consumer issues, and the business and financial sectors. Lillian has a degree in journalism and communications from Georgia State University and brings her fact-checking expertise to ensure Digital Brands content is accurate and engaging.

Reviewer: Ashley Fricker, Senior Editor

Ashley Fricker has more than a decade of experience as a finance contributor and editor, and has specialized in the credit card industry since 2015. Her credit card commentary is featured on national media outlets that include CNBC, MarketWatch, Investopedia, and Reader's Digest, among many others. She has worked closely with the world’s largest banks and financial institutions, up-and-coming fintech companies, and press and news outlets to curate comprehensive content and media. Ashley holds a bachelor's degree in multimedia journalism from Florida Atlantic University.


In a Nutshell: Cyberattacks are a persistent problem online, and new tactics appear constantly. To guard against serious cybersecurity risks, KnowBe4 offers training services and advice to banks, corporations and government entities. Its platform combines security awareness education with simulated phishing exercises so employees can practice recognizing attacks before a real one lands. KnowBe4 also tracks emerging techniques such as the browser-in-the-browser attack, in which a phishing page draws a fake pop-up login window that mimics the browser's own title bar and address bar in order to harvest credentials and multifactor authentication codes.

As a society, people are becoming ever more reliant on internet capabilities, whether it be for shopping, traveling, connecting with friends, or working from home. This only raises the stakes of potentially becoming victims of cybercrimes.

These crimes can be highly sophisticated and are carried out using professional level tactics. Naturally, many people are ill-equipped to deal with cyber deception and become easy prey.

Nearly all of these attacks depend on social engineering. In cyber terms, social engineering is the art of manipulating, influencing, or deceiving users into taking an action, such as clicking a link, revealing a password or approving a login prompt, that hands the attacker control over computer systems.

Criminals can use a number of methods to achieve illegal access either by phone, email, traditional mail or direct personal contact. Criminals can exploit points of weakness online through impersonation, diversion, and many other tactics.

Interestingly, one of the oldest methods is still highly prevalent. Phishing is an attempt to acquire sensitive information, such as usernames, passwords, and credit card details, by impersonating a trusted party. Using the same delivery tricks email marketers use to get past spam filters, cybercriminals send messages that claim to come from well-known social networks, banks, or IT administrators in order to capture a user's sensitive information.


To mitigate these threats, security firms are hard at work to help people become better prepared for the unexpected. KnowBe4 is a platform that provides educational resources and phishing simulation training to major institutions like banks, corporations and government entities.

Erich Kron, KnowBe4’s Security Awareness Advocate, said that, while cybercriminals mainly focus on ways of acquiring money, they are also known for stealing intellectual property as part of international espionage schemes. And they’re even going after people’s personal information, which also holds monetary value.

Kron said that financial institutions need to be wary because, whether the accounts being targeted are small or large, cybercriminals are always looking for ways to gain access.

A bank’s reputation rides heavily on customer trust, so when a data breach occurs, the reputational damage can be far more harmful than the assets lost. Adding layers of protection can feel burdensome, but the cost of those controls is small compared with the cost of a breach, so heightened security is a net gain overall.

Prior to joining KnowBe4, Kron was the security manager for the U.S. Army’s 2nd Regional Cyber Center-Western Hemisphere, and he knows very well the complexities of developing phishing simulation training.

He said that, overall, it’s better to have a company like KnowBe4 create the simulation training because it would take far more time and knowledge for clients to attempt to do it themselves.

Security Awareness Training Helps Avoid Human Error

Most of the time, security compromises occur due to human error. People may create weak passwords, forget to follow compliance protocols, or simply get fooled by malicious attacks they lack the training to recognize.

Kron said people underestimate how skilled these cybercriminals are. They are not basement-dwelling kids; they are professionals.

For those reasons, KnowBe4 focuses its strategy on addressing and improving the human element of cyber threats. “We provide a security awareness training and simulated phishing platform and services for companies to basically educate their people…so they get a chance to practice before it gets serious,” said Kron.

Erich Kron, Security Awareness Advocate at KnowBe4

While the education and simulated training modules are its key features, KnowBe4 also offers a KCM GRC platform for compliance and risk management. The company is currently offering its new Vendor Risk Management module to help streamline third-party vendor risk assessments and ongoing risk monitoring.

Organizations can choose between Silver, Gold, or Platinum levels at varying prices. Pricing also scales with the number of employees in the company and the number of user licenses issued.

Getting back to the human element, Kron said that people need to be aware of their emotional responses to potential scams.

“If you have a strong emotional reaction to a text message, an email, or even a phone call, take a deep breath and look at it more critically, because a lot of times what they’re trying to do is get us upset,” said Kron. “And then we miss those things.”

“If you’re in a rush to do something and you don’t look into that, they play with your emotions. Most of this stuff starts with emotions,” he said.

Simulated Phishing Attacks Test for Vulnerabilities

KnowBe4 provides one of the best-known security awareness training systems, with more than 50,000 organizations using its phishing simulations. Its training modules prepare companies for pressing threats such as social engineering, spear phishing and ransomware attacks.

Pricing for Security Awareness Training is split into Silver, Gold, Platinum, and Diamond subscription levels, which map onto three levels of training-library access and progressively more features.

Customers can request one-year or three-year service quotes, and the overall cost depends on the number of seats selected.

According to the 2022 KnowBe4 Phishing by Industry Benchmarking Report, organizations’ average initial baseline Phish-prone Percentage (the share of users who fall for a simulated phishing email before any training) is 32.4%. After three months of training and simulations, that average drops to 17.6%, and after one year it falls to 5%.

Kron said that sometimes, when KnowBe4 starts working with an organization, it may perform an unannounced simulation, and in many cases, it doesn’t even let people know that they were tested.

He also wanted to emphasize that the intention is not to make people feel bad about their failures. The purpose is to train and teach them how to spot these issues so they can be fully prepared when it happens in real life.

“It’s not to make them so diabolical, that people fail them all the time,” said Kron. “We really want to help educate people and get them used to spotting it.”

When using KnowBe4’s service, companies can set up the training for different departments, and then prepare them for simulated phishing attacks. With thousands of email templates grouped by different categories, companies can either have an AI select which ones to send people, or management can just grab a category and send them out randomly to a particular group.

Staying Ahead of the Newest Threats

KnowBe4 continually studies new attack trends and how to detect and gather intelligence on emerging threats. In particular, techniques for bypassing multifactor authentication are on the rise.

One way KnowBe4 stays current is through what Kron calls a sub-tool: it takes real phishing emails that users have received and reported into the system and “defangs” them by removing the malicious link.

The defanged phishing emails can then be turned into simulation templates and sent to everyone in the organization, so staff are prepared for the same lure when it arrives for real.
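The defanging step described above, as an added example that is not KnowBe4’s own tooling: a Python script that parses a reported email, replaces every live URL in its text and HTML parts with a placeholder token that a simulation platform could later swap for its own tracking link, and returns the list of URLs it removed so an analyst can review or block them. The sample message, the lookalike domain examp1e-bank.test and the {{SIMULATION_LINK}} placeholder syntax are constructed for this example.

```python
"""Turn a reported phishing email into a defanged simulation template.

Added example, not KnowBe4's own tooling. Every live URL in the text/plain
and text/html parts is replaced with a placeholder token; the removed URLs
are returned so an analyst can review (or block) them.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from typing import List, Tuple

# Absolute http(s) URLs in prose or inside HTML attribute values. Whitespace,
# quotes and angle brackets end the match so href="..." and src="..." work.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Punctuation that often trails a URL in prose but is not part of it.
TRAILING = ".,;:!?)"

# Token a simulation platform would later replace with its own tracking link
# (assumed placeholder syntax for this example, not a KnowBe4 convention).
PLACEHOLDER = "{{SIMULATION_LINK}}"

# Constructed sample: a bank "account locked" lure from a lookalike domain,
# with a tracking pixel in the HTML part.
SAMPLE_PHISH = """\
From: "Bank Security" <alerts@examp1e-bank.test>
To: employee@example.test
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account is locked. Verify now: https://examp1e-bank.test/login?id=123

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account is locked.</p>
<a href="https://examp1e-bank.test/login?id=123">Verify now</a>
<img src="https://examp1e-bank.test/pixel.gif"></body></html>
--b1--
"""


def defang(raw: str) -> Tuple[EmailMessage, List[str]]:
    """Replace every URL in the message's text parts; return (message, urls)."""
    msg = message_from_string(raw, policy=policy.default)
    found: List[str] = []

    def swap(match: "re.Match[str]") -> str:
        url = match.group(0)
        # Give back sentence punctuation the regex swallowed ("...login." -> ".").
        stripped = url.rstrip(TRAILING)
        tail = url[len(stripped):]
        found.append(stripped)
        return PLACEHOLDER + tail

    for part in msg.walk():
        # Only rewrite text bodies. Multipart containers and binary attachments
        # are left alone; a real pipeline would drop or replace attachments too.
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        part.set_content(URL_RE.sub(swap, body), subtype=part.get_content_subtype())

    return msg, sorted(set(found))


def build_template(raw: str) -> Tuple[str, List[str]]:
    """Serialize the defanged message; the string is the reusable template."""
    msg, urls = defang(raw)
    return msg.as_string(), urls


if __name__ == "__main__":
    template, removed = build_template(SAMPLE_PHISH)
    print(template)
    print("Removed URLs:", removed)
```

Rewriting the tracking-pixel src as well as the visible link matters: a template that still loads images from the attacker’s domain would beacon every recipient’s address back to the criminal when the simulation is sent. Sender addresses, attachments and any links hidden in non-text parts are outside what this example handles.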

“There’s a couple of things that are really changing and have changed over the last few years,” said Kron. “The complexity of some of these attacks has really gone through the roof.”

One of the cleverest newer tactics is the browser-in-the-browser attack. It involves no malware and no interception of traffic between the browser and a web server; it is pure deception. The attacker’s phishing page uses ordinary HTML, CSS and JavaScript to draw a fake pop-up window, complete with a title bar, padlock icon and the address of a legitimate login provider, so the user believes a separate, trusted browser window has opened. In fact the “window” is part of the attacker’s page, and everything typed into it goes to the attacker. One simple check: a genuine pop-up can be dragged outside the edge of the parent browser window, while the fake one cannot leave the page. A related technique, sometimes called a browser-in-the-middle attack, is the one Kron describes next: the victim is shown a real login session running on the attacker’s machine, streamed into their own browser, so the attacker sees everything the user does.

“It takes you to a login page, maybe for a financial institution, but what it’s really done is open up a remote session on the attacker’s computer, and you’re seeing their screen on your web browser, but you have no idea this is going on,” said Kron.

Users then type in their usernames, passwords and multifactor authentication codes completely unaware of what has happened. Because the attacker receives each code the moment it is entered, it can be relayed to the real site before it expires, so a one-time code on its own does not stop this kind of attack.

As cybercriminals keep devising more deceptive ways of trapping their victims, security companies like KnowBe4 will continue to innovate and share awareness with those who need it the most.