In a Nutshell: Cyberattacks are a persistent problem online, and there are always new tactics to be aware of. To safeguard against serious cybersecurity risks, KnowBe4 offers training services and advice to banking institutions, corporations and government entities concerned over potential threats. The training platform provides security education and simulated phishing attack exercises so employees can be well prepared. KnowBe4 is always on the lookout for new threats like browser-in-the-browser attacks, which allow malware to intercept communication on a channel between a browser and a web server.
As a society, people are becoming ever more reliant on internet capabilities, whether it be for shopping, traveling, connecting with friends, or working from home. This only raises the stakes of potentially becoming victims of cybercrimes.
These crimes can be highly sophisticated and are carried out using professional-level tactics. Naturally, many people are ill-equipped to deal with cyber deception and become easy prey.
What these attacks ultimately rely on is social engineering. In cyber terms, social engineering is the art of manipulating, influencing, or deceiving users to gain control over computer systems.
Criminals can use a number of methods to achieve illegal access either by phone, email, traditional mail or direct personal contact. Criminals can exploit points of weakness online through impersonation, diversion, and many other tactics.
Interestingly, one of the oldest methods is still highly prevalent. Phishing is an attempt to acquire sensitive information, including usernames, passwords, and credit card details, by posing as a legitimate entity. Using the same tactics email marketers use to evade spam filters, cybercriminals send emails claiming to be from recognizable social websites, banks, or IT administrators in order to gain access to a user’s sensitive information.
To mitigate these threats, security firms are hard at work to help people become better prepared for the unexpected. KnowBe4 is a platform that provides educational resources and phishing simulation training to major institutions like banks, corporations and government entities.
Erich Kron, KnowBe4’s Security Awareness Advocate, said that, while cybercriminals mainly focus on ways of acquiring money, they are also known for stealing intellectual property as part of international espionage schemes. And they’re even going after people’s personal information, which also holds monetary value.
Kron said that financial institutions need to be wary because, whether the accounts being targeted are small or large, cybercriminals are always looking for ways to gain access.
A bank’s reputation rides heavily on customer trust, so when data breaches occur, the level of reputational damage can be far more harmful than lost assets. While some may find it burdensome to continuously add layers of protection, the cost benefit of heightened security measures is a net gain overall.
Prior to joining KnowBe4, Kron was the security manager for the U.S. Army’s 2nd Regional Cyber Center-Western Hemisphere, and he knows very well the complexities of developing phishing simulation training.
He said that, overall, it’s better to have a company like KnowBe4 create the simulation training because it would take far more time and knowledge for clients to attempt to do it themselves.
Security Awareness Training Helps Avoid Human Error
Most of the time, security compromises occur due to human error. People may create weak passwords, forget to follow compliance protocols, or simply get fooled by malicious attacks they lack the training to recognize.
Kron said people underestimate how skilled these cybercriminals are. They’re not some basement-dwelling kids. They are professionals.
For those reasons, KnowBe4 focuses its strategy on addressing and improving the human element of cyber threats. “We provide a security awareness training and simulated phishing platform and services for companies to basically educate their people…so they get a chance to practice before it gets serious,” said Kron.
While the education and simulated training modules are its key features, KnowBe4 also offers a KCM GRC platform for compliance and risk management. The company is currently offering its new Vendor Risk Management module to help streamline third-party vendor risk assessments and ongoing risk monitoring.
Organizations can choose between Silver, Gold, or Platinum levels set at varying prices. The prices also depend on how many employees are in the company and the number of issued user licenses.
Getting back to the human element, Kron said that people need to be aware of their emotional responses to potential scams.
“If you have a strong emotional reaction to a text message, an email, or even a phone call, take a deep breath and look at it more critically, because a lot of times what they’re trying to do is get us upset,” said Kron. “And then we miss those things.”
“If you’re in a rush to do something and you don’t look into that, they play with your emotions. Most of this stuff starts with emotions,” he said.
Simulated Phishing Attacks Test for Vulnerabilities
KnowBe4 provides one of the most renowned Security Awareness Training systems, with over 50,000 organizations using its phishing simulations. It offers the best module training preparation companies need when dealing with urgent threats like social engineering, spear phishing and ransomware attacks.
Pricing for the Security Awareness Training is split into Silver, Gold, Platinum, and Diamond levels comprising three levels of training access and increasingly powerful features.
Customers can request one-year or three-year service quotes, and the overall cost depends on the number of seats selected.
According to the 2022 KnowBe4 Phishing by Industry Benchmarking Report, before participants start their training, their average initial baseline phish-prone percentage is 32.4%. After three months, that average drops to 17.6%, and after one year of training, the average goes down to 5%.
Kron said that sometimes, when KnowBe4 starts working with an organization, it may perform an unannounced simulation, and in many cases, it doesn’t even let people know that they were tested.
He also wanted to emphasize that the intention is not to make people feel bad about their failures. The purpose is to train and teach them how to spot these issues so they can be fully prepared when it happens in real life.
“It’s not to make them so diabolical that people fail them all the time,” said Kron. “We really want to help educate people and get them used to spotting it.”
When using KnowBe4’s service, companies can set up the training for different departments, and then prepare them for simulated phishing attacks. With thousands of email templates grouped by different categories, companies can either have an AI select which ones to send people, or management can just grab a category and send them out randomly to a particular group.
Staying Ahead of the Newest Threats
KnowBe4 is always looking at new cyber trends and how to detect and collect information on newer threats. In particular, new methods of penetrating multifactor authentication are on the rise.
One of the ways KnowBe4 stays on top of things is through what Kron calls a sub-tool: it takes real phishing emails that someone has received and submitted into the system, and “defangs” them by removing the malicious link.
The defanged phishing emails can then be turned into templates and sent out to everyone in an organization so they are well prepared for any similar threats.
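The defanging step described above, as an added illustration that is not KnowBe4’s tool or code: a small Python routine that finds every live link in a submitted phishing email, swaps it for a placeholder that a training platform could later fill in, and records an inert (“hxxp”, “[.]”) rendering of each original link so analysts can still see where the message pointed. The sample email, the `{{TRAINING_LINK}}` placeholder and the function names are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a reported phishing email (not a real message;
# the domains use the reserved .test TLD and a private IP address).
SAMPLE_EMAIL = """From: "IT Helpdesk" <helpdesk@example-corp.test>
Subject: Action required: password expires today

Your password expires in 24 hours. Sign in now to keep access:
https://login.example-corp.test.evil-domain.test/reset?user=jdoe
or visit http://10.0.0.5:8080/portal
Thanks,
IT Helpdesk
"""

# Matches http, https and ftp links up to the next whitespace, quote or angle bracket.
URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s<>"\']+', re.IGNORECASE)


@dataclass
class DefangResult:
    """A reusable template plus the defanged links that were stripped from it."""
    template: str
    links_removed: list = field(default_factory=list)


def defang_url(url: str) -> str:
    """Render a URL inert so it cannot be clicked or auto-linked:
    http -> hxxp, ftp -> fxp, and every dot becomes [.]."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower().replace("http", "hxxp").replace("ftp", "fxp")
    return scheme + sep + rest.replace(".", "[.]")


def defang_email(raw: str, placeholder: str = "{{TRAINING_LINK}}") -> DefangResult:
    """Replace each live link in the message body with `placeholder` and keep a
    defanged copy of the original link for the analyst's record."""
    removed = []

    def _replace(match: re.Match) -> str:
        removed.append(defang_url(match.group(0)))
        return placeholder

    template = URL_RE.sub(_replace, raw)
    return DefangResult(template=template, links_removed=removed)


if __name__ == "__main__":
    result = defang_email(SAMPLE_EMAIL)
    print(result.template)
    for link in result.links_removed:
        print("removed:", link)
```

The placeholder approach keeps the lure text intact (the urgency, the sender name, the call to action) while guaranteeing that nothing clickable from the original survives into the training template; the defanged list is what gets attached to the analyst notes rather than the live URL.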
“There’s a couple of things that are really changing and have changed over the last few years,” said Kron. “The complexity of some of these attacks has really gone through the roof.”
One of the cleverest newer tactics is called a browser-in-the-browser attack. It allows malware to intercept communication on a channel between a browser and a web server: users are tricked into thinking they have opened a browser page when, in fact, they have opened a web portal that lets the attacker see everything they are doing.
“It takes you to a login page, maybe for a financial institution, but what it’s really done is open up a remote session on the attacker’s computer, and you’re seeing their screen on your web browser, but you have no idea this is going on,” said Kron.
Users then type in their handles, passwords and multifactor authentication codes, completely unaware of what has just happened.
As cybercriminals keep devising more deceptive ways of trapping their victims, security companies like KnowBe4 will continue to innovate and share awareness with those who need it the most.