From Stories to Security: A New Approach to Phishing Protection with Emotional Firewalls
Nadja El Fertasi
Trusted EQ Thought Leader | Resilience Coach for the Digital Era | Safety, Resilience & Well-Being as a Service | Prioritizing People with Emotional Firewalls | Let’s Connect
I admit, I have a sweet tooth. And so does my son. But we have been committed to replacing sugar with natural organic food. It has been going really well so far, except for the occasional side effects when mommy craves sugar or when the offspring throws a tantrum because he needs something sweet, like right now.
Yesterday, we decided it was okay to reward ourselves with ice cream. Life is not only about being deprived of sweet food but is all about moderation and balance. At least that is what I tell myself to justify it.
So off we went and bought our ice cream in a pot. We took a couple of spoons, and the rest was hidden in the freezer.
This morning, my son barged into my bedroom with the one ask he knows I will say NO to.
“Mom, can I have ice cream!?”
My mornings are sacred. I need time to wake up and realize I am alive and well before I start my daily routine of preparing my offspring for school and cleaning out the rabbit poo of my non-human offspring.
My son obviously threw a tantrum, and I tried to explain that sugar in the morning will make him feel tired. Moreover, he had his sports day today with school, so he needs all of his energy.
He did not listen and instead used some of my sarcasm against me.
“Please keep your moral lessons to yourself; I don't need your EQ coaching right now. I want ice cream!"
Thirty minutes later, I prepared him a wonderful homemade smoothie with natural sugars and a lot of love. He calmed down in the meantime and enjoyed his breakfast. Now he was receptive and even felt excited to start preparing for his sports day at school.
I took the opportunity to tell him a story.
.
.
.
"Imagine, son, if you have all this energy throughout the day to excel in your sports activities. How would you feel?"
“Like a champion, mom!"
“Exactly! And processed sugar in ice cream will make you feel like a loser. That's why you can't have ice cream in the morning.”
.
.
.
He got the message, he accepted the message, and he acted upon the message.
That's the power of storytelling, and that's the power we can use when raising awareness about cybersecurity.
This applies especially to phishing attacks, which are the number one entry point enabling cyber threats across businesses globally.
The most targeted organizations are those operating in critical infrastructure sectors, such as financial services.
The FBI's Internet Crime Complaint Center (IC3) reported in its 2022 Internet Crime Report that Business Email Compromise (BEC) caused losses exceeding $2.4 billion. The report discusses different cyber crimes and their financial effects, pointing out BEC as one of the most costly. (Source)
Beware the Hook: How Phishing Attacks Reel in Banks
The other day, I was explaining phishing attacks to a friend, and she initially wondered why I was talking about catching fish.
Definitions are important, and being as specific as possible is key for people to move from awareness to understanding. However, once they understand what phishing attacks mean, they also need to care about changing their behaviors and developing new habits.
To form new habits, people must be motivated to change. It's not just about rewards or punishments, or following orders.
If we wait until the cost of not changing exceeds the cost of incentives to change, people may already be tired of the constant changes.
Before we discuss using stories and emotional intelligence to encourage habit changes, let's look at some examples of common phishing attacks and their effects.
1. Spear Phishing:
Spear phishing is a well-planned and personal attack. The attacker pretends to be someone you trust to trick you into sharing information.
Impact?
If successful, spear phishing can cause huge financial loss, steal valuable data, and lead to serious data breaches.
2. Whaling:
Whaling is a type of spear phishing that targets high-ranking people in a company. The attacker pretends to send important messages to trick the targets.
Impact?
If successful, whaling can give attackers high-level access, which can lead to huge financial losses and damage to the company's reputation.
3. Business Email Compromise (BEC):
In BEC attacks, criminals pretend to be company executives or important employees to trick others into transferring money or sharing sensitive data.
Impact?
These attacks can result in direct financial loss and could get the company into legal trouble. They can also damage trust within the company.
4. Clone Phishing:
In clone phishing, attackers copy a legitimate email and replace the original content with harmful links or attachments. This fake email is then sent to the same or new recipients.
Impact?
Clone phishing can spread harmful software across the company's computer network. This can disrupt operations, compromise sensitive data, and require costly repair efforts.
5. Smishing and Vishing:
Smishing and vishing use text messages and voice calls to trick people into sharing personal information. The attacker usually pretends to be from a bank or government agency.
Impact?
Smishing and vishing can lead to identity theft, financial fraud, and additional security breaches. These methods take advantage of people's trust and can easily bypass traditional security measures.
According to a 2022 report by Verizon on data breaches, about 96% of phishing attacks come through email. The report highlights email as the main way these attacks happen. This shows how well it works and why we need to be careful. (Source)
From Instinct to Action: How Emotional Firewalls Can Save Your Day
The concept of emotional firewalls is based on the emotional intelligence framework, the EQ-i 2.0 model, which has 15 competencies divided into five composite scales: self-perception, self-expression, interpersonal, decision-making, and stress management. Here’s how these can be leveraged to mitigate phishing threats:
Recognizing Your Inner Strengths: The First Line of Defense
Self-Perception
Trust Your Instincts: Recognizing Legitimate Requests and Warnings
Imagine a scenario where you receive an urgent email from your CEO that requires immediate action. In such situations, trusting in your own self-regard and instincts can serve as your initial line of defense against potential phishing attacks. It's crucial to remain alert and rely on your intuition.
Emotional Awareness: Taking a Moment to Pause Before You Act
As you read through the email, you might notice a buildup of stress and anxiety. If you find your emotions escalating, it's a clear sign that you need to pause. Emotional self-awareness is a key skill that can help you avoid making hasty or impulsive decisions that you might regret later.
Commit to Careful Decision-Making: Embrace the Growth Mindset
Make a conscious effort to strive for personal growth and fulfillment. This commitment to self-actualization is not only beneficial for your personal development but also enhances your vigilance against fraudulent and suspicious requests. Adopting a growth mindset encourages careful decision-making and helps you stay protected against potential threats.
Speaking Up for Security: The Power of Clear Communication
Self-Expression
Speak Up: The Importance of Communicating Concerns
If you ever find yourself feeling uneasy about an email or communication you've received, it's crucial to express your concerns. By doing so, you can help prevent potential fraudulent activities from taking place. This also encourages an open dialogue, fostering a sense of trust and honesty within the team.
Challenge Suspicious Requests: The Power of Assertive Actions
Being assertive can be a powerful tool in your arsenal, especially when it comes to dealing with suspicious or unusual requests. This is true even when these requests come from your superiors. By questioning these requests, you are actively safeguarding yourself and your organization against potential phishing attempts.
Independent Judgment: The Role it Plays in Making Responsible Decisions
Never underestimate the importance of relying on your own judgment. Rather than blindly following directives, it's vital to use your own assessment of the situation. This independence ensures that your actions are responsible and in the best interests of the company.
Building Strong Connections: The Foundation of Collective Security
Interpersonal
Building Strong Relationships: The Power of Collaborative Security
Fostering an environment where everyone feels comfortable communicating is crucial for strengthening collective security measures against harmful phishing threats. Open dialogues can lead to the early detection of these threats, making it easier to stop them before they cause significant damage.
Empathy in Action: The Importance of Protecting Your Team
Understanding and empathizing with the potential impact of phishing attacks on your team members can motivate the implementation of serious protective measures. Recognizing the potential stress and harm these threats can cause encourages a more vigilant approach to security.
Duty to Protect: The Ethical Responsibility to Ensure Security
Adopting a sense of social responsibility within your organization can drive everyone to be more vigilant about verifying and reporting suspicious activities. This ethical duty to protect not only affects the individual but also helps in fostering a secure and safe environment for the entire team.
Strategic Thinking in Action: Navigating Security Challenges
Decision-Making
Analyze and Act: Developing Problem-Solving Skills
When confronted with a suspicious email, your problem-solving skills play a crucial role. They help you differentiate between genuine communications and fraudulent attempts to steal your information. By critically analyzing the content and sender of the email, you can effectively identify and avoid potential threats.
Validate Before Acting: The Importance of Reality Testing
Received an unusual request? Don't rush to action. Instead, consider the importance of reality testing. Cross-verify the facts and ensure the legitimacy of the request before you act. This approach can prevent you from falling into phishing traps set up by cybercriminals who aim to exploit your trust.
Pause and Reflect: The Need for Impulse Control
In our fast-paced digital world, the urge to react instantly can be strong. However, controlling this impulse is paramount. Taking a moment to pause and reflect allows you to conduct a thorough assessment of the situation. This avoids rushed, costly decisions that could compromise your online security and privacy.
Staying Resilient Under Pressure: Managing Stress for Better Security
Stress Management
Maintaining Composure in Stressful Situations: The Importance of Stress Tolerance
The ability to manage high-pressure situations is crucial in the modern workplace. It ensures clear thinking and prevents harmful compliance with fraudulent requests. This trait not only helps in maintaining the quality of work but also keeps one's mind alert to potentially harmful situations.
Ability to Adapt and Evaluate: Demonstrating Flexibility in Action
In the ever-evolving world of communication, the ability to adjust to unexpected changes is a valuable skill. It promotes critical evaluation of situations, which is a key to safeguarding against phishing attempts. Being flexible does not mean being gullible, but it enables one to be vigilant and aware of the changing dynamics of communication.
Maintaining a Positive Outlook: Cultivating a Resilient Mindset
Having a positive mindset is not just about being happy or optimistic. It's about fostering resilience and taking proactive measures against potential phishing or fraudulent communications. A resilient mindset can help one bounce back from difficult situations and stay vigilant against potential threats.
According to the 2022 CyberEdge Cyberthreat Defense Report, 85% of organizations faced a phishing or social engineering attack last year. This report collected views from IT leaders worldwide across different industries, giving us a sense of the cybersecurity problems they deal with. (Source)
Story Time for Security: Engaging and Educating using Emotional Intelligence
Security awareness training, particularly in the field of cyber security, often struggles to capture the interest of its audience. It's commonly viewed as dull, irrelevant, and burdensome. This raises the question: how can we transform security awareness into stories that resonate with people's experiences?
Let's explore this further!
1. Spear Phishing
Imagine receiving a personalized invitation to a surprise birthday party for a close friend. At first glance, the email appears authentic, originating from another friend within your circle. It's filled with specific details, anecdotes, and intimate knowledge exclusive to your group, adding to its credibility.
However, as you read on, you notice that crucial information like the location and time of the party is vague. This oddity piques your curiosity, but what truly raises suspicions is the next part of the email. It requests that you RSVP by providing your banking details to contribute to a birthday gift. The need for such personal information for an RSVP is a red flag, suggesting things may not be as they appear.
Like in this scenario, spear phishing uses familiar, personalized information to lure you. Using Emotional Self-Awareness, acknowledge the emotional excitement such an invite creates and how it could cloud judgment.
Reality Testing, another EQ skill, encourages you to verify the invite directly with your friends, avoiding the emotional manipulation attempt.
2. Whaling
Imagine you're the owner of a highly acclaimed restaurant, a city landmark. Your routine is disrupted one day by a notification. It's an urgent email from your trusted supplier, but it contains an unusual request. They claim there's an urgent need for a large order for an elite event. This high-profile gathering could bring great publicity and profit to your restaurant. But there's a catch - they require upfront payment for this large order. The pressure builds as you don't want to miss this potential opportunity. The choice is difficult - should you take the risk?
In this scenario, whaling targets influential individuals, like you, with high stakes. Stress Tolerance helps manage the pressure and prevent hasty actions.
Use Assertiveness from your emotional intelligence toolkit to question the order's legitimacy. Contact your supplier through a trusted channel before proceeding.
3. Business Email Compromise (BEC)
Imagine you're coordinating a neighborhood carnival, juggling many responsibilities. You're communicating with various parties and coordinating everything via email. Amid the busy inbox, you receive an unexpected email that seems to be from the event planner, who you've been working closely with. The email requests you to redirect funds intended for carnival attractions to a new account, citing a 'last-minute change' in plans. This sudden change might seem strange, but in the hustle of preparations and the trust you've built with the planner, you might not question it.
In the realm of BEC (Business Email Compromise), attackers pose as key players to divert funds. Skills like Problem-Solving and Independence are crucial. They encourage verifying changes through direct conversations, preventing hasty decisions based on deceptive emails.
4. Clone Phishing
Imagine this scenario: You've just settled down with a cup of coffee, and you see a new email in your inbox. It's from your trusted online bookstore, a familiar name that you've been patronizing for years. The subject line is innocuous enough, something you've seen a dozen times before - "Follow-up Email".
You remember that just last week, you ordered a couple of books from them, and you received a confirmation email for the same. This new email, however, has a different attachment. It's labeled "Updated Invoice". Your curiosity is piqued - perhaps they've made a mistake with your order, or maybe there's some new information they need to share.
You've dealt with this kind of routine administrative correspondence many times before, and you don't think twice about it. After all, it's just part of the process when you order something online. So, without a second thought, you move your cursor towards the email, ready to open it.
Clone phishing mirrors something familiar but with a malicious twist. Flexibility allows you to adapt to unexpected changes by pausing to consider why an invoice would be sent again. Empathy towards yourself and your data’s safety means verifying the email’s authenticity first.
5. Smishing and Vishing
Now imagine this... you receive an unexpected phone call, and the caller identifies themselves as a representative from your bank. They express concern about suspicious activity reportedly occurring on your account. They stress the urgency of the matter and insist that they need your account details immediately to halt any further unauthorized transactions. The situation becomes even more convincing as you notice that the caller ID mirrors your bank's official contact number precisely.
With an unexpected phone call like this one, the key vishing defenses are Stress Tolerance, to keep calm under pressure, and Assertiveness, to refuse to hand over sensitive information impulsively. Use your Interpersonal Relationships to call your bank back on a number you trust, safeguarding your personal information.
These stories not only make the phishing types more understandable but also illustrate practical applications of EQ competencies to enhance personal and organizational cybersecurity measures.
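The clone phishing story above (the bookstore "Updated Invoice") and the BEC story (funds redirected to a new account) both hinge on a message that mimics earlier, legitimate correspondence while quietly changing where replies or links go. The check below is an added example, not code from the article: it compares a follow-up message against the original it claims to continue and reports what changed. Both messages and all domains are constructed sample data.

```python
"""Clone-phishing comparison: diff a 'follow-up' email against the original
it mimics.  Added example for the article; messages and domains are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the legitimate order confirmation from last week.
ORIGINAL = """\
From: Orders <orders@example-bookstore.test>
Reply-To: orders@example-bookstore.test
Subject: Your order confirmation
Content-Type: text/plain

Thanks for your order. Track it at https://example-bookstore.test/orders/1234
"""

# Constructed sample: the cloned follow-up with a swapped link and Reply-To.
SUSPECT = """\
From: Orders <orders@example-bookstore.test>
Reply-To: billing@example-bookstore-invoices.test
Subject: Follow-up Email
Content-Type: text/plain

Please review the updated invoice: https://example-bookstore-invoices.test/invoice.zip
"""

URL_RE = re.compile(r"https?://([^/\s]+)\S*")


def _domain(addr: str) -> str:
    """Return the domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def link_hosts(text: str) -> set[str]:
    """Collect the host names of every URL in a message body."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def clone_findings(original_raw: str, suspect_raw: str) -> list[str]:
    """Report how the suspect message diverges from the original it imitates."""
    orig = email.message_from_string(original_raw, policy=policy.default)
    sus = email.message_from_string(suspect_raw, policy=policy.default)
    findings = []
    from_dom = _domain(parseaddr(str(sus["From"]))[1])
    # 1. A Reply-To that steers answers away from the visible sender's domain.
    reply_to = sus["Reply-To"]
    if reply_to:
        reply_dom = _domain(parseaddr(str(reply_to))[1])
        if reply_dom != from_dom:
            findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    # 2. Link hosts that the genuine correspondence never used; a host that
    #    merely contains the sender's name is the classic lookalike.
    known = link_hosts(orig.get_content()) | {from_dom}
    for host in sorted(link_hosts(sus.get_content()) - known):
        kind = "lookalike" if from_dom.split(".")[0] in host else "unknown"
        findings.append(f"{kind} link host {host} not present in the original message")
    return findings
```

A message that reproduces the original's links and addresses produces no findings; anything flagged is a reason to verify through a trusted channel before opening the attachment or paying.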
Join me in our Exclusive Masterclass against Phishing!
If you're interested in transforming security awareness into narratives that resonate, join me for the first master class in a series tailored for the financial services industry.
On Thursday, June 6 *, I will host an exclusive online master class to help C-Suite leaders in the financial sector strengthen their emotional defenses against phishing attacks.
The focus won't be on preaching about security, but on telling stories that resonate with your worldview.
*Date Change Notice: The Masterclass will now take place on Thursday, 6th of June. The timing remains the same.
Leading AFCyberNest | Director at Oryx Holding
6 months ago
Thanks for sharing, Nadja El Fertasi. Emotional intelligence is indeed powerful. When used for malicious actions like phishing and social engineering, it becomes very harmful, or we can say a double-edged weapon like any other tool. IQ is not enough these days; we need EQ now more than ever. Most scammers rely not on technical abilities, but on communication skills and manipulating victims' emotions. Always be vigilant when dealing with any type of emails, messages or calls.