The Human Factor: Training Your Team to Recognize and Prevent Fraud

When cybersecurity comes up in conversation, most business owners point to their tech stack. Investing in IT is great, but it's just one part of overall business security. At the end of the day, how secure your store is depends on the humans who interact with it.

According to Verizon's 2023 Data Breach Investigation Report, 74% of breaches involved a human element, including deception, privilege misuse, and data theft. You can't just install the latest technology and call it a day: the people responsible for your business must be able to detect cyberattacks on their own.

We’ll discuss the human element of cybersecurity, how attackers target vulnerable humans, and what you can do as a business owner to prevent fraud. 

Understanding the stakeholders of cybersecurity

Beyond the security tech stack, three groups of people work with your business: employees, vendors, and customers. They face different security challenges and hold different privileges, but all of them affect your business's security.

Employees carry the biggest security implications, and they form the major part of this article. Vendors and third-party contractors can open the door to cyberattacks if your vetting process is flawed or your business lacks SOPs for dealing with vendors. A few years back the retailer Home Depot suffered a massive leak of 56 million payment details through a vendor's compromised credentials.

Finally, your customers can affect your business security. If threat actors get hold of one user account, they may be able to pivot from it to other accounts. In 2019, Facebook was found to be storing user data in plaintext files that could be accessed by anyone!

But really, the biggest challenge is to shut down security loopholes at the employee level. Employees need to be aware of the vast amount of data they process and of the ways to safeguard that data.

What are the common security threats against retail employees? 

Cybersecurity is an evolving field, with new threat actors cropping up every day, but these are the most common ways an attacker might steal your data:

1. Phishing 

The age-old hacking technique is still going strong. Phishing gains the victim's trust by posing as a trusted source and then gets them to share confidential information. It's usually carried out by SMS (smishing) and email attachments, but it can also arrive as website pop-ups and QR codes. Phishing has stood the test of time because it exploits how its victims behave.

Automated phishing attacks in 2024 use open source intelligence (OSINT) to build multi-channel attacks. Previously, the telltale signs of a phishing attempt were poorly constructed messages and an unusual sense of urgency. Now flawless phishing messages can be generated with ChatGPT, which makes identifying them harder than ever.
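The telltale signs just described (a trusted name sitting on a mismatched sender domain, manufactured urgency, link text that names one site while the link goes to another) can be checked mechanically, which is also a useful way to show trainees what to look for. The following Python is an added example written for this article, not code from Lightspeed or any product it mentions. The brand-to-domain table, the urgency phrases and both sample messages are constructed for illustration, and the simple two-label domain comparison is an assumption that would need a public-suffix list in real use.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Phrases that manufacture urgency. Constructed for this example; tune to your own mail.
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "act now", "account suspended",
    "verify your account", "final notice", "urgent",
)

# Brands the store deals with and the domains they legitimately send from.
# Constructed for this example; a real deployment keeps its own list.
KNOWN_SENDERS = {
    "lightspeed": {"lightspeedhq.com"},
    "paypal": {"paypal.com"},
    "ups": {"ups.com"},
}


@dataclass(frozen=True)
class Email:
    display_name: str   # the "From" name the reader sees
    from_addr: str      # the actual address behind it
    subject: str
    body: str
    links: tuple        # (anchor text, href) pairs as a mail client would extract them


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def base_domain(host: str) -> str:
    # Last two labels only (www.paypal.com -> paypal.com). Crude for country
    # second-level domains such as co.uk, but enough for the illustration.
    return ".".join(host.split(".")[-2:])


def same_site(host: str, allowed: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in allowed)


def phishing_indicators(msg: Email) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    dom = sender_domain(msg.from_addr)
    text = f"{msg.subject} {msg.body}".lower()

    # 1. The display name claims a known brand, but the address is not that brand's.
    for brand, domains in KNOWN_SENDERS.items():
        if brand in msg.display_name.lower() and not same_site(dom, domains):
            findings.append(f"display name '{msg.display_name}' but sender domain '{dom}'")

    # 2. A brand name embedded in an unrelated sender domain is a lookalike domain.
    for brand, domains in KNOWN_SENDERS.items():
        if brand in dom and not same_site(dom, domains):
            findings.append(f"lookalike sender domain '{dom}'")

    # 3. Manufactured urgency in the subject or body.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Link text that shows one site while the href goes to another, or uses plain http.
    for anchor, href in msg.links:
        target = host_of(href)
        shown = ""
        if "." in anchor:
            shown = host_of(anchor if "://" in anchor else "http://" + anchor)
        if shown and base_domain(shown) != base_domain(target):
            findings.append(f"link text shows '{shown}' but points to '{target}'")
        if href.lower().startswith("http://"):
            findings.append(f"unencrypted link to '{target}'")
    return findings


# Two constructed messages: a genuine receipt and a classic credential lure.
LEGIT = Email(
    display_name="PayPal",
    from_addr="service@paypal.com",
    subject="Your receipt",
    body="Thanks for your purchase. View the details in your account.",
    links=(("paypal.com", "https://www.paypal.com/receipt"),),
)

PHISH = Email(
    display_name="PayPal Support",
    from_addr="alerts@paypal-secure-login.com",
    subject="Urgent: account suspended",
    body="Verify your account within 24 hours or it will be closed.",
    links=(("paypal.com/verify", "http://paypa1-secure.net/login"),),
)

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("phish", PHISH)):
        print(label, phishing_indicators(msg) or ["no indicators"])
```

Each finding maps to one of the habits the training should build: read the address behind the display name, treat urgency as a signal rather than a reason to hurry, and hover over links before clicking. The genuine receipt produces no findings, the lure produces five.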

If your personal information has been compromised due to a phishing attack, check out this comprehensive guide that will walk you through the necessary steps to mitigate the damage.

2. Ransomware 

Ransomware continues to be the fastest-growing type of cyberattack in recent years because our devices store a lot of personal data and the stakes have never been higher. Attackers today go beyond simply encrypting data and demanding a ransom for the decryption keys: they now exfiltrate the data as well to put more pressure on victims. According to Sophos, 21% of ransomware attacks in retail last year involved both encryption and exfiltration, and 32% of respondents said phishing emails were the root cause of the attack.

Ransomware attacks work so well because businesses can't afford to lose sensitive data or have it leaked to other criminals. Poor data hygiene and the lack of proper backup and restore systems are what make these attacks effective, and the rise of the ransomware-as-a-service industry bolsters them further.

3. Social engineering

Social engineering attacks track and influence victims' behavior to find vulnerabilities or steal access privileges. It's an umbrella term covering all kinds of drawn-out steps to gather data and then use it to execute a precise attack.

Phishing and ransomware involve some form of social engineering, but considering how pervasive they are in the security world, we thought they deserved standalone mentions.

Social engineering attacks happen covertly, often drawn out over months. From dumpster diving and diversion tactics to honey traps and quid pro quo, these attacks work because criminals have far more public data to draw on when building an attack strategy.

4. Cryptojacking

Did you know cryptojacking attempts increased by 659% in 2023 compared to the year before? Mining cryptocurrency takes an incredible amount of computing power, so hackers turn to victims' computers to do it. Cryptojacking drains the resources of infected devices, making them warm, slow, and unresponsive. Apart from the business loss, cryptojacking points to another danger: if work devices are being used to mine crypto, they already contain security lapses that attackers can exploit further.

5. IoT attacks

Devices not only store personal data; they also interact with other devices on the same network to improve workflows. Employees who work remotely and fail to secure all of their IoT devices might let hackers enter the system through a loophole and spread across the network. On top of office and personal devices, connected cars may pose a threat to your business as well, since the auto industry is quite aggressive in data collection. Any of these access points may one day be used to attack your employees unless they are aware of the security implications.

6. CEO fraud

A newer kind of threat in the cybersecurity ecosystem is CEO fraud. It means impersonating a senior executive of the company to manipulate an unsuspecting employee into sharing something they should not.

CEO fraud has become frighteningly advanced thanks to vishing (voice phishing) calls built on AI voice generators. CEO fraud over voice calls is effective because employees are given the least amount of time to judge the situation and end up panicking. Just a few months back a high-profile Hong Kong employee sent $25 million to criminals who used deepfakes and voice clones to pass themselves off as the employee's boss.

Employees may unknowingly invite cyberattacks by neglecting their online privacy, for example by sharing personal information on social media or using weak passwords. Attackers use this data to craft convincing phishing emails or social engineering approaches. Strong privacy practices and credit protection services can reduce these risks.

What are the ways employees invite cyberattacks?

Knowing how threat actors plan their moves will not solve anything on its own. You also have to plug the loopholes that allow these attacks to be effective in the first place. Here are a few ways the humans of your business knowingly or unknowingly help cybercriminals:

1. Not caring for privacy online

AI-powered social engineering attacks gather data on victims over time. Attackers identify potential targets by gauging their level of security and privacy awareness and how important they are to the company.

Unfortunately, we still see many social media users leaving their personally identifiable information (PII) out in the open, posting every detail of their lives and sharing a bit too much on the internet. These bits and pieces of information are collected and processed to guess login IDs and the answers to security questions.

To protect yourself from personal identity theft, be careful who you connect with online and limit what you share. The less personal information out there, the harder it is for criminals to steal your identity.

2. Lack of password management practices

If not through social engineering over social media, attackers try their luck with password leaks. A lot of employees to this day don't use a password manager to generate strong alphanumeric passwords and store them securely. They often use the same or similar passwords on multiple websites and never refresh them after a few months. This lack of password hygiene lets attackers sift through leaked databases and try the leaked credentials in brute-force login attempts against other sites.
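The pattern the paragraph describes, leaked credentials replayed against your own login page, leaves a recognizable trace in authentication logs: one source failing against many different accounts within minutes, then occasionally succeeding where an employee reused a password. The following Python is an added example for this article, not code from Lightspeed or any product named here. The log format and the log lines are constructed, and the thresholds (five distinct accounts within five minutes) are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication log. The line format is an assumption
# for this example; adapt LINE_RE to whatever your login system actually writes.
SAMPLE_LOG = """
2024-03-04T10:00:01 login ip=203.0.113.5 user=alice result=FAIL
2024-03-04T10:00:02 login ip=203.0.113.5 user=bob result=FAIL
2024-03-04T10:00:03 login ip=203.0.113.5 user=carol result=FAIL
2024-03-04T10:00:04 login ip=203.0.113.5 user=dave result=FAIL
2024-03-04T10:00:05 login ip=203.0.113.5 user=erin result=FAIL
2024-03-04T10:00:06 login ip=203.0.113.5 user=frank result=FAIL
2024-03-04T10:00:07 login ip=203.0.113.5 user=frank result=OK
2024-03-04T10:01:00 login ip=198.51.100.7 user=alice result=FAIL
2024-03-04T10:01:20 login ip=198.51.100.7 user=alice result=FAIL
2024-03-04T10:01:40 login ip=198.51.100.7 user=alice result=OK
2024-03-04T10:02:00 login ip=192.0.2.9 user=bob result=FAIL
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(lines):
    """Yield (timestamp, ip, user, result) tuples, skipping lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]


def credential_stuffing_sources(lines, window_minutes=5, min_users=5):
    """Return {ip: sorted usernames} for every IP whose failed logins hit at least
    min_users distinct accounts inside any window of window_minutes.
    A single user failing repeatedly (a typo, a forgotten password) is not flagged."""
    window = timedelta(minutes=window_minutes)
    fails = defaultdict(list)
    for ts, ip, user, result in sorted(parse_events(lines)):
        if result == "FAIL":
            fails[ip].append((ts, user))

    flagged = {}
    for ip, events in fails.items():
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than window_minutes.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) >= min_users:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged


def accounts_to_reset(lines, flagged):
    """Accounts that logged in successfully from a flagged IP: the password was
    almost certainly reused from a leak, so force a reset and review the session."""
    hits = {user for ts, ip, user, result in parse_events(lines)
            if result == "OK" and ip in flagged}
    return sorted(hits)


if __name__ == "__main__":
    sources = credential_stuffing_sources(SAMPLE_LOG)
    for ip, users in sources.items():
        print(f"{ip}: failed against {len(users)} accounts -> {users}")
    print("force password reset for:", accounts_to_reset(SAMPLE_LOG, sources))
```

On the constructed log, 203.0.113.5 is flagged for hitting six accounts in six seconds, while 198.51.100.7 (one person mistyping their own password) is not, and frank's successful login from the flagged source is the account that needs a reset. That distinction, many accounts per source rather than many attempts per account, is what separates credential stuffing from an ordinary lockout rule.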

3. Dissatisfaction

When we started off this segment we mentioned employees knowingly helping cybercriminals. That, in fact, is a very real possibility in today’s landscape. 

According to Statista, 36% of cybersecurity threats originate internally. If a disgruntled employee knows your system's vulnerabilities, or at least the most effective ways attackers infiltrate databases, it may become a huge problem for your business. From job insecurity to work pressure, dissatisfaction can be triggered in many ways, and it's on you to identify possible disagreements and make sure your greatest assets don't become liabilities.

Empowering employees

Now that you know the threats employees face and the ways they enable attackers, it’s time to understand how you can help them prevent fraud. And no, training alone doesn’t solve this.

Shift in culture 

The first thing you need to do is create security awareness across the office or store. And it starts from the top. 

If teams understand their role within the security infrastructure, they'll be able to communicate and explain the cultural shift to employees. A security-first office is aligned with regulatory and compliance frameworks, its employees are confident in detecting fraud attempts, and its customers are convinced of the steps taken to ensure their safety. Things like zero-trust networking, data privacy preservation, and a bleeding-edge tech stack are all part of a broader company culture in which each stakeholder shows accountability.

That said, organizational culture is always a collaborative process. Your job is to encourage employees to share their skills, bridge the gap, and empower the people who are not comfortable with the technical side of security. Remember that human weakness is near impossible to abolish, but in a transparent and streamlined office people are more likely to talk about potential security lapses.

Rewriting policies

The next step after overhauling the security culture is to document the new SOPs and protocols. Security awareness stays theoretical until it is written down in exhaustive documentation. Make sure you document all the dos and don'ts, the communication channels, the disaster response team, and the leadership hierarchy. In case of a cyberattack, following the protocol will save you crucial time.

Employee training 

Once you know your threats and have protocols to follow, it's time to invest in employee training and development, enabling the people who are the first to react to these changes. Security training imparts key knowledge to employees and teaches them how to use security tools.

Make it interactive

Cybersecurity is a heavy word in business and it weighs more on people who are intimidated by consequences. The goal here is to tick off improvements as a team. 

Employee training should be based on established, peer-reviewed educational content. Instead of making it feel like schoolwork, take the base content and make it interactive by incorporating quizzes, debates, and fun office games. One example of holistic learning is sending mock phishing and ransomware attempts to employee devices and asking them to spot them. You can create a leaderboard as well to spark healthy competition.

Reiterate and simulate

Cyberattacks develop every day and so do prevention strategies. Employee training is not a one-off event: you have to conduct seminars and bootcamps frequently to keep employees up to speed with the latest challenges. Employees cannot respond effectively if their response is based on outdated information. Going over industry trends once every few months is necessary, but the foundational knowledge should be reiterated more frequently.

Apart from that, you should also simulate real-life scenarios to prepare employees better. This may include phishing emails in a contained environment, AI-generated CEO-fraud calls that make employees think quickly on their feet, OTP bombardment to trigger MFA fatigue, fake password leak notifications, and so on. The more practical elements you can introduce into a stress test, the better.

Track and follow up

Just like software and project development cycles, you must track progress and adjust accordingly. Not every employee will respond to the courses at the same pace. In such cases, you have to stay in constant touch with employees and capture their feedback. If you can rejig the modules and integrate the feedback, they'll feel heard, which is a massive confidence booster.

Meaningful tracking and follow-up with employees will build a better mutual understanding, and this may well prevent employees from becoming dissatisfied with their job.

Recognize efforts

Finally, you should recognize the efforts put in by your team and reward the best performers. Incentivizing learning is a tried and tested way to get the most out of people. From coupons to cash or even a paid day off, pick the award that resonates most with your employees.

Tracking the best performers also helps you identify your security champions. You can delegate tasks to them and integrate them into the security response protocols for faster resolutions.

How to create the ideal training program for your team

You should try roping in a security expert to mentor your team of employees. You can work with this person to develop internal security policies, flesh out future goals and implement a cultural change in terms of accountability and awareness. 

Empowering the human

Your business is only as strong as its weakest link. Allowing your employees, vendors, or customers to become liabilities costs businesses dearly, no matter what security measures are in place. Cybersecurity and fraud detection are evolving concepts, so the training has to be a work in progress as well. When employees feel confident in thwarting cyberattacks, it directly adds to your brand value. Beyond that, you should use Lightspeed's extensive security features customized for retail, ecommerce, and restaurant businesses.
