Posted on

Small cyber security choices, big consequences

Understanding good cyber security practices — like using long and unique passwords and two-factor authentication — can go a long way to keeping you safer online, but no matter how good your knowledge is, sometimes it’s still hard to know which practices are most helpful in particular situations.

That challenge is what’s at the heart of our new Cyber Secure Choices series of Security Awareness courses. We want to help you build your confidence in making these decisions by looking behind the curtain of how common cyber attacks work and most importantly, by reassuring you that you have the power to stop them in their tracks.

This series will look at different types of security incidents and give you the choice to decide what happens next.

Consider it a safe place to practice good security choices or see the negative impacts of bad ones. To take an example many of us are guilty of: what could happen as a result of recycling the same password across different accounts? Watching this play out in a Cyber Secure Choices episode can help you see how the impacts of a cyber attack can vary depending on the choices you make.

Cyber Secure Choices will step you through how different security actions can come into play, and how they can help you take control of a security incident as it unfolds.

First in the series is Episode 1: Invoice Redirection Fraud.

The threat is real

You probably won’t be surprised to hear that most cyber attacks are financially motivated, and invoice fraud attacks are top of the list. Hackers target people going about their business, often with no idea that anyone’s trying to use their email accounts to get payments going to places they shouldn’t be going.

You may have come across invoice redirection fraud before. It’s a type of attack where fraudsters get access to the email account of an employee and use it to send out emails telling contacts they need to update the bank details they have on file for the organisation in question.

Invoice Fraud Banners

The people who get those emails then do as they’re asked, thinking they’re paying into the correct, updated account. In reality, these payments are now landing in the fraudster’s bank account.

Invoice fraud combines two common types of attacks: social engineering and email compromise.

Social engineering, or tricking people into giving away their information or access to systems, is at the root of invoice redirection fraud. It’s how an attacker can break into someone’s email account or get payment details changed.

Phishing — when someone sends you scam emails disguised as legitimate emails, with the aim of tricking you into sharing sensitive data or paying money — and business email compromise have also seen a meteoric rise over the past year. According to a 2021 Verizon report, the number of scams using compromised credentials is around 85% — staggering!

This means it’s more important than ever to make micro-changes to how we work, so we’re confident we’re protecting against these types of attacks.

You are the best defence

There’s no one action that can make invoice scams go away. A determined and financially-motivated attacker will probably try several different tactics to get what they want. It’s inevitable that sometimes, us mere mortals are going to make mistakes. We might fall for the oh-so-convincing story spun by a silver-tongued vishing caller, or we might absent-mindedly click on a link in a cleverly-crafted phishing email.

We’re human, and that’s okay. So instead of being perfect cyber security robots, what we want to aim for is creating a culture of cyber security awareness and support — a kind of safety net. If we’re aware of security incidents and their possible stages, we’re better equipped to handle them. In the event that something bad does happen, we have the safety net of basic knowledge we can rely on to catch us before the problem escalates and gets out of control.

And that’s where Cyber Secure Choices comes in.

As well as giving you a safe way to see how different choices can affect a situation, we also want to show why ongoing communication about the basics of good security practice is so important.

A lot of the advice on safe cyber security practices has hardly changed over the years, and that’s for good reason — our weaknesses around the basics are still an easy target for cyber attackers. The attacks haven’t necessarily become any more complex. They’re just taking advantage of the same old mistakes.

Interactive learning: Invoice redirection scams

The first episode in our Cyber Secure Choices series is all about invoice scams. You get to consider certain incidents from the perspective of an employee of an organisation who sends out invoices to be paid.

We’ll go through the security learning actions that can help keep you and your organisation safe, including:

  • Protecting your email with a unique password and two-step authentication.
  • Verifying requests for access or information before acting. This could be calling the requester back on a phone number listed on their official website, or chatting to a trusted point of contact.
  • Turning off features you don’t need in your email, like auto-forwarding rules. If you do need these, disable them by default and add them by exception.
  • Knowing who to talk to when you get requests that you can’t verify, or when you think something odd has happened — like invoice payments that are unusually late.

Try it yourself

If you’re not already signed up for our bite-sized Security Awareness training, grab a free trial and take it for a spin. You’ll get full access to our courses for 14 days, covering topics like passwords, ransomware, security for remote working, and device security.

We love to hear from you

We hope our Cyber Secure Choices series helps you and your team think about the many small choices we make every day that can impact our cyber security for better or worse.

We’d love to hear your feedback. Drop us a line on and let us know what you think.