• United States




Security awareness: Training moms and end users to spot a scam

Jan 19, 20164 mins
IT SkillsSecuritySocial Engineering

Why awareness training is important for securing the enterprise and your extended network of friends and family.

Char Yarema is of the generation of parents who did not grow up using technology, so her son, Jonathan Yarema, security consultant at Trustwave, has impressed upon her the importance of using caution and patience when surfing the web. Jon wrote about his mom’s experience in his SpiderLabs blog post, and I had the chance to talk with the security duo to learn more about their story.

Char reminded me a lot of my own parents, who love the convenience and expansiveness of using the Internet but also fail to understand the potential threats that constantly lurk behind a computer screen. Just a few weeks ago, I received what was clearly a spam mail from my father. I called him to let him know that his email had likely been compromised as I had received said email with a subject that my dad would never have written. “What did the email say?” he asked.

I explained that I didn’t open it and that he needed to change his password immediately and the passwords of all other online accounts.

My dad is a retired general contractor, and at 69 years old, the Internet has always been a source of entertainment. Like many folks his age, he doesn’t understand the criminal activity that he can easily fall victim to, most likely because he’s never been trained to look for suspicious behavior.

Char Yarema has, though. Before Christmas she had called up a store to place an order and learned that the free shipping was only available to online shoppers. “I called because I like to talk to someone. I knew that it said free shipping online, but with the gal it was $12. She explained that it was only free online, so I went back to the computer,” Yarema said. 

It was her first online shopping experience and she navigated through the process with relative ease, clicking the item she wanted and arriving at the point that they wanted her name and all the vital information. “I entered all of the information, and the next step was to place the order, but I heard this inner voice—probably Jon’s voice—saying ‘check for the lock’” said Yarema. She didn’t see it and wasn’t sure if it should have shown up before this point in her checkout, so she decided to call her son.

“I said, just wait and talk to Jon because I didn’t know if it was only the lock I should be looking for. I texted him, and he said not to do anything right now and that he’d check it out when he got to work,” Yarema said.

“Well, I got a message from him, he was practically shouting at me in capital letters—DO NOT PLACE THAT ORDER,” Yarema said. Unfortunately, the scam was sophisticated enough to have an event from field to field that took everything entered into the form so that they got the data even though she hadn’t hit the submit button.

As so many of the employees represented in today’s work force encompass those ranging from recent college graduates to soon-to-be-retired, the average enterprise will have end users who are much like my dad and Jon’s mom. “We enjoy the technology but it’s kind of a love-hate relationship. Having a computer at home is like having a library in your dining room, but sometimes it scares me. Yet, it’s such a great invention that I’m drawn back into it.”

So for all of those who are entering into the information security or cyber security industry, understanding who your end users are and what their level of comfort and threat awareness is will inform the types of training programs you need to implement to best defend your expanded networks.

Jonathan Yarema said, “One of the things that we’ve always looked at is certificates when you’re using a web browser. If you get that untrusted web sign, don’t go any further. Bring that to an administrator.”

Other topics you want to emphasize in training employees about cyber hygiene include password complexity and where they are stored, spam attacks, and spear phishing.  Jonathan Yarema said, “Email comes through and it looks like it’s from someone else in the organization. Knowing what the roles are and who the players are is key, especially for new people. Sometimes security is just starting to see the attack vectors.”

Whether training employees, family, or friends about cyber security, Jonathan Yarema said, “Under normal circumstances you should see a certificate.” In dealing with any person, “You should never be asked for a password.” Ensuring that your employees keep these tips in mind will help to protect the enterprise.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author