Everyone makes mistakes, but do they know it or know what to do next?

When I realized I did something "stupid", the important question was, "What do I do next?" I figured it out. Can your users?

Over the past month, there were countless news stories highlighting a new scam where criminals call up random telephone numbers, and a recording begins the call with, "Can you hear me?" The scam then goes on to record you saying, "Yes," and then the criminals use the yes to claim you agreed to buy a product or service, and bill you for it. The advice for people was to hang up immediately. I thought there was no way I would fall for this type of scam, and that I would just hang up.

One recent morning, I was sleeping in and received a call. There was some basic introduction, and then the caller said, "Did you vote in the last election?" In my drowsy state, I said, "Yes."

I quickly realized that I might have fallen for the scam I thought I would never fall for. My immediate reaction was to dial "*57", which records the last incoming caller to send to the police. I then called the number provided by the service to record it.

I spoke to the representative, who told me that the carrier does not perform third-party billing. So, if the criminals try to charge something to my account, they will not bill me for any charges. If they try to bill me through some other means, there is a record of the potential fraud with a possible way of tracking the criminals.

Whether or not the call I received was a version of the scam, it does lead to a few important questions.

First, does your awareness program provide specific examples of what to avoid, or does it provide blanket guidance for how to behave? In this case, while it wasn't the predefined scam, what I experienced had the same effect. Does your phishing training teach people how to recognize the simulated phishing messages, or phishing messages in general? Does your social engineering program teach people to recognize specific scams, or scams in general? You need to be very sure you're teaching people the right things.

Second, can your users detect if they've fallen for some type of scam? You need to consider whether your training is too narrowly tied to particular attacks. If you use specific examples, you need to ensure that users can broaden their perception of attacks.

At the same time, can your users step back and review events to see if they fell for an attack? Sometimes, being victimized is not inherently obvious. It may take some reflection to realize that they were either a victim or enabled an attack. This is situation dependent, but it is important to consider the concept for your organization.

Lastly, would your users know what to do if they believed they had detected such an incident? Clearly, if you are in an organization's security department, the desired action would be the user reporting the incident to you. However, in order for that to happen, the user has to know how to report a potential incident and, most important, feel comfortable enough to do so.

People knowing how to report an incident should be simple to accomplish. However, in this case, you must ask yourself if a typical person would consider this a physical security or cybersecurity incident. Do you provide a single contact to triage any potential security-related incident? You need to make reporting easy.

However, even if it is easy to report, it is irrelevant if people won't report potential concerns. Consider that people might not be motivated to report incidents in the first place. Generally, it should be considered a requirement for people to report any potential incidents. That is not always obvious. They might feel they are bothering people and being overly paranoid. They might feel stupid if they report something that is not a valid concern.

More important, they may feel stupid reporting that they fell for an attack in the first place. Consider the irony that the impetus for this article is my admitting that I might have made a mistake. I, however, realize that everyone makes mistakes, and I am not embarrassed to admit it. The average user doesn't realize this.

Possibly more relevant is that a person might believe they will be blamed and punished for failing. They might be afraid of repercussions. If they believe they are the only one who knows about their potential error, they would want to hide the mistake.

In the awareness field, the focus seems to be on making sure users know how to protect themselves and not fall victim to attack. All too frequently that focus is on protecting against specific attacks, and not on general guidance, as I previously detailed. That must change.

However, just as important, awareness needs to feature detection and reaction. But remember, even an aware person will not react appropriately if you don't have a supportive environment. People will make mistakes, and they should feel comfortable admitting it.