When a smishing (SMS-phishing) attack poses as your bank and rips you off for thousands of dollars through Zelle, who is responsible and accountable for the loss? Is it your bank, since it covers other types of fraudulent losses? Is it Zelle, since its platform is what allowed the scam to take place? This Zelle-centric fraud has, sadly, become quite a common occurrence lately. As Kathy Stokes says in her powerful TED talk on the matter, we need to change the narrative around this type of fraud. As a financial services and cybersecurity industry, we need to empower the victims instead of tritely asking, “How could they fall for that scam?”
Unfortunately, while I feel the banks and Zelle bear some responsibility, the accountability rests solely with you. As I’ve written many times before, cybersecurity (of which fraud is a subset) is primarily a human issue, a human endeavor.
Think about it this way. Imagine you are about to buy a car. A guy in the next state contacts you through Facebook and says, “I’ll sell you this car for $5,000.” You think it is a sweet deal, and take him up on it, handing him $5,000 as you drive away in the car. When you’re arrested later for being in possession of a stolen vehicle, you don’t blame your bank (or the check printer for that matter) for enabling you to give him $5,000 without making sure the title is in order. The same should be true for cybersecurity—if anyone willingly chooses to make a monetary decision without checking the credentials of the other party, the risk is their own (but again, I feel banks and Zelle, in this case, bear some responsibility as well).
If taking responsibility still feels like a bad thing, bear with me.
Taking responsibility is empowering. As Americans, we’re culturally used to comfort. It’s hard to argue with that. Not to generalize too broadly, but we’re comfortable, complacent, and, many times, too trusting. We assume that the government, our company, insurance—anyone else—will be able to protect our data (and thus ourselves) from cybersecurity threats. Taking responsibility is the last thing we think of, but the first thing we need. No one cares about your interests as much as you do; no one can protect them like you can. In our Academy, we emphasize the development of critical thinking skills (here’s a great resource to challenge your biases and practice critical thinking) because we believe not only that we are capable of taking responsibility for our cybersecurity, but that we are better served by understanding risk than by resting in ignorance.
I recognize, however, that taking responsibility for your cybersecurity will look different depending on your role and situation. Using our smishing attack example (i.e., the use of SMS messaging as part of a cyber or fraud attack), here are three steps you can use to begin to take responsibility:
First, breathe. Fear, anger, and panic, our knee-jerk reactions in moments of crisis, create a sense of urgency while clouding our thinking. That sense of impending doom makes us act irrationally and entrenches us further in the crisis. Instead of acting without thought, take a moment and breathe.
Second, once you have cleared your mind, ask. Ask yourself: who is this person? Why should I trust them? Why do they trust me? Don’t assume that you know them or that they really know you! In fact, assume as little as possible, no matter what you’re analyzing in cybersecurity.
Finally, look for evidence. Even after you’ve established an identity, continue to test it by looking for evidence that they aren’t who they claim to be. The moment you let your guard down is the moment it becomes most advantageous for someone to pose as a person you think you know. Trust, but continue to verify in each new interaction.
Taking responsibility is what changes the game between victimization and empowerment. At the end of the day, it isn’t the government, your company, or the bank that protects your interests. It’s you.