Security awareness anecdotes often tell a story about the employee who set loose ransomware on the network or e-mailed W-2s to scammers.  The employee is often the focal point in a negative context. If you need some positive reinforcement, here are two recent stories where the good guys one-upped the criminals.

First, the certified technician scam.

This is the scam that pops up while browsing, warning that your computer is infected and to call a certified technician as soon as possible.  Folks who fall for this scam are often directed to pay a fee in exchange for downloading malware disguised as a cleaning program.  The owner of The Jolly Roger Telephone Company, Roger Anderson, is helping to shut these scams down. Through the use of a bot army, he calls the scammers and engages them in meaningless conversation.  His viewpoint?  If he can keep a scammer busy in conversation, it limits the time they have to con others out of their hard earned money.  After receiving one of these pop ups on his own computer, Anderson bombarded a fake call center with his bot army. The call center disconnected the phone number within minutes, saving countless others from being scammed.

Second is the Business E-mail Compromise (BEC) scam that swindles companies out of billions of dollars.

This wire transfer scam impersonates the boss and uses social engineering techniques (often through phishing e-mails) to persuade the purchasing department to quickly wire funds to a vendor or other entity.  Dell SecureWorks, a cyber security company, has two researchers applying reflective social engineering to either discover the identities of these thieves or get their bank accounts shut down.  First, they work with businesses and banks to pretend to fall hook, line, and sinker for a scam.  Then, through a series of scammer-directed tasks to execute the wire transfer, the researchers glean as much information about the scammer as possible and stop any wire transactions.

The next time you engage your user base about security awareness and its importance, include “good guy” success stories like these.  It will liven things up and help with “the sky is falling” feeling that is prevalent in security awareness.  A final note: remind your users that while these are great successes, they should always follow procedure if they find themselves at the receiving end of a certified tech popup or phishing scam.