Clear definitions of the security terms that matter most for protecting your organization.
What is Security Awareness Training?
Security awareness training is a structured education program that teaches employees to recognize, avoid, and report cybersecurity threats such as phishing, social engineering, ransomware, and data breaches. Effective programs use interactive simulations and hands-on exercises rather than passive videos, building practical skills that reduce human-caused security incidents. Modern security awareness training covers email threats, phone-based attacks (vishing), SMS phishing (smishing), business email compromise, physical security risks like USB drop attacks, and compliance requirements including GDPR, HIPAA, and SOC 2. Organizations typically deploy training through SCORM-compatible learning management systems or standalone platforms with analytics to measure behavioral change over time. Related topics: Phishing Simulation Training, Social Engineering. Learn more in our Security Awareness Training Guide.
Phishing is a cyberattack where criminals send fraudulent messages designed to trick recipients into revealing sensitive information, clicking malicious links, or downloading malware. Most phishing attacks arrive via email, impersonating trusted entities such as banks, IT departments, or known contacts. Attackers typically create a false sense of urgency, pressuring victims to act before they think critically. Phishing remains one of the most common initial access vectors in data breaches, and the Anti-Phishing Working Group recorded over 4.7 million phishing attacks in 2023, the highest annual total it has observed. Detection relies on inspecting the actual sender address rather than the display name, checking that a link's visible text matches the destination it points to before clicking, and verifying unexpected requests through a separate communication channel. Organizations reduce phishing risk through a combination of email filtering technology, employee training with simulated attacks, and a reporting culture that encourages flagging suspicious messages. Related topics: Spear Phishing, Phishing Simulation Training, Social Engineering. Read our guide to spotting phishing.
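The sender, Reply-To and link checks described above can be automated. The following Python script is an added example written for this glossary entry, not code from the original page or any product it describes. The protected domains, the confusable-character table and the two sample messages are constructed for illustration, and the last-two-labels rule for a registered domain is a simplification (a real implementation would consult the Public Suffix List).

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this organisation wants to protect against imitation.
PROTECTED_DOMAINS = {"example-bank.com", "corp.example"}
# Digit-for-letter swaps common in lookalike domains, e.g. paypa1.com for paypal.com.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify your account)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Constructed sample messages; not real traffic.
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: secure-desk@example-bank-support.net
To: finance@corp.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body><p>Sign in now at
<a href="http://examp1e-bank.com/login">https://example-bank.com/login</a>
to avoid suspension.</p></body></html>
"""
BENIGN = """\
From: "Payroll" <payroll@corp.example>
To: finance@corp.example
Subject: March timesheet reminder
Content-Type: text/plain

Please submit your timesheet by Friday.
"""

def edit_distance(a, b):
    """Levenshtein distance; a domain one edit away from a protected brand is a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    # Naive last-two-labels heuristic (assumption); use the Public Suffix List in production.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def normalize_domain(domain):
    """Fold confusable characters so visually similar domains compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def lookalike_of(host):
    """Return the protected domain this host imitates, or None if it is legitimate or unrelated."""
    rd = registered_domain(host)
    if rd in PROTECTED_DOMAINS:
        return None
    for protected in PROTECTED_DOMAINS:
        if normalize_domain(rd) == normalize_domain(protected) or edit_distance(rd, protected) == 1:
            return protected
    return None

def host_of(url_or_host):
    text = url_or_host if "://" in url_or_host else "http://" + url_or_host
    return (urlparse(text).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what the user sees versus where the link really goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw_message):
    """Return (indicator, detail) pairs for the phishing signals described in the text."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike_sender", f"{from_domain} imitates {imitated}"))
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and registered_domain(reply_addr.split("@")[-1]) != registered_domain(from_domain):
        findings.append(("reply_to_mismatch", f"replies go to {reply_addr}, not {from_domain}"))
    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append(("urgency_language", str(msg["Subject"])))
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href):
                findings.append(("link_text_mismatch", f"shows {host_of(text)}, goes to {host_of(href)}"))
            elif lookalike_of(host_of(href)):
                findings.append(("lookalike_link", href))
    return findings
```

Running `analyze(SAMPLE)` surfaces all four indicators at once (lookalike sender domain, Reply-To pointing elsewhere, urgency wording, and a link whose text names the real bank while the href goes to the lookalike), while `analyze(BENIGN)` returns nothing. In a mail gateway each indicator would feed a score rather than a hard block, since urgency wording alone is common in legitimate mail.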
Phishing simulation training is a cybersecurity education method where organizations send realistic but harmless phishing emails to their own employees, then measure who clicks, who reports, and who ignores the test. Employees who interact with a simulated attack receive immediate, targeted feedback explaining what they missed and how to recognize similar threats. Unlike passive training that relies on videos and quizzes, phishing simulations create practice under realistic conditions, building reflexive caution that prevents real breaches. Research from the SANS Institute shows that organizations running regular simulations reduce employee click rates from an industry average of 30% to under 5% within 12 months. The most effective programs combine simulated phishing with just-in-time micro-lessons, spaced repetition, and escalating difficulty matched to each employee's skill level. Related topics: Phishing, Security Awareness Training. Read our phishing simulation guide.
Vishing (voice phishing) is a social engineering attack conducted over the phone where an attacker impersonates a trusted entity to manipulate victims into revealing sensitive information, transferring funds, or granting system access. Unlike email phishing where recipients can pause and inspect links, vishing exploits the real-time pressure of live conversation and the inherent trust humans place in voice communication. Attackers commonly impersonate IT support, bank representatives, government agencies, or company executives, and frequently spoof caller ID to display legitimate phone numbers. According to the FBI's Internet Crime Complaint Center, vishing and related voice scams accounted for over $1.2 billion in reported losses in 2024. The attack is particularly effective against organizations because employees are conditioned to be helpful and responsive on the phone. Related topics: Phishing, Smishing, Social Engineering. Read our vishing awareness guide.
Smishing (SMS phishing) is a social engineering attack that uses text messages to trick recipients into clicking malicious links, downloading malware, or sharing sensitive information. Smishing is increasingly effective because people trust text messages more than emails, SMS open rates exceed 98% compared to roughly 20% for email, and mobile screens make it harder to inspect URLs before tapping. Common smishing pretexts include fake package delivery notifications, bank fraud alerts, tax refund messages, and multi-factor authentication code requests. Smishing attacks bypass traditional email security controls entirely, reaching victims on personal devices that may lack enterprise security software. Organizations defend against smishing by including SMS threats in security awareness training, establishing policies against sharing credentials via text, and teaching employees to contact senders through official channels rather than replying to unexpected messages. Related topics: Vishing, Phishing, Social Engineering. Read our smishing explained guide.
Whaling is a highly targeted phishing attack aimed specifically at senior executives and high-value individuals within an organization. Unlike mass phishing campaigns, whaling attacks involve extensive research into the target's role, communication style, business relationships, and public appearances to craft convincing, personalized messages. Common whaling pretexts include urgent wire transfer requests, confidential acquisition communications, legal threats, and board-level document reviews. Because executives often have elevated system privileges and authority to approve financial transactions, a successful whaling attack can result in immediate, large-scale financial loss or data exposure. The FBI's Internet Crime Complaint Center reports that business email compromise, which frequently begins with whaling, caused over $2.9 billion in reported losses in 2023. Defending against whaling requires executive-specific security training and multi-person authorization for financial transactions. Related topics: Spear Phishing, Business Email Compromise, Deepfake. Read our whaling attack guide.
Barrel phishing (also called double-barrel phishing) is a multi-stage phishing attack where the attacker first sends a harmless, legitimate-looking message to establish trust before following up with a malicious second message. The initial email typically asks a simple question or shares benign information, prompting a reply that confirms the target is active and engaged. Once the victim responds, the attacker sends a follow-up containing a malicious link, infected attachment, or fraudulent request. This two-step approach is significantly more effective than standard phishing because the prior interaction creates familiarity and social reciprocity. Barrel phishing bypasses many security tools that analyze emails individually, since the first message contains no malicious content. Organizations counter barrel phishing by training employees to scrutinize follow-up requests from new contacts and to verify unexpected asks through a separate communication channel. Related topics: Phishing, Spear Phishing, Social Engineering. Read our barrel phishing guide.
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Rather than exploiting software vulnerabilities, social engineering targets human behavior by leveraging principles like authority, urgency, reciprocity, and fear. Attack vectors include phishing emails, phone calls (vishing), text messages (smishing), in-person pretexting, and even physical access attempts like tailgating through secure doors. Social engineering is the most common initial access vector in data breaches because it exploits the hardest vulnerability to patch: human decision-making under pressure. Effective defenses combine technical controls such as email filtering and multi-factor authentication with ongoing employee training that builds recognition skills through simulated attacks. The most resilient organizations cultivate a verification culture where questioning unexpected requests is encouraged rather than penalized. Related topics: Phishing, Vishing, Smishing. Learn more in our social engineering attacks guide.
A human firewall is an organization's collective employee defense against cybersecurity threats, where every staff member acts as an active line of defense rather than a passive bystander. The concept recognizes that technical security controls alone cannot prevent all attacks, particularly social engineering, and that trained employees who can recognize, report, and resist threats provide a critical additional security layer. Building a human firewall requires ongoing security awareness training, simulated attack exercises, clear reporting procedures, and a culture where questioning suspicious requests is encouraged. The three pillars of an effective human firewall are knowledge (understanding threats), behavior (consistently applying secure practices), and culture (organizational norms that reinforce security). Organizations with mature human firewalls see suspicious email reporting rates above 70% and phishing click rates below 5%. Related topics: Security Awareness Training, Phishing Simulation Training. Read our human firewall training guide.
Business email compromise (BEC) is a targeted cyberattack where criminals impersonate executives, vendors, or trusted business partners through email to fraudulently redirect payments, steal sensitive data, or gain unauthorized access to systems. BEC attacks rarely use malware or malicious links, instead relying on social engineering and convincing impersonation to manipulate employees with financial authority. Common tactics include spoofed email addresses that closely mimic legitimate domains, compromised real email accounts, and carefully timed requests that exploit normal business processes. The FBI's Internet Crime Complaint Center consistently ranks BEC among the highest-loss cybercrime categories, second only to investment fraud, with reported losses of $2.9 billion in 2023. Because BEC attacks exploit human judgment rather than technical vulnerabilities, organizations defend against them through employee training on verification procedures, dual-authorization requirements for financial transactions, and strict processes for changing vendor payment details, including a call-back to a phone number already on file rather than one supplied in the request. Related topics: Spear Phishing, Social Engineering. Read our BEC training guide.
SCORM (Sharable Content Object Reference Model) is a set of technical specifications that defines how e-learning content is packaged and how it communicates with Learning Management Systems. Developed by the Advanced Distributed Learning Initiative under the U.S. Department of Defense, SCORM lets training packages created in one authoring tool run inside any compliant LMS without modification. A package is a zip file whose imsmanifest.xml lists its launchable units (Sharable Content Objects, or SCOs); each SCO runs as HTML and JavaScript in the learner's browser and reports completion status, quiz scores, time spent, and interaction data to the LMS through a JavaScript runtime API. Two versions are widely deployed: SCORM 1.2, which offers simpler implementation and the broadest LMS compatibility, and SCORM 2004, which adds sequencing rules, multi-SCO navigation, and more granular reporting. Over 90% of enterprise LMS platforms support at least one SCORM version, making it the default interoperability format for deploying security awareness training and other e-learning content across organizations. Related topics: Security Awareness Training. Learn more on our SCORM integration page.
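As an added example (not part of the original page or of the ADL specification itself), the following Python code parses the imsmanifest.xml at the root of a SCORM package, tells 1.2 from 2004 by the schemaversion element, lists the launchable SCOs, and flags resources that load content from outside the package. The manifest is constructed for a hypothetical two-module course; the external-href check is this example's own import-time precaution for content that will execute in learners' browsers, not something SCORM mandates.

```python
import xml.etree.ElementTree as ET

# Constructed imsmanifest.xml for a hypothetical course; not from a real package.
SAMPLE_MANIFEST = """\
<manifest identifier="com.example.phish101" version="1.0"
    xmlns="http://www.imsproject.org/xsd/imscp_rootv1p1p2"
    xmlns:adlcp="http://www.adlnet.org/xsd/adlcp_rootv1p2">
  <metadata><schema>ADL SCORM</schema><schemaversion>1.2</schemaversion></metadata>
  <organizations default="org1">
    <organization identifier="org1">
      <title>Phishing Awareness 101</title>
      <item identifier="item1" identifierref="res1"><title>Module 1: Spotting phishing</title></item>
      <item identifier="item2" identifierref="res2"><title>Module 2: Reporting</title></item>
    </organization>
  </organizations>
  <resources>
    <resource identifier="res1" type="webcontent" adlcp:scormtype="sco" href="module1/index.html">
      <file href="module1/index.html"/><file href="shared/scorm_api.js"/>
    </resource>
    <resource identifier="res2" type="webcontent" adlcp:scormtype="sco"
        href="https://cdn.example.net/module2/index.html">
      <file href="module2/index.html"/>
    </resource>
    <resource identifier="res3" type="webcontent" adlcp:scormtype="asset" href="shared/logo.png">
      <file href="shared/logo.png"/>
    </resource>
  </resources>
</manifest>
"""


def scorm_family(schemaversion: str) -> str:
    """Map the manifest's schemaversion string to the edition family the text describes."""
    v = schemaversion.strip()
    if v == "1.2":
        return "SCORM 1.2"
    if v.startswith("2004") or v == "CAM 1.3":
        return "SCORM 2004"
    return "unknown"


def is_external(href: str) -> bool:
    """Content loaded from outside the package, or escaping it, deserves review before import."""
    return href.startswith(("http://", "https://", "//")) or ".." in href.split("/")


def parse_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    version = root.findtext("{*}metadata/{*}schemaversion", default="")
    resources = {}
    for res in root.iterfind(".//{*}resource"):
        # SCORM 1.2 spells the attribute adlcp:scormtype, SCORM 2004 adlcp:scormType.
        kind = next((v for k, v in res.attrib.items() if k.split("}")[-1].lower() == "scormtype"), "asset")
        resources[res.get("identifier")] = {
            "href": res.get("href", ""),
            "scormtype": kind.lower(),
            "files": [f.get("href", "") for f in res.findall("{*}file")],
        }
    scos = []
    for item in root.iterfind(".//{*}item"):
        ref = item.get("identifierref")
        if ref in resources and resources[ref]["scormtype"] == "sco":
            scos.append((item.findtext("{*}title", default="").strip(), resources[ref]["href"]))
    hrefs = [r["href"] for r in resources.values()] + [f for r in resources.values() for f in r["files"]]
    return {
        "version": version.strip(),
        "family": scorm_family(version),
        "scos": scos,
        "external_hrefs": sorted({h for h in hrefs if h and is_external(h)}),
    }
```

For the sample, `parse_manifest` reports SCORM 1.2 with two launchable SCOs and one external href (the second module's launch page on a third-party CDN), which is exactly the kind of detail an LMS administrator wants to see before approving an upload.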
Ransomware is malicious software that encrypts a victim's files or locks them out of their systems, then demands payment (usually in cryptocurrency) for the decryption key. Modern ransomware operations frequently use "double extortion," stealing sensitive data before encrypting it and threatening to publish the data if the ransom is not paid. Ransomware typically enters organizations through phishing emails, exploited vulnerabilities in internet-facing systems, compromised credentials, or exposed remote desktop protocol (RDP) services. According to IBM's Cost of a Data Breach Report, the average cost of a ransomware attack reached $5.13 million in 2023, not including the ransom payment itself. Prevention requires a layered approach: regularly patched systems, network segmentation, offline or immutable backups with tested restores, endpoint detection and response, and employee security awareness training that teaches staff to recognize the phishing emails and social engineering tactics that initiate many ransomware infections. Related topics: Phishing, Business Email Compromise. Try our free ransomware response exercise.
Spear phishing is a targeted form of phishing where attackers research specific individuals or organizations before crafting personalized attack emails. Unlike bulk phishing campaigns that cast a wide net, spear phishing messages reference real colleagues, ongoing projects, or recent company events to appear legitimate. According to Barracuda Networks (2023), spear phishing accounts for less than 0.1% of all email attacks but is responsible for 66% of all breaches. Attackers gather intelligence from LinkedIn profiles, company websites, social media posts, and data from previous breaches to build convincing pretexts. Common spear phishing scenarios include fake messages from a direct manager requesting urgent wire transfers, spoofed IT department emails asking for credential verification, or impersonated vendor invoices referencing real purchase orders. Defending against spear phishing requires training that teaches employees to verify unusual requests through separate communication channels, regardless of how legitimate the email appears. Related topics: Phishing, Business Email Compromise, Social Engineering.
A deepfake is synthetic media created using artificial intelligence to convincingly replicate a real person's face, voice, or mannerisms. In cybersecurity, deepfakes are increasingly used to impersonate executives during video calls, create fake voice messages authorizing financial transactions, and produce convincing audio or video for social engineering attacks. According to Regula Forensics (2024), 49% of businesses worldwide have encountered deepfake-related fraud. The FBI's Internet Crime Complaint Center recorded $12.5 billion in total reported cybercrime losses in 2023, of which business email compromise accounted for $2.9 billion; it does not publish a separate figure for deepfake-enabled cases. Deepfake attacks are particularly dangerous because they exploit the human tendency to trust familiar voices and faces. A notable example is the early 2024 Arup case, where a finance worker in Hong Kong transferred HK$200 million (about US$25 million) after a video call in which the other participants were deepfakes of the company's CFO and colleagues. Defenses include establishing multi-person approval for large transactions, verifying sensitive requests through a separate channel such as a call-back to a known number, using pre-agreed code words, and training employees to recognize artifacts common in generated media. Related topics: Social Engineering, Business Email Compromise. Try our deepfake whaling exercise.
Multi-factor authentication is a security method that requires users to verify their identity through two or more independent factors before granting access to a system or account. The three factor categories are something you know (passwords, PINs), something you have (phone, hardware token), and something you are (fingerprint, facial recognition). Microsoft's analysis of attacks on its own customer accounts found that MFA blocks more than 99% of automated account compromise attempts. Despite this effectiveness, adoption remains inconsistent. A 2024 LastPass survey found that only 33% of organizations enforce MFA across all applications. Common MFA methods include authenticator apps generating time-based one-time passwords, SMS verification codes, hardware security keys like YubiKey, and biometric verification. Not all factors resist phishing equally: SMS codes can be intercepted through SIM swapping, and both SMS and app-generated one-time codes can be relayed in real time by a phishing page that proxies the login, whereas FIDO2/WebAuthn security keys bind the credential to the legitimate site's origin and cannot be replayed elsewhere. PCI DSS v4.0 explicitly requires MFA for all access into the cardholder data environment; SOC 2, ISO 27001, HIPAA, and GDPR do not name MFA but require appropriate access controls, and auditors routinely treat MFA as the baseline for meeting them. Security awareness training should teach employees why MFA matters, how to use it correctly across all work applications, and never to approve a push prompt or share a code for a login they did not initiate. Related topics: Security Awareness Training, Credential Stuffing.
A zero-day vulnerability is a software security flaw for which no patch is available at the time it is discovered or exploited, typically because the vendor does not yet know it exists. The term "zero-day" refers to the vendor having had zero days to fix the issue before attackers could exploit it. According to Google's Threat Analysis Group (2024), 97 zero-day vulnerabilities were exploited in the wild during 2023, roughly a 50% increase from the 62 seen in 2022. Zero-day exploits are highly valued on both legitimate and underground markets, with prices ranging from around $100,000 for consumer software to over $2 million for full mobile operating system exploit chains, according to Zerodium's published price list. While organizations cannot patch unknown vulnerabilities, they can reduce the impact of exploitation through defense-in-depth strategies including network segmentation, least-privilege access controls, endpoint detection and response tools, and employee training on recognizing and reporting suspicious behavior that might indicate a compromise. Related topics: Ransomware, Security Awareness Training.
Incident response is the structured process an organization follows to detect, contain, investigate, and recover from cybersecurity events. A well-defined incident response plan reduces breach costs significantly: IBM's Cost of a Data Breach Report (2022) found that organizations with an incident response team that regularly tested its plan saved an average of $2.66 million per breach compared to those with neither. NIST Special Publication 800-61, the Computer Security Incident Handling Guide, defines the incident response life cycle in four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. The NIST Cybersecurity Framework, by contrast, describes the higher-level Respond and Recover functions rather than these procedural phases. Effective incident response requires clear role assignments, communication protocols, evidence preservation procedures, and regular tabletop exercises that test the plan against realistic scenarios. GDPR requires organizations to notify the supervisory authority within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Employees play a critical role in incident response by reporting suspicious activity quickly, which directly reduces the time attackers have to cause damage. Related topics: Ransomware, Security Awareness Training.
A supply chain attack is a cyberattack that targets an organization by compromising a trusted third-party vendor, supplier, or software provider that has access to its systems or data. Rather than attacking the target directly, adversaries infiltrate a less-secure link in the supply chain to gain access to multiple downstream victims. According to the European Union Agency for Cybersecurity (ENISA, 2024), supply chain attacks increased by 78% between 2022 and 2024. The 2020 SolarWinds attack remains the most notable example: a backdoored Orion software update was distributed to roughly 18,000 customers, and the attackers then selected a much smaller set of high-value targets, including several US government agencies, for hands-on follow-up. The 2024 XZ Utils backdoor showed that open-source software is exposed too: a contributor spent roughly two years building trust with the project's sole maintainer, gained release authority, and inserted a backdoor into liblzma aimed at OpenSSH servers on affected Linux distributions. Defending against supply chain attacks requires vendor risk assessments, software bill of materials (SBOM) tracking so affected components can be located quickly, verification of updates against publisher signatures, least-privilege access for third-party integrations, and employee awareness of how compromised tools can appear legitimate. Related topics: Social Engineering, Zero-Day Vulnerability.
Credential stuffing is an automated cyberattack where stolen username and password combinations from one data breach are systematically tested against other websites and services. This attack exploits the widespread habit of password reuse. According to the Verizon Data Breach Investigations Report (2024), stolen credentials were involved in 77% of basic web application attacks. Attackers use automated tools to test millions of credential pairs against banking portals, email services, corporate VPNs, and SaaS applications. Even with low success rates of 1-3%, the massive volume of attempts generates thousands of compromised accounts per campaign. The OWASP Foundation catalogs credential stuffing as OAT-008 in its Automated Threats to Web Applications handbook, one of the most prevalent automated threats to web applications. Defenses include enforcing unique passwords across services, screening new passwords against known-breached lists, implementing multi-factor authentication, deploying rate limiting and bot detection on login pages, and monitoring for credential exposure in known breaches. Security awareness training should emphasize the danger of password reuse. Related topics: Multi-Factor Authentication, Phishing.
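One way to spot credential stuffing in authentication logs is to look for a single source that tries many distinct usernames in a short window with almost every attempt failing. A shared office NAT address also produces many users per IP, but with a high success ratio, which is what keeps it from being flagged. The Python below is an added example, not the page's code; the log format, the RFC 5737 test addresses and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines using RFC 5737 test addresses; not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=amber result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=brian result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=carla result=FAIL
2024-05-01T10:00:07Z ip=203.0.113.5 user=dev result=FAIL
2024-05-01T10:00:09Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:11Z ip=203.0.113.5 user=fahad result=OK
2024-05-01T10:00:13Z ip=203.0.113.5 user=gina result=FAIL
2024-05-01T10:00:15Z ip=203.0.113.5 user=hugo result=FAIL
2024-05-01T10:00:17Z ip=203.0.113.5 user=iris result=FAIL
2024-05-01T10:00:19Z ip=203.0.113.5 user=jon result=FAIL
2024-05-01T10:00:21Z ip=203.0.113.5 user=kim result=FAIL
2024-05-01T10:00:23Z ip=203.0.113.5 user=leo result=FAIL
2024-05-01T10:01:02Z ip=198.51.100.20 user=pat result=OK
2024-05-01T10:01:09Z ip=198.51.100.20 user=quinn result=OK
2024-05-01T10:01:15Z ip=198.51.100.20 user=rosa result=OK
2024-05-01T10:01:31Z ip=198.51.100.20 user=sam result=OK
2024-05-01T10:01:44Z ip=198.51.100.20 user=tess result=OK
2024-05-01T10:01:58Z ip=198.51.100.20 user=uma result=OK
2024-05-01T10:02:10Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:02:25Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:02:40Z ip=198.51.100.7 user=alice result=OK
"""

# Assumed log format: ISO-8601 timestamp, then key=value fields.
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_events(lines):
    """Yield one dict per line that matches the assumed format; skip anything else."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def detect_credential_stuffing(lines, window_seconds=300, min_distinct_users=5, max_success_ratio=0.10):
    """Flag source IPs that try many distinct usernames in one window with almost all attempts failing."""
    buckets = defaultdict(list)
    for ev in parse_events(lines):
        bucket = int(ev["ts"].timestamp()) // window_seconds * window_seconds
        buckets[(ev["ip"], bucket)].append(ev)
    alerts = []
    for (ip, bucket), events in sorted(buckets.items()):
        users = {e["user"] for e in events}
        successes = [e["user"] for e in events if e["result"] == "OK"]
        if len(users) >= min_distinct_users and len(successes) / len(events) <= max_success_ratio:
            alerts.append({
                "ip": ip,
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "attempts": len(events),
                "distinct_users": len(users),
                "compromised": sorted(set(successes)),  # accounts to force-reset and review
            })
    return alerts
```

On the sample, only 203.0.113.5 is flagged (12 usernames, one success), and the `compromised` list names the account whose reused password worked, which is the account to reset and review for post-login activity. Fixed five-minute buckets keep the example short; a production detector would use a sliding window and also rate-limit the source at the load balancer or WAF.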
Data loss prevention refers to the strategies, tools, and processes organizations use to prevent sensitive information from being accidentally or intentionally shared, leaked, or accessed by unauthorized parties. DLP encompasses technology controls like content inspection, classification labels, and transfer restrictions alongside employee training on proper data handling. According to IBM's Cost of a Data Breach Report (2024), conducted with the Ponemon Institute, the average cost of a data breach reached $4.88 million globally, and the Verizon Data Breach Investigations Report (2024) found the human element involved in 68% of breaches. DLP solutions monitor data in three states: at rest (stored in databases and file systems), in transit (moving across networks and email), and in use (being accessed by applications and users). Effective DLP programs combine technical controls with employee awareness about data classification, acceptable sharing practices, and incident reporting procedures. Compliance frameworks including GDPR, HIPAA, and PCI DSS all require organizations to implement appropriate safeguards against unauthorized data disclosure. Related topics: Security Awareness Training, Ransomware. Try our data leakage prevention exercise.
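Content inspection is the technical core of the DLP controls described above. The following Python is an added example, not code from the page or from any DLP product: it finds candidate payment card numbers and US Social Security numbers, validates them (Luhn check for cards, SSA issuance rules for SSNs) to cut false positives, redacts them for safe logging, and applies a simple block decision for unapproved destinations. The sample text and the approved-destination list are constructed; 4111 1111 1111 1111 and 4012 8888 8888 1881 are publicly documented test numbers, not real cards.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed sample; the card numbers are published test numbers, the SSNs are not real.
SAMPLE_TEXT = ("Customer paid with 4111 1111 1111 1111 (exp 12/26); order ref 4111111111111112. "
               "SSN on file 123-45-6789; placeholder 000-12-3456; support line 555-0100.")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return (kind, masked_value, (start, end)) for each validated sensitive value."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("card_number", mask(digits), m.span()))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("us_ssn", "***-**-" + m.group(3), m.span()))
    return findings


def redact(text: str) -> str:
    """Replace each finding with a labelled placeholder, right to left so offsets stay valid."""
    out = text
    for kind, masked, (start, end) in sorted(scan_text(text), key=lambda f: f[2][0], reverse=True):
        out = out[:start] + f"[{kind}:{masked}]" + out[end:]
    return out


def should_block(text: str, destination: str, allowed_destinations=("crm.corp.example",)) -> bool:
    """Policy hook (assumption): block when validated sensitive data heads to an unapproved destination."""
    return bool(scan_text(text)) and destination not in allowed_destinations
```

On the sample, the order reference 4111111111111112 looks like a card number but fails the Luhn check and is left alone, and 000-12-3456 is skipped because area 000 is never issued; only the genuine-looking card and SSN are reported and redacted. The same validation-before-alerting pattern is what keeps a DLP rule from burying analysts in false positives from invoice numbers and phone numbers.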