CODED × Institute of Banking Studies

Technology & Information Risk Management

A two-day workshop with CODED and the Institute of Banking Studies — recognise the threats, strengthen the defences, and respond to a live breach.

Day 1 · 2026
Institute of Banking Studies, Kuwait
Day 1 · before we begin
Would you have caught it?
What you'll walk out able to do

By the end of Day 1, here's what you'll be able to do.

Name a threat by how it behaves — malware type, phishing vs. BEC vs. social engineering.
Spot the red flags in a fake email, login page, or SMS — before you click.
Know which line of defence owns an incident, and escalate it the right way.
Judge what a breach really costs — well beyond the headline number.
The shape of Day 1

Six threats, one rhythm.

Every term you'll meet runs the same way — a real story, a picture you'll remember, the technical name bridged to it, then a mini exercise you do. Six threats, taken apart one piece at a time.

1. Roles: IT, Risk & Audit
   Who owns an incident — and why the answer decides how bad it gets.
2. Latest hacks & losses
   What a breach really costs once the whole iceberg is counted.
3. Viruses, worms & Trojans
   How malicious code spreads — named by behaviour, not reputation.
4. Spyware
   The threat that steals nothing you can see — until the data's gone.
5. Identity theft & social engineering
   When the attacker hacks the person, not the machine.
6. Business Email Compromise
   The forged instruction that moves real money.
Topic 1 · Roles — IT, Risk & Audit
The story
9:05 AM · A teller flags a suspicious email. IT assumes Risk will handle it. Risk assumes IT contained it. Audit hears about it three weeks later — after the fraudulent wire cleared. The breach wasn't the email. It was the silence about who owned it.

Three jobs, three teams. Let's separate them.

Role 1 of 3
The analogy

The people on the floor.

In any building, the staff on the floor know the exits and report a hazard the second they see one. They handle risk where it actually happens — every shift, in real time.
they catch it first · the floor
The term & the link

This is the first line.

FIRST LINE Operations & IT — the people who own and run the controls day to day, and act first when something goes wrong.
Contain the email, freeze the account, fix the system — before anyone escalates.
Mini check · your call
A teller spots a suspicious login on a branch terminal. Who acts first?
Role 2 of 3
The analogy

The safety officer.

They don't fight the fire. They wrote the fire policy, run the drills, check the extinguishers — and decide when something is serious enough to call the authorities.
the floor · checks the work
The term & the link

This is the second line.

SECOND LINE Risk & Compliance — set the policy, monitor the first line, and decide how far an incident escalates.
They challenge whether the first line's controls are actually good enough.
Mini check · your call
The breach is contained. Now — who decides whether the regulator must be notified?
Role 3 of 3
The analogy

The independent inspector.

They answer to the city, not the building. They show up unannounced, check that everything actually works, and report what they find straight to the top — no one gets to grade their own homework.
finds what others miss
The term & the link

This is the third line.

THIRD LINE Internal Audit — independent assurance that reports to the board, not to management.
Plus supporting offices — Legal, Fraud, HR — feeding expertise into all three lines.
Mini check · your call
Three months later, who checks — independently — whether the controls actually held?
Break 1 of 3
Break
15:00
Back at 10:15 — stretch, coffee, questions welcome.
Let's pause here.
I'm stopping for three questions before we move on — what's unclear, or what would you push back on?
What the delay costs

The longer it's unowned, the more it costs.

IBM · Cost of a Data Breach · Average time to identify and contain a breach. The control that shrinks it isn't fancy — it's knowing which line owns minute one.
Avg. breach cost
Saved by faster containment
3
Lines that must not blur
Confirm figures before quoting live. Next: what that bill actually looks like — the latest losses →
Topic 2 · Latest Hacks & Financial Losses
The story
February · One employee clicks one link. For 90 days the systems look normal. Then a reconciliation finds money missing. By the time forensics, fines, lawsuits and walking customers are counted, the final bill is 20× the original theft.

The number in the headline is never the real number.

Cost 1 of 3
The analogy

The tip of the iceberg.

The part above the water is the bit everyone sees and photographs. It's real — but it's the smallest part of the whole thing.
what you see · everything else
The term & the link

This is the direct loss.

DIRECT LOSS The money actually moved out in the attack — the figure that makes the headline.
Mini check · your call
A bank reports "$2M stolen." What does that number usually capture?
Cost 2 of 3
The analogy

The time underwater.

A swimmer held under doesn't get hurt all at once — the damage is in how long it lasts. Every extra second underwater makes the outcome worse.
every hidden day adds cost
The term & the link

This is dwell time.

DWELL TIME The gap between the breach happening and anyone detecting it.
More dwell means more systems reached, more data taken, more to clean up.
Mini check · your call
Two banks suffer the same intrusion. Bank A detects in 2 days, Bank B in 200. Who pays more?
Cost 3 of 3
The analogy

The mass below.

Nine-tenths of the iceberg sits unseen beneath the surface — and the cold water it leaves behind lingers for years. That hidden bulk is what sinks ships.
the fine · churn · downtime · trust
The term & the link

This is the indirect cost.

INDIRECT COST Forensics, legal, regulator fines, customer notification — plus the long tail of lost customers and higher insurance.
Mini check · your call
The stolen funds are even recovered. What's usually the biggest line on the final bill?
Let's pause here.
I'm stopping for three questions before we move on — what's unclear, or what would you push back on?
When it was real

The Bangladesh Bank heist.

2016 · SWIFT network heist · Stolen via fraudulent payment instructions before anyone caught it — attackers attempted nearly $1 billion, mostly stopped by a lucky spelling mistake in one transfer.
Total attempted
Transfers cleared
~$0
Fully recovered
Confirm figures before quoting live. Next: the code that does the stealing — malware →
Still happening · 2025–26

Bangladesh wasn't the last word — it's accelerating.

ByBit crypto heist · Dubai · Feb 2025 — the largest in history
Average financial-sector breach in 2025 — highest cost of any industry
Bank-sector breaches in 2025 — the #1 target, two years running
The shift · One vendor breach now hits dozens of banks at once — a single software supplier exposed 74 institutions in 2025, and supply-chain attacks have doubled since 2021. Even the regulator wasn't safe: roughly 103 bank-supervisor inboxes were quietly read for a year. And ransomware crews now demand a $3M median from finance — the fattest target they have.
Sources: American Banker · ITRC 2025 · IBM Cost of a Data Breach 2025 · CSIS · Sophos · current as of 2026.
Topic 3 · Viruses, Worms & Trojans
The story
5:40 PM · An accountant opens an invoice attachment — looks routine. Overnight, the macro inside copies itself to every machine that touches the shared drive. By morning 40 workstations are infected — and nobody clicked a thing after the first.

Malware isn't one thing. We'll take its three forms one at a time.

Term 1 of 3
The analogy

The common cold.

You catch a cold by touching a surface, then your face. It can't jump to you on its own — it needs you to do something. No contact, no contact, no contact… then one touch, and you're infected.
spreads only by contact
The term & the link

This is a virus.

VIRUS Malicious code that hides inside a file and runs when someone opens it — then attaches itself to other files.
That dependency is its weakness — and exactly why "don't open unknown attachments" works.
Mini demo · feel the dependency
The virus needs you — open a file to start
invoice.xls
report.doc
payroll.xls
notes.txt
budget.xls
memo.doc
Infected: 0 / 6 · Human clicks: 0
Nothing is infected yet. It can't move until you open something.
Term 2 of 3
The analogy

The airborne flu.

You walk into a room and breathe. Nobody touches you. You touch nothing. And you're infected anyway — it travelled through the air on its own, person to person, no action required.
spreads on its own — no contact
The term & the link

This is a worm.

WORM Malicious code that copies itself across a network with no one clicking — jumping machine to machine through an open service.
Speed is the danger — one unpatched machine becomes a branch-wide event by morning.
Mini demo · one release, zero clicks
Release it once — then don't touch anything
Infected: 0 / 40 · Your clicks after release: 0
A network of 40 machines, all clean. Press release — then watch it move on its own.
Term 3 of 3
The analogy

The poisoned gift.

A beautifully wrapped present arrives. You want it. You open it yourself, gladly. It's exactly what it looked like — and a spy is hidden inside, now sitting in your house because you carried it in.
looks like a gift — isn’t
The term & the link

This is a Trojan.

TROJAN Software that looks useful and works as promised — while hiding a malicious payload that runs the moment you install it.
That's why perimeter defences wave it through — the user invited it in.
Mini demo · install the "free" tool
It does exactly what it promises — watch what else
FreePDF Converter 4.2
Verified publisher · 4.8★ · 2M+ downloads
Looks legitimate — signed, rated, popular. Install it and see.
⚠ Background activity · what it didn't show you
Let's pause here.
I'm stopping for three questions before we move on — what's unclear, or what would you push back on?
Break 2 of 3
Break
30:00
Back at 12:15 — stretch, coffee, questions welcome.
When it was real

Carbanak.

Carbanak · banking malware campaign · Entered through ordinary staff machines, then spread quietly inside the network until it reached the systems that move money — across 100+ banks worldwide.
Banks hit
Countries
Undetected
Confirm figures before quoting live. Virus, worm, Trojan — you now name each by behaviour, not reputation. That's the pattern for every term in the course.
Topic 4 · Spyware
The story
A free download · An analyst installs a free PDF converter. It works fine. It also screenshots every account statement she opens and forwards them overseas. For three months nothing looks wrong — nothing is missing. The data is just… leaving.

The threat that steals nothing you can see.

Form 1 of 3
The analogy

The wiretap.

A tap on the line records every word you say, silently. You never hear the click — you just talk, and someone else is listening to all of it.
your keystrokes · copied off
The term & the link

This is a keylogger.

KEYLOGGER Spyware that records every keystroke — passwords, messages, card numbers — as you type them.
Mini demo · type something, watch it leak
Type a "password" below — anything. Watch the attacker's capture.
attacker@remote › captured:
Every key appears over there instantly — even a strong password leaks the moment you type it.
Form 2 of 3
The analogy

The one-way mirror.

They watch every move you make; you see only your own reflection. You behave normally because you have no idea anyone's on the other side.
they watch your screen, unseen
The term & the link

This is screen capture.

SCREEN CAPTURE Spyware that silently photographs what's on the screen at intervals.
Mini check · your call
A user never types the password — they paste it from a manager. Safe from spyware?
Form 3 of 3
The analogy

The mole.

A trusted insider quietly copies files and carries them out the back door, day after day. The theft isn't the watching — it's the steady leak outward.
inside · quietly carries data out
The term & the link

This is data exfiltration.

DATA EXFILTRATION Copying the collected data out to an external server controlled by the attacker.
Unusual outbound traffic to a strange address is spyware's one visible tell. Watch the exits.
Mini demo · find the leak

Spot the exfiltration.

A night's outbound traffic from one branch. Most is normal. One line is the spyware phoning home — click it.

SIEM · outbound connections · branch-04 · last night · click the anomaly
Time  | Host          | User       | Destination           | Data out | Action
08:42 | teller-ws-02  | m.alfadhli | core-banking.local    | 14 KB    | allow
10:15 | teller-ws-05  | r.alenezi  | update.microsoft.com  | 22 MB    | allow
12:03 | mgr-ws-01     | a.riyad    | mail.bank.local       | 3 KB     | allow
03:14 | finance-ws-07 | svc_backup | 185.220.101.44 : 443  | 2.4 GB   | allow
13:20 | teller-ws-02  | m.alfadhli | core-banking.local    | 9 KB     | allow
16:48 | mgr-ws-03     | n.albannai | sharepoint.bank.local | 8 MB     | allow
17:30 | teller-ws-05  | r.alenezi  | core-banking.local    | 11 KB    | allow
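
One way to automate the "watch the exits" check over the rows in this table, as an added example that is not part of the original deck. The internal suffix, approved-destination list, business hours and volume threshold are assumptions chosen for the illustration; a row is reported only when at least two independent signals agree.

```python
import ipaddress

# Rows transcribed from the slide's table: time, host, user, destination, data out.
ROWS = [
    ("08:42", "teller-ws-02", "m.alfadhli", "core-banking.local", "14 KB"),
    ("10:15", "teller-ws-05", "r.alenezi", "update.microsoft.com", "22 MB"),
    ("12:03", "mgr-ws-01", "a.riyad", "mail.bank.local", "3 KB"),
    ("03:14", "finance-ws-07", "svc_backup", "185.220.101.44 : 443", "2.4 GB"),
    ("13:20", "teller-ws-02", "m.alfadhli", "core-banking.local", "9 KB"),
    ("16:48", "mgr-ws-03", "n.albannai", "sharepoint.bank.local", "8 MB"),
    ("17:30", "teller-ws-05", "r.alenezi", "core-banking.local", "11 KB"),
]

# Assumptions for this example (not stated on the slide):
INTERNAL_SUFFIX = ".local"                    # internal hostnames end in .local
APPROVED_EXTERNAL = {"update.microsoft.com"}  # sanctioned external destinations
BUSINESS_HOURS = range(7, 19)                 # 07:00 to 18:59
LARGE_BYTES = 500 * 10**6                     # 500 MB in one connection
UNITS = {"KB": 10**3, "MB": 10**6, "GB": 10**9}

def to_bytes(size):
    value, unit = size.split()
    return float(value) * UNITS[unit]

def dest_host(destination):
    # "185.220.101.44 : 443" -> "185.220.101.44" (IPv4 or hostname only)
    return destination.split(":")[0].strip()

def is_external(destination):
    host = dest_host(destination)
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname, not an IP literal
        return not host.endswith(INTERNAL_SUFFIX)

def reasons_for(row):
    time, _host, user, destination, size = row
    external = is_external(destination)
    reasons = []
    if external and dest_host(destination) not in APPROVED_EXTERNAL:
        reasons.append("unapproved external destination")
    if int(time[:2]) not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if external and to_bytes(size) >= LARGE_BYTES:
        reasons.append("large outbound volume")
    if external and user.startswith("svc_"):
        reasons.append("service account leaving the network")
    return reasons

def find_anomalies(rows, min_reasons=2):
    # Keep rows where several weak signals line up; one signal alone is noisy.
    return [(row, why) for row in rows if len(why := reasons_for(row)) >= min_reasons]

if __name__ == "__main__":
    for row, why in find_anomalies(ROWS):
        print(row[0], row[1], row[3], "->", "; ".join(why))
```

Every row in the table was logged as "allow", so the firewall verdict alone would not have surfaced the leak; the combination of destination, hour, volume and account type does.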
Let's pause here.
I'm stopping for three questions before we move on — what's unclear, or what would you push back on?
When it was real

Zeus.

Zeus · banking spyware · Infected machines through bad links, then logged keystrokes to capture online-banking credentials — draining accounts while everything looked normal.
Machines infected
Institutions targeted
silent
Until accounts emptied
Confirm figures before quoting live. Next: when the attacker targets the person, not the machine →
Topic 5 · Identity Theft & Social Engineering
The story
A help-desk call · Calm, professional — knows her name and her ticket number. "Quick security fix, I just need the 6-digit code from your token." She reads it out. The caller wasn't IT. In the 60 seconds it took to be polite, they were inside her account.

Sometimes the attacker hacks the person, not the machine.

Move 1 of 3
The analogy

The fake uniform.

Put on a hi-vis vest, carry a clipboard, and walk in anywhere — nobody questions you. The uniform isn't real, but the authority it borrows is enough.
FAKE · the badge is the whole act
The term & the link

This move is authority.

AUTHORITY Impersonating someone you'd instinctively obey — IT, the CEO, a regulator — so the request feels normal.
Mini check · your call
A caller: "This is the CISO. I need your login to fix an urgent issue." Why does this work on people?
Move 2 of 3
The analogy

The ticking clock.

"Now, or you lose the deal." A deadline doesn't change the facts — it changes your ability to think about them. Pressure is the whole trick.
no time to think
The term & the link

This move is urgency.

URGENCY A deadline engineered to make you act before you stop to verify.
Mini check · your call
"Transfer this in the next 5 minutes or your account locks." Why the tight deadline?
Move 3 of 3
The analogy

The friendly face.

They know your name, your ticket number, your manager. That familiarity feels like trust — but it was assembled from stolen details to lower your guard.
warm on the outside
The term & the link

This move is pretexting.

PRETEXTING A believable backstory built from real details about you — often harvested through identity theft.
Same playbook by email, phone, or text — phishing, vishing, smishing. Recognise the moves, not the medium.
Mini demo · catch the con live

Flag every trick as it plays.

An "IT support" chat unfolds line by line. Tap every message that's manipulating her.

"Khalid — IT Support"
incoming chat · identity unverified
Hi, this is Khalid from IT Support — I'm looking at ticket #4471 on your machine right now.
Oh — okay. What's the problem?
Your account flagged a security error. I need to push a fix before it locks you out — about 10 minutes.
Should I call the helpdesk to confirm first?
No need — I am the helpdesk. And don't loop in your manager, it'll only slow the ticket down.
Just read me your username and the 6-digit code from your token so I can clear the lock.
Red flags found: 0 / 4 · reveal the chat, then tap the tricks
Break 3 of 3
Break
15:00
Back at 14:00 — stretch, coffee, questions welcome.
Let's pause here.
I'm stopping for three questions before we move on — what's unclear, or what would you push back on?
When it was real

MGM, 2023.

A single phone call · Attackers called the IT help desk, impersonated an employee, and talked their way past the login — no malware, no exploit. Days of outage and a nine-figure hit.
The call that did it
days
Systems offline
help desk
Was the door
Confirm figures before quoting live. Next: when the con arrives by email and moves money — BEC →
Topic 6 · Business Email Compromise
The story
2:50 PM · An email lands in finance from the CEO. Same name, same sign-off, urgent: "Wire KD 380,000 before 3pm — keep it between us." Everything looks right except one quiet detail: the domain reads joincoded-finance.com, not joincoded.com. By the time anyone notices, the money's gone.

The most expensive email a bank can receive looks completely ordinary.

Tell 1 of 3
The analogy

The lookalike envelope.

A letter arrives with a return address one letter off from the real one. At a glance it's right. On a proper look, it's somebody else entirely.
joincoded.com · joinc0ded.com · one character off — easy to miss
The term & the link

This tell is a spoofed domain.

SPOOFED DOMAIN A near-identical sender address — joincoded-finance vs joincoded — relying on your eye reading the name, not the address.
Mini check · your call
From "Omar Al-Brahim <[email protected]>". The real domain is joincoded.com. The problem?
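
A mail-gateway style check for this tell, as an added example that is not part of the original deck. It classifies a sender domain against the real domain `joincoded.com` and catches both variants shown in this topic (`joinc0ded.com` and `joincoded-finance.com`); the sender's local part `omar@`, the digit-for-letter map, the edit-distance threshold and the naive "second-to-last label" rule are assumptions made for the illustration.

```python
from email.utils import parseaddr

TRUSTED = {"joincoded.com"}  # the real domain named on the slide
# Assumption: a small digit-for-letter map; real homoglyph tables are larger.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    # Classic Levenshtein distance, one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, trusted=TRUSTED):
    domain = domain.lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    labels = domain.split(".")
    # Simplification: treat the second-to-last label as the registered name
    # (wrong for suffixes such as .co.uk; use a public-suffix list in production).
    sld = labels[-2] if len(labels) > 1 else labels[0]
    for t in trusted:
        brand = t.split(".")[0]
        if sld.translate(HOMOGLYPHS) == brand:
            return "lookalike: character swap" if sld != brand else "lookalike: different TLD"
        if brand in domain.translate(HOMOGLYPHS):
            return "lookalike: trusted name embedded"
        if edit_distance(sld, brand) <= 2:
            return "lookalike: near-miss spelling"
    return "unrelated"

def check_sender(from_header):
    # Judge the address, never the display name the reader's eye lands on.
    _name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    return domain, classify(domain)

if __name__ == "__main__":
    # Constructed From header; only the domain comes from the slide's story.
    print(check_sender("Omar Al-Brahim <omar@joincoded-finance.com>"))
    print(check_sender("Omar Al-Brahim <omar@joinc0ded.com>"))
```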
Tell 2 of 3
The analogy

"Now — and tell no one."

Every con needs two things: speed so you can't think, and silence so no one else can stop you. Together they isolate you at the exact moment you'd otherwise check.
NOW! · rush you, and isolate you
The term & the link

This tell is pressure + secrecy.

PRESSURE + SECRECY The same social-engineering moves from the last topic — rushing you, and telling you to keep it quiet.
Mini check · your call
The email says "wire it now" and "keep this between us." Why both at once?
Tell 3 of 3
The analogy

The changed account number.

Everything in the letter is familiar — except one new account number, slipped in among the usual words. That single change is the entire point of the forgery.
IBAN on the invoice · 471293 · two digits changed — money’s gone
The term & the link

This tell is altered bank details.

ALTERED BANK DETAILS A changed IBAN or account number dropped into an otherwise normal-looking request — the actual goal.
Mini demo · spot every red flag

Spot the BEC.

One real-looking email in finance. Tap every red flag you can find — five are hiding.

Inbox — Finance
From: Omar Al-Brahim <[email protected]>
Subject: URGENT — confidential wire needed today

Hi Mariam,

I'm tied up in back-to-back meetings and can't call. I need you to process a wire of KD 380,000 before 3pm today to close our new supplier deal.

Please keep this between us until the deal is announced.

Use the updated account details: IBAN KW81 CBKU 0000 0000 9981 2237.

Thanks, Omar — sent from my iPhone

Let's pause here.
I'm stopping for three questions before we move on — what's unclear, or what would you push back on?
When it was real

It's the costliest cybercrime there is.

FBI IC3 · annual BEC losses · Reported business-email-compromise losses in a single year — more than ransomware. No exploit, no malware; just a convincing email and a payment that wasn't checked.
#1
By reported losses
$0
Spent on malware
1 call
Would stop most
Confirm figures before quoting live. That closes Day 1 — tomorrow we defend.
Day 1 · wrap

Eighteen terms. One habit.

Roles, losses, malware, spyware, social engineering, BEC — every term gets worse in the dark and smaller in the light. Name it by behaviour, own it fast, verify before you act. Tomorrow: the standards, controls, and response that turn these stories around.
