An official training service of the State of the Kaharagians
CIS 201 Digital Security and Cyber Hygiene
Lesson 7 of 10 · CIS 201

Malware, Ransomware, and Online Scams

Lesson Overview

Behind many of the threats the earlier lessons taught you to recognise (the phishing email, the malicious download, the dubious site) lies a smaller set of things the attacker is actually trying to do: install malware on your device, lock up your files for ransom, or trick you directly out of money, credentials, or information through a scam. This lesson is about those payloads and frauds themselves: what malware and ransomware are and how they get in, what online scams look like and how they work on people, and the plain habits that keep all of them out. Where the phishing lesson taught the deception and the browsing lesson the front door, this lesson teaches the harm they are trying to deliver, so that the member understands not just the tricks but what the tricks are for, and can defend against the whole chain.

Two ideas run through it. The first is that malware usually needs the user's help to get in, and so the user is the best defence against it. Most malware arrives because someone opened an attachment, ran a download, clicked a link, or plugged in an infected device; the technical defences (security software, updates) matter, especially against the minority of malware that needs no click at all, but the decisive moment is usually a human one, which means the disciplined member who does not open, run, or click the dangerous thing stops most malware before any software has to. The second is that scams work on the person, not the machine, exploiting urgency, fear, greed, and trust to make people act against their own interest, so defending against them is less about technology than about recognising the emotional manipulation and pausing before acting. Together these mean that the member, alert and disciplined, is the single most effective defence against malware, ransomware, and scams alike, which is exactly the "human firewall" the course keeps returning to.

This is the knowledge layer of malware and scam defence; the protection comes from keeping the habits as second nature. It rests on the recognised cyber-hygiene foundations and is wholly defensive: the aim is to protect the member and the Principality's systems from these harms, never to deploy any of them. Read this to know the threats and the habits; the safety comes from the habits kept.

By the end you will be able to explain what malware and ransomware are and how they get in, recognise and avoid the common ways malware is delivered, understand how online scams manipulate people and recognise their patterns, apply the habits that keep malware and scams out, and know what to do if you suspect an infection or a scam.

Key Terms

  • Malware: malicious software, any program designed to harm, including viruses, worms, spyware, ransomware, and others; the payload many attacks try to deliver.
  • Ransomware: malware that locks or encrypts a victim's files and demands payment (a ransom) to release them; among the most damaging kinds.
  • Spyware: malware that secretly watches and steals information, such as passwords, keystrokes, or data, from an infected device.
  • Infection vector: the way malware gets onto a device; most often a user's action (an opened attachment, a run download, a clicked link, a plugged-in infected drive), sometimes an unpatched flaw that needs no action from the user at all.
  • Online scam: a fraud carried out over the internet that tricks a person directly out of money, credentials, or information by manipulation rather than by technical means.
  • Social engineering: the manipulation of people into acting against their interest, the method behind both scams and much malware delivery (Lesson 03).
  • Urgency and fear: the pressure tactics scams use to make a victim act fast and without thinking, before they can pause and check.
  • Too good to be true: the lure of an unrealistic reward (a prize, a windfall, a bargain) used to draw victims into a scam.
  • Backups: saved copies of data, kept separate from the live system and proven restorable, that allow recovery without paying a ransom; the chief defence that makes ransomware survivable (Lesson 05).
  • Pause and verify: the core defence against scams, stopping before acting on an urgent or tempting message and checking it through a trusted channel.

What malware is and how it gets in

Malware, malicious software, is the general name for any program built to harm, and it comes in many kinds with different aims: some steal information (spyware that captures passwords and data), some damage or disrupt, some give an attacker control of the device, and some, the ransomware treated below, lock up files for money. The member does not need to know every kind in detail; what matters is the shared truth that malware is hostile software the attacker wants to get running on your device, and that, once running, it can do serious harm, to the member, and, because the device connects to the Principality's systems, to the Principality. Keeping malware off the device is therefore a real contribution to the security of the whole.

The most important practical fact about malware is how it gets in, the infection vector, because that is where it can be stopped, and the great majority of malware gets in through a user's action. It arrives most often by: an attachment opened (a document, or something dressed up to look like one, that carries the malware); a download run (a program from an untrusted source, as the browsing lesson warned); a link clicked (leading to a malicious site or download); or an infected device plugged in (a USB stick or drive carrying malware). In nearly all of these the decisive step is something a person did (opening, running, clicking, plugging in), which means the user is positioned to stop most malware simply by not taking that step with anything untrusted. The exception worth naming is malware that exploits a flaw in unpatched software, or spreads from one device to another on its own, with no click required; that is what the updates of Lesson 08 and the security software are for, and it is why they are a real second line rather than an optional one. But the first and most effective line is the disciplined member who does not open the dangerous attachment, run the untrusted download, click the suspect link, or plug in the unknown device.

This is why the habits of the earlier lessons matter so directly here: the phishing recognition of Lesson 03, the safe downloading of Lesson 06, the device discipline of Lesson 04, are precisely the defences that stop malware at its vectors. Malware is mostly the payload those deceptions try to deliver, and refusing the deception refuses the malware. The member who has internalised "do not open, run, click, or plug in the untrusted thing" has closed the main doors malware comes through, which is most of malware defence.
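A practical check that follows from the attachment vector, offered here as an added example and not part of the course's own material: before anyone opens an attachment, look at what the file actually is rather than what its name says. The Python script below sniffs the first bytes of a file against a few well-known signatures, flags a document-looking name with an executable ending hidden behind it, and opens an Office file as the zip container it is to see whether it carries a macro project. The sample attachments are constructed in memory, and the extension lists are an assumption for the demonstration, not an exhaustive policy.

```python
"""Triage an email attachment before anyone opens it.

Added example for this lesson, not part of the course's own material.
It checks three things the attachment vector implies: does the content
match the name, does a document extension hide an executable one, and
does an Office file carry a macro project. Sample files are constructed
in memory; the extension lists are assumptions for the demo.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that run directly when double-clicked on a typical desktop
# (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                   ".ps1", ".msi", ".lnk", ".hta"}
# Extensions that say "just a document" to the reader.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Well-known file signatures (magic bytes) at offset 0.
MAGIC = {
    b"MZ": "windows-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",   # also .docx/.xlsx/.docm and friends
}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def has_office_macros(data: bytes) -> bool:
    """OOXML documents are zip files; VBA macros live in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> list[str]:
    """Return the reasons not to open this attachment (empty list = no flag raised)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append("document extension hiding an executable one")
    elif kind in ("windows-executable", "elf-executable"):
        reasons.append(f"content is {kind} but name says {last or 'no extension'}")
    elif last == ".pdf" and kind != "pdf":
        reasons.append("named .pdf but content is not a PDF")
    if kind == "zip-container" and has_office_macros(data):
        reasons.append("Office document contains VBA macros")
    return reasons


def build_macro_doc() -> bytes:
    """Construct a minimal zip shaped like a macro-enabled Word file (.docm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (names and bytes invented for the demo).
SAMPLES = {
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,    # executable behind a .pdf
    "quote.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # executable with a plain .pdf name
    "statement.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",  # genuine-looking PDF header
    "agenda.docm": build_macro_doc(),                    # Office file with macros
    "notes.txt": b"Meeting moved to 3pm.\n",             # plain text, nothing to flag
}


def triage_all(samples=SAMPLES) -> dict[str, list[str]]:
    """Run triage over every sample and return name -> reasons."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        verdict = "DO NOT OPEN" if reasons else "no flag"
        print(f"{name:18} {verdict:12} {'; '.join(reasons)}")
```

Run it and each sample gets a verdict. An empty reason list means "no flag raised", not "safe": a genuine PDF can still carry an exploit for an unpatched reader, which is why a check like this sits beside, not instead of, the habit of not opening unsolicited attachments and the updates of Lesson 08.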

Ransomware and the value of backups

Ransomware deserves its own treatment, because it is among the most damaging malware a member or an organisation can suffer and because the defence against its worst effects is specific. Ransomware locks or encrypts the victim's files and then demands payment to release them, holding a person's or an organisation's data hostage, and a successful ransomware attack can render documents, records, and systems suddenly inaccessible, which for a digital Principality whose substance is its information could be gravely damaging. Ransomware gets in by the same vectors as other malware, the opened attachment, the run download, so the prevention is the same; but its particular danger, the hostage-taking of data, calls for a particular defence beyond prevention.

That defence is backups, and it is why the backup discipline of Lesson 05 matters so much. The power of ransomware is that it makes your data inaccessible and offers to sell it back; but if you hold good, separate backups of your data, you can simply restore from them and ignore the ransom, because you have not actually lost the data, you have a copy. Backups thus turn a ransomware attack from a catastrophe into an inconvenience: instead of choosing between losing the data and paying criminals (who may not even restore it), the member or organisation restores from backup and recovers. Two conditions make this work, and the course treats both as seriously as making the backup. First, the backup must be genuinely separate: ransomware encrypts every drive, share, and synced folder the infected device can reach, so a backup that sits on a mounted drive or a permanently connected disk is encrypted along with the originals; a copy kept offline, or somewhere the compromised device's credentials cannot write, is what survives, and keeping more than one dated copy means a backup taken after the infection began does not silently replace the last clean one. Second, the restoration must be proven: a backup that cannot actually be restored, or that nobody has ever tried to restore, provides no protection, so "test that you can restore" is part of the discipline. One honest caveat: backups give you your data back, but if the attacker also copied it before encrypting it, a restore does not undo the theft, which is one more reason prevention comes first. Good, separate, tested backups are the single most important thing that makes ransomware survivable, which is why preventing malware (to keep it out) and keeping sound backups (to recover if it gets in) are the two halves of ransomware defence.

A word on paying: the firm guidance, for individuals and organisations, is that paying a ransom is to be avoided, because it funds and encourages the criminals, offers no guarantee of recovery, and marks the payer as willing to pay again. The member's part is not the payment decision, which belongs to those responsible for the systems, but to prevent the infection and to ensure, through good backups, that paying is never the only option. The member who keeps malware out and keeps data backed up has done their part to make ransomware a survivable inconvenience rather than a disaster.

   RANSOMWARE: KEEP IT OUT, AND BE ABLE TO RECOVER

   IT DOES   locks/encrypts your files, demands PAYMENT to release them
             ......... grave for a digital state whose substance is its data

   DEFENCE (two halves):
     PREVENT   same vectors as other malware -> don't open/run/click/plug
               in the untrusted thing (Lessons 03, 04, 06)
     RECOVER   good, SEPARATE backups (Lesson 05) -> restore and ignore the
               ransom; you didn't lose the data, you have a copy
               ......... test that you can actually RESTORE; keep backups
                         separate so the ransomware can't reach them too

   Paying funds the criminals and guarantees nothing. Backups make
   ransomware a survivable inconvenience, not a catastrophe.
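To make "keep backups separate" and "test that you can restore" concrete, here is an added example in Python that is not part of the course material. In a temporary directory it backs up a small constructed data set into an archive, records a SHA-256 manifest at backup time, copies the archive to a second location the script never hands to the simulated malware, lets a stand-in for file-encrypting ransomware overwrite everything it can reach (the live data and the archive on the "mounted share"), and then runs the same restore test against both copies. The directory layout, the file contents, the manifest format and the toy overwrite standing in for encryption are assumptions for the demonstration.

```python
"""Make a backup, prove it restores, and show why 'separate' matters.

Added example for this lesson, not course material. In a temporary
directory it records a SHA-256 manifest when the backup is made, lets a
stand-in for file-encrypting malware overwrite everything it can reach,
then runs the same restore test against a reachable copy and a separate
one. Paths, file contents and the toy overwrite are assumptions for the demo.
"""
import hashlib
import os
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(data_dir: Path, archive: Path) -> dict[str, str]:
    """Archive data_dir and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(data_dir, arcname="data")
    return manifest(data_dir)


def restore_and_verify(archive: Path, target: Path, expected: dict[str, str]) -> bool:
    """The lesson's 'test that you can restore': extract, then compare every file."""
    try:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe extraction filter where this Python has it (3.12+,
            # and backported point releases); it refuses path-traversal entries.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(target, **kwargs)
    except (tarfile.TarError, OSError):
        return False  # unreadable, corrupt, or overwritten archive
    return manifest(target / "data") == expected


def simulate_ransomware(*roots: Path) -> None:
    """Stand-in for file-encrypting malware: overwrite every file it can reach."""
    for root in roots:
        for p in root.rglob("*"):
            if p.is_file():
                p.write_bytes(b"ENCRYPTED:" + os.urandom(16))


def demo() -> dict[str, bool]:
    """Run the whole scenario and report which copies still restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        data = tmp / "data"
        (data / "records").mkdir(parents=True)
        (data / "records" / "ledger.csv").write_text("id,amount\n1,100\n")
        (data / "memo.txt").write_text("Quarterly memo.\n")

        # Backup 1 lives on a share the workstation stays connected to.
        # Backup 2 is the 'separate' copy: written once, then kept where the
        # infected machine has no path to it (here: a directory we never give
        # the simulated malware).
        reachable = tmp / "mounted-share" / "backup.tgz"
        separate = tmp / "offline" / "backup.tgz"
        reachable.parent.mkdir()
        separate.parent.mkdir()
        expected = make_backup(data, reachable)
        shutil.copy(reachable, separate)

        # Infection: the live data and the mounted share are both reachable.
        simulate_ransomware(data, reachable.parent)

        return {
            "live_data_intact": manifest(data) == expected,
            "restore_from_reachable": restore_and_verify(reachable, tmp / "r1", expected),
            "restore_from_separate": restore_and_verify(separate, tmp / "r2", expected),
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:24} {'OK' if ok else 'FAILED'}")
```

The restore test is the point. It is not enough that an archive exists: restore_and_verify only passes when every restored file hashes to what was recorded at backup time, which is also how a backup that was quietly encrypted, truncated, or corrupted would be caught on a routine check rather than on the day it is needed. The copy on the mounted share fails exactly as the lesson warns, because the stand-in malware could reach it; the separate copy restores.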

How online scams work

Online scams are frauds that trick a person directly, out of money, credentials, or information, by manipulating the person rather than attacking the machine. They overlap with phishing (Lesson 03), which is one form of scam, but the category is broader: the fake prize, the bogus investment, the romance fraud, the impersonation of an authority demanding payment, the fake invoice, the "tech support" call claiming your device is infected. What unites them is that they work on human psychology, not on technical vulnerability, which means the defence is also human: recognising the manipulation and refusing to be rushed or tempted into acting.

Scams work by exploiting a handful of human levers, and recognising the levers is most of the defence. Urgency and fear are the commonest: the scam manufactures a crisis (your account will be closed, you owe money, you are in trouble) to make the victim act fast, before they can pause and check, because a person hurried into action does not think clearly. Too good to be true is the opposite lure: an unrealistic reward (a prize you did not enter for, a windfall, a bargain that is impossibly good) dangled to draw the victim in past their judgement. Trust and authority are exploited by impersonation: the scammer poses as a bank, an official, a superior, or a known company, borrowing the trust those command to make their demand seem legitimate. And emotion (sympathy, fear, excitement, romance) is worked to cloud judgement. The scam's whole art is to get the victim feeling (urgent, frightened, greedy, trusting) rather than thinking, because a feeling person acts and a thinking person checks.

This is why the defence against scams is not chiefly technical but a matter of recognising the manipulation and restoring the thinking the scam tries to bypass. The member who knows the levers (urgency, the too-good-to-be-true offer, false authority, emotional pressure) can feel them being pulled and recognise, in that very pressure, the mark of a scam. A message that rushes you, that offers too much, that demands payment or credentials under pressure, that plays hard on your fear or hope, is suspect precisely because of how it makes you feel, and that recognition is the defence.

Pause and verify: the defence against scams, and what to do

The single most effective defence against scams is to pause and verify: to stop before acting on any urgent, tempting, or pressuring message, and to check it through a trusted, independent channel before doing anything. Because scams work by rushing the victim past their judgement, the simple act of pausing (refusing to be hurried, taking a moment to think) defeats most of them, since a scam that depended on a snap reaction fails the moment the victim slows down. And because scams impersonate trusted parties, verifying through an independent channel exposes the impersonation: contact the bank, the authority, the superior, or the company directly, by a number or address you find yourself (on the back of your card, on the official site, in the staff directory), never by one the message gives you and never by replying to it, because the real party will not know of the fake crisis the scam invented. The sender name, the e-mail address shown, and the caller ID on a phone can all be faked, so none of them counts as verification; only a channel you opened yourself does. Pause, then verify independently: those two habits together break the great majority of scams.

This connects to the firm rules the course has taught throughout: never give a password, a code, or sensitive information in response to an unsolicited message or call (no legitimate party demands these that way); never make a payment under pressure without independent verification; and treat any message that combines urgency with a demand for money, credentials, or action as suspect until proven otherwise. The member who holds these rules and the pause-and-verify habit is highly resistant to scams, whatever form they take, because the defence is general: it attacks the manipulation that all scams share rather than the particular story any one of them tells.

Finally, what to do if malware or a scam is suspected. If you suspect your device is infected, the discipline is that of the next lesson: do not ignore it, disconnect it from the network if you can to stop it spreading, do not try to clean it up yourself in a way that destroys evidence, and report it at once so it can be properly handled, exactly the recognise-report-do-not-tamper drill of Lesson 10. If you suspect a scam, do not engage further, do not pay or hand over anything, and report it, both so you can be helped and so others can be warned. And throughout, hold the no-blame principle the course insists on: a member who realises they may have clicked the wrong thing or fallen for a scam should report it immediately and without fear of blame, because the early honest report lets the damage be contained, while the hidden mistake festers. The member who keeps malware and scams out by good habits, and reports at once when something gets through, has done the whole of their part.

In Practice: Two Attempts, Both Refused

A member of the Royal Kaharagian Army faces, in one week, an attempt to plant malware and an attempt to scam them, and refuses both by the habits of this lesson, where a careless member would have fallen to either. The attacks are ordinary; the defence is ordinary too, which is the point.

The malware attempt arrives as an attachment in an unexpected message, a document the member is urged to open. The member knows malware gets in mostly through such user actions, so they treat the unsolicited attachment as the infection vector it likely is and do not open it; the malware, needing the member's action to run, never does. Had it come instead as a download from a dubious site or an infected USB found lying about, the same discipline, do not run the untrusted download, do not plug in the unknown device, would have stopped it. The member also reflects, with some comfort, that even had something slipped through, their backups mean ransomware could not hold their data hostage, because they could simply restore.

The scam comes as a message manufacturing urgency and fear, claiming a crisis with an account and demanding immediate action and credentials. The member feels the pressure, and recognises in that very feeling the mark of a scam, the rush, the fear, the demand for credentials under pressure, and instead of reacting, they pause. Then they verify independently, contacting the real organisation through a number they find themselves, not the one in the message, and learn there is no crisis: the message was a fraud. They give nothing, pay nothing, and report both the malware attempt and the scam, so others can be warned. Neither attack succeeded, not because the member is a technical expert, they are an ordinary user, but because they kept the plain habits: refuse the untrusted attachment, keep backups, recognise the manipulation, pause and verify, and report. That is malware and scam defence, and it is within every member's reach.

Check Your Understanding

  1. Explain what malware is and the common infection vectors by which it gets in, and why "malware almost always needs the user's help," making the disciplined member the best defence. How do the earlier lessons (phishing, safe browsing, device discipline) stop malware at its vectors?
  2. Explain what ransomware does and the two halves of defending against it (preventing the infection, and recovering through good, separate backups that make it survivable). Why is paying a ransom to be avoided?
  3. Explain how online scams work on the person rather than the machine, the human levers they exploit (urgency and fear, too-good-to-be-true, false authority, emotion), and the core defence of pause and verify. What should you do if you suspect an infection or a scam?

Reflection (write a short paragraph): This lesson argues that scams work by making you feel (urgent, frightened, greedy, trusting) rather than think, because a feeling person acts and a thinking person checks. Recall a time a message or call made you feel a sudden pressure to act: a crisis, a deadline, an offer too good to miss. Looking back, were you being rushed past your own judgement, and would pausing and checking through an independent channel have changed what you did? Why is the simple habit of pausing before acting on an urgent message such a powerful defence, and what makes it hard to do in the moment?

Summary

  • Malware is malicious software (spyware, ransomware, and others) that an attacker wants running on your device; once running it can seriously harm the member and, through the connected device, the Principality. Its infection vectors are mostly user actions (opening an attachment, running a download, clicking a link, plugging in an infected device), so the disciplined member who refuses the untrusted thing stops most malware before any software must; the minority that needs no click is what updates (Lesson 08) and security software are for.
  • Ransomware locks or encrypts your files and demands payment. Defend in two halves: prevent the infection (same vectors, same habits) and recover through good backups (Lesson 05), kept separate where the infected device cannot reach them, that let you restore and ignore the ransom, turning a catastrophe into an inconvenience. Test that you can restore; paying funds criminals and guarantees nothing.
  • Online scams trick the person directly by manipulating human psychology, not the machine, exploiting urgency and fear, too-good-to-be-true lures, false authority (impersonation), and emotion. The art is to make the victim feel rather than think, so recognising the manipulation, and the very pressure it applies, is the defence.
  • Pause and verify is the core defence against scams: stop before acting on any urgent or tempting message (a scam that needs a snap reaction fails when you slow down), and verify through an independent, trusted channel you find yourself (which exposes the impersonation). Never give credentials or payment under pressure to an unsolicited message.
  • If malware or a scam is suspected: do not ignore it, disconnect an infected device, do not tamper or engage, give nothing, and report at once without fear of blame (Lesson 10), so the damage is contained and others are warned.
  • This is the knowledge layer; the protection comes from keeping these habits as second nature. The lesson builds on the phishing of Lesson 03, the safe browsing of Lesson 06, the device discipline of Lesson 04, and the backups of Lesson 05, depends on the updates of Lesson 08, and feeds the spotting and reporting of Lesson 10. Everything here is defensive and lawful.

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia

Lesson 7 · Knowledge Check

Question 1 of 3

How does most malware actually get onto a device?