How to Teach Your Employees to Spot a Phishing Email
Because so many businesses use email as an essential tool in their everyday operations, phishing remains a preeminent cybersecurity threat to businesses. The more employees a company has, and the more they rely on email for communication, the greater the chance that someone will fall victim to a scam. One mistake can allow a cybercriminal to gain uninhibited access to financial or proprietary information or release confidential data about their company, its co-workers, or its customers.
Unfortunately, many people still struggle to identify a fraudulent email, and emails are only becoming more convincing as scammers’ techniques evolve. As the World Economic Forum points out, 95% of all cybersecurity issues can be traced to human error. However, that stark statistic comes with a silver lining—by adequately training your staff to spot a phishing attempt, you can significantly reduce your business’s cybersecurity risks.
In this post, we’ll cover how to train employees to spot phishing attempts, as well as ways you as an employer can improve your business’s cybersecurity practices.
Anatomy of a Phishing Scam
To better prevent your employees from falling victim to cybersecurity fraud, let’s explore what these scams typically look like, how they can be delivered, and how employees can learn to recognize them for what they are.
How are phishing scams delivered?
While email is still the top delivery method for phishing scams, there are other methods that can be just as insidious.
Texts and phone calls from scammers can be used to target employees and gather sensitive data, and scammers can even reach out to employees on social media, including sites like LinkedIn.
Regardless of the mode of communication, scammers will pose as someone trusted—often a fellow employee or someone from a trusted agency, company, or organization—urging employees to:
- Send money or gift cards.
- Grant access to financial accounts or other online platforms.
- Provide access to an internal network.
While scammers can manipulate caller ID or email address to mimic trusted senders, if they gain access to internal email accounts or messaging platforms (like Microsoft Teams or Slack) they can send authentic internal messages that can be even harder to detect as scams. That’s why it’s important for employers to stress that all requests for confidential information or money that seem to come from fellow employees be verified using a secondary method of communication with that person.
What are the different types of phishing strategies?
Scammers use a wide variety of tactics, so it’s important for employees to be familiar with the different ways in which they may be approached. These can include:
Malware Phishing
Malware or ‘malevolent software’ is any software that allows scammers to take advantage of their victims. Whether it implants software to remotely view screens or track keystrokes, or software that blocks access to important data until a ransom is paid, malware is one of the most nefarious forms of phishing. Malware can be inadvertently installed by downloading an attachment guised as a legitimate file (like a resume or account statement), clicking on a link that initiates a download, or downloading a suggested app or software upgrade from a third-party platform or popup.
Spear Phishing
Spear phishing, or “targeted attacks” are when scammers conduct research on individuals (about their jobs or personal lives) in order to effectively target them, gain trust, or disguise themselves as a person or organization the victim may regularly interact with.
Whaling: Whaling is a form of spear phishing where the target is huge, like the CEO of a company or someone with exceptional access to information or accounts. Cybercriminals may invest a significant amount of time researching, infiltrating close-knit circles, and creating believable scenarios to deceive their “whales.”
What can businesses do to improve their cybersecurity?
Here are a few things your business can do to protect itself, its employees, and its customers from cyber threats.
Develop a Cybersecurity Policy
Establish a comprehensive cybersecurity policy that outlines the organization's security protocols, guidelines, procedures—and consequences for employees who disregard protocol. This policy should be clear, concise, and easily accessible to all employees. It should cover all key aspects of cybersecurity including password management, data encryption, email and internet usage, social engineering awareness, and reporting procedures for suspicious activities.
Provide Regular Training and Education
Because cyber threats are always evolving, cybersecurity training should be an ongoing process and not a one-time event. Businesses should conduct regular training and education programs to keep their employees updated on the latest threats and best practices. This can include workshops, webinars, online courses, and other forms of training that cater to different learning styles. Employees should learn how to spot phishing attacks, secure personal and company devices, avoid clicking on suspicious links or downloading unknown attachments, and use strong and unique passwords.
Encourage an Open Environment
Tech can be intimidating, and employees may feel ashamed to ask questions or seek assistance—especially if they feel that they may have made a mistake. But Delaying action during a cyberattack can have grave consequences, and creating an environment where employees do not feel comfortable asking questions or requesting help can also lead to lost opportunities for learning. Let your employees know they are valued, that there is no such thing as a “dumb question”, and your top priority is to simply keep your business secure, for their benefit as well.
We Take Cybersecurity Seriously
At American Community Bank & Trust, we know that cyber fraud is a major threat to businesses of all sizes and strive to provide the most secure commercial bank services that we can. From robust security measures to safeguard ACH transactions and wire transfers to Positive Pay services to verify the authenticity of your payments, we work hard to keep your accounts safe.
Reach out to us to learn more about our commercial cybersecurity practices, and how we can be part of your comprehensive strategy to protect your business from fraud.