David Kelleher Profile min

David Kelleher

May 01, 2023

David Kelleher Profile min

David Kelleher

May 01, 2023

Raising awareness on phishing attacks among employees

Today, phishing is one of the most prevalent and dangerous types of cybercrime that businesses and individuals face nearly three decades after the word was first recorded, in 1995. 

What is phishing?  

It is a social engineering attack in which a malicious actor tries to trick or lure someone into divulging sensitive information, such as login credentials, financial details, or personal data, by posing as a trustworthy organisation, website or person they know well, for example, the company’s CFO or even the CEO. 

These attacks come mostly via email, but they can also be delivered through phone calls, text message or social media. They have become so sophisticated that even trained professionals can fall victim to such attacks. 

According to Ironscales, 8 out of 10 organisations worldwide have experienced an increase in phishing attacks since March 2020. 

EarthWeb estimates that more than 3 billion phishing emails are sent daily, and almost half of all emails sent in 2021 were phishing attempts

Phishing is a very lucrative revenue stream for cybercriminals. For example, clients of a UK law firm lost more than £3 million due to a phishing attack in April 2022.  

Phishing attacks are so successful because they target one of the weakest links in an organisation – employees.  

To prevent your company from falling victim to a phishing attack, it's essential to train employees on how to recognise and avoid these scams.  

The Red flags 

There are several red flags that can indicate a phishing email or message.  

Suspicious senders or domain names: Check the sender's email address carefully, as scammers often use domain names that are similar to legitimate ones but with slight variations. Check the email header to confirm if it is a legitimate domain. 

Urgency or fear tactics: Phishing messages often use urgency or fear tactics to prompt quick action from the recipient. Think twice before opening and if in doubt delete and call the person who sent the email to verify. 

Request for sensitive information: Most businesses never ask for sensitive or financial information by email. Neither do genuine organsations ask you to update your credentials or bank details by email. If in doubt, contact the sender and delete. 

Amazing offers: If it’s too good to be true, then it most likely is. Quick wins, surprise gifts, and coupons, for example, are used to tempt users to click on the links or attachments. 

Misspellings and grammatical errors: Many phishing emails contain misspellings or grammatical errors, which can be a sign that the message is not legitimate. Badly designed or formatted emails should also raise a flag. 

Suspicious links or attachments: Hover over links before clicking on them to ensure they lead to a legitimate website. The rule is simple: Do not download attachments from unknown sources. 

The message to employees should: if in doubt, delete. Contact the sender by email or phone to verify the information or request.  

What you can do 

  1. Ensure that ALL employees receive some form of cybersecurity awareness training or dedicated phishing training. 
  1. Sign up for a security awareness program that allows you to educate and test your employees’ actions when receiving phishing emails. Most programs integrate seamlessly with your corporate email and in real-time.  
  1. Show employees what phishing is and how it works. Explain the different types of phishing attacks and how they can be delivered - email phishing, spear phishing, and smishing (SMS phishing), among others. Ask your IT team to send samples of phishing attempts to everyone as part of an ongoing phishing awareness exercise and explain the tactics that scammers use to make their messages look legitimate. 
  1. Emphasize the importance of being cautious. Encourage them to always think twice before clicking on links, downloading attachments, or entering sensitive information online. 
  1. Establish policies and procedures for them to report phishing attempts to the IT department or security team. 

It is important to create a culture of security awareness among employees. Cybercriminals play on human error and this is a major security weakness. Training employees to stop phishing attacks contributes to a more secure first line of defence and a huge step towards keeping your business safe. 

Read next