One way to help employees stay alert to potential phishing attacks and catch them early on is to configure a DNS Filtering service or Gateway firewall to block newly registered domains. Blocking newly registered domains helps mitigate many phishing attacks since attackers frequently register new domains that aren’t yet classified as a threat by security services. By preventing the employee from unknowingly interacting with a newly registered domain, you can create a buffer where the employee has a chance to verify the legitimacy of a new website or catch instances where the attacker is using a name similar to a well-known company.
My favorite approach is to use phishing simulations in combination with micro-learnings. I've yet to meet anyone who doesn't hate security trainings more than five minutes in length, so rather than fighting that I find it better to meet people halfway and require them to do short and up-to-the-moment trainings when they're caught messing up. If you pass the phishing attempt and, even better, report it, then you probably deserve your free pass to carry on with your day.
Encouraging open communication in the office is the best way to prevent a security incident stemming from a phishing email. As a recruiter, I see candidates daily. Many tell me that their current or previous job eschewed this kind of open communication, leading them to feel alone when it came to decision-making. That's often a reason they're moving on. And, when it comes to cyber security, unwavering independence makes failure more likely. I always emphasize to my employees that wanting a second-opinion is no sign of naivety. When workers are faced with a questionable email, they should know they're able to bring the concern to management without fear of repercussion or judgement. These emails are becoming more sophisticated by the day, so requesting a fresh set of eyes on the link before clicking is a great habit to develop. Rob Reeves CEO & President, Redfish Technology https://www.redfishtech.com/fintech-recruiting/
Phishing is typically conducted via email, with links. How many people actually know what to do with links to determine if they are safe? Therein lies the problem. Many cyber security awareness training solutions will state things like “don’t click on strange looking links”, and yet many legitimate links can be “strange looking”! So, if you really want to protect against phishing, it’s a good idea to teach people in detail how to deal with links. It doesn’t take that long (half an hour can cover it quite well), but you need to ensure you are talking about topics such as: what risks links pose; what they can look like; hovering; how to read them; warning signs (e.g. an @ sign in the link); QR codes; use of legitimate sites by criminals; research tools (e.g. VirusTotal). Ensure the content is relatable so they care (that typically means a focus on home use). Keep it short, fun, engaging, and include practical examples that they can work through.
Hovering on the link with the mouse. If the preview link on the left looks suspicious, don't click on it. Masking links is pretty easy, and it's an often used method by scammers. You must always check the link before clicking, and read it really carefully. It's maybe not facebook.com but faceb00k.com, not google but g00gle, or not facebook.com but rather facebook.co. My name can be spoofed easily and my coworkers can get mails from my name in their inbox by scammers, and they'd still check the links in the mail, even if it looks like it came from me. So, previewing the links and paying attention, that's critical.
One tip to avoid falling victim to phishing attempts is to encourage employees to engage in ethical hacking exercises. By participating in controlled and supervised hacking activities, employees can gain firsthand experience of phishing techniques and tactics. This practical knowledge enhances their ability to recognize red flags and develop a critical mindset towards suspicious emails or communications. For example, employees can be given simulated phishing emails and tasked with identifying red flags, such as poor grammar, suspicious sender addresses, or requests for personal information. This hands-on approach enables them to understand the phishing landscape better and strengthens their defenses against real-world phishing attempts.
Oh I had a lot of issues with this and I had to have multiple conversations about it. I’d say what drove my point home, ultimately, was teaching people that no one asks you to click links in their emails. Some do for verification purposes, but that’s where my second tip comes in: always check the email address that’s sending you the email. It becomes immediately obvious that the email isn’t actually from Amazon when the email address is 3964jggdew942@scam.com
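The link-reading checks described in two of the earlier answers (an @ sign in the link, look-alike spellings such as faceb00k.com and g00gle.com, a swapped top-level domain such as facebook.co, and comparing the visible link text with the hover preview) together with the sender-address check in this answer, written out as detection code. This is an added example, not code from any of the respondents: the brand allow-list, the confusable-character table, the naive two-label "registrable domain" split and the sample inputs are all constructed assumptions, and it generalises slightly by also flagging a brand name that appears in a link whose actual domain belongs to someone else.

```python
"""Red-flag checks for links and sender addresses found in email.

Added example, not code from any of the answers on this page. The brand
list, the confusable-character table, the two-label 'registrable domain'
split and the sample inputs are all constructed assumptions.
"""
from email.utils import parseaddr
from typing import List
from urllib.parse import urlsplit

# Constructed allow-list: brand name -> domains that brand actually uses (assumption).
KNOWN_BRANDS = {
    "facebook": {"facebook.com"},
    "google": {"google.com"},
    "amazon": {"amazon.com"},
}

# Digits commonly swapped in for letters in look-alike domains.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLE_CHARS)


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels. Real code should use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _split(url: str):
    return urlsplit(url if "://" in url else "http://" + url)


def link_red_flags(href: str, display_text: str = "") -> List[str]:
    """Return human-readable warnings for one hyperlink (empty list means nothing found)."""
    flags = []
    parts = _split(href)
    netloc, host = parts.netloc.lower(), (parts.hostname or "")
    # An '@' in the authority part: the browser ignores everything before it.
    if "@" in netloc:
        flags.append(f"'@' in link: the real host is {host}")
    reg = registrable(host)
    reg_label = reg.split(".")[0]
    for brand, domains in KNOWN_BRANDS.items():
        if reg in domains:
            continue  # genuine domain for this brand
        if normalise(reg_label) == brand:
            if reg_label != brand:
                flags.append(f"look-alike of {brand}: {reg}")  # faceb00k.com, g00gle.com
            else:
                flags.append(f"{brand} with unexpected top-level domain: {reg}")  # facebook.co
        elif brand in netloc:
            flags.append(f"'{brand}' appears in the link but the domain is {reg}")
    # Visible text that looks like a URL should point where the real link goes.
    if display_text and "." in display_text:
        shown = _split(display_text).hostname or ""
        if shown and registrable(shown) != reg:
            flags.append(f"text shows {shown} but the link goes to {host}")
    return flags


def sender_red_flags(from_header: str) -> List[str]:
    """Warn when the display name claims a brand the address domain does not belong to."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no usable sender address"]
    reg = registrable(addr.rsplit("@", 1)[1])
    return [
        f"display name says {brand} but the address domain is {reg}"
        for brand, domains in KNOWN_BRANDS.items()
        if brand in name.lower() and reg not in domains
    ]


if __name__ == "__main__":
    # Constructed samples, not real messages.
    samples = [
        ("https://www.facebook.com/", ""),
        ("https://faceb00k.com/login", ""),
        ("https://facebook.co/", ""),
        ("http://www.amazon.com@scam.example/verify", ""),
        ("http://amazon-orders.example/", "https://www.amazon.com/orders"),
    ]
    for href, text in samples:
        print(href, "->", link_red_flags(href, text) or "no flags")
    print(sender_red_flags("Amazon <3964jggdew942@scam.com>"))
```

The two-label domain split is deliberately simple so the example stays self-contained; for country-code second-level domains (co.uk and the like) a real filter would resolve the registrable domain with the public suffix list instead.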
First, you need to train them over and over again! I would recommend doing it at least bi-monthly and keeping them informed in between with security-related content and best practices. This will raise security awareness and it will also establish the mindset that YOUR organization takes security seriously. The good old saying "trust but verify" should be applied to anything that looks or sounds remotely suspicious. In the Secret City (Oak Ridge, TN) during the Manhattan Project in the 1940s, huge billboards would remind and train people to keep secret things secret. Today we assume wrongly that people understand that certain things need to be protected, and we could not be more wrong. Edward Snowden was a contractor who convinced over 20 government employees to hand over their passwords so he could do his job as an administrator. Their ignorance caused the largest data breach in NSA history, and this could have been easily prevented with frequent security training and frequent reminders.
One thing to consider when training employees to recognize phishing red flags is the unique vulnerability of your particular workforce. As a recruiter specializing in the executive sphere, I work with a lot of established employees who were trained before the Internet engulfed everything. They're also powerfully skilled and in high demand, meaning they can be a little strong-headed when it comes to verbalizing their own weaknesses. Keeping this in mind has allowed me to craft successful training programs. Hands-on learning is crucial, and whenever possible, I try to bring in teachers who are of the same generation as them. Highlighting what might be obvious to Gen-Z is an important step, so starting at the basics is often a key to success, but I do so while concurrently reminding them of the value inherent in their experience. Travis Hann Partner, Pender & Howe https://penderhowe.com/toronto-executive-search/
The most important factor is to catch your employees in the right mindset to be receptive about improving their resistance to phishing attempts. One approach that I've been quite impressed by was a small company that would bring in employees from various departments into their cybersecurity meetings to help them craft believable phishing simulation scenarios for their particular department. Nothing gets you in the right frame of mind to work on your anti-phishing training quite like getting caught with your pants down by something that looks extremely believable due to an inside man helping fine-tune the details and exploit vulnerabilities.
My preferred approach is to link internal phishing simulations with immediate bite sized learning. You are never going to have a more receptive audience to a cybersecurity training than after someone falls for a phishing simulation, so rather than waiting and putting together a list of people that need to take your cybersecurity course again I prefer to push a short quiz or something similar immediately after the failed interaction. It really does work significantly better if you can do something in the moment, even if it is just a few questions, as your audience is ready to work with you.
Start with clear policies on reporting suspicious emails and required training upon onboarding and annually. Run simulated phishing tests to gauge vulnerability. Use any breaches as teachable moments without punishment. Share examples of phishing emails alongside authentic ones so employees learn how to spot differences in tone, grammar, and sender address. Teach them to hover over hyperlinks to check destinations before clicking. Set up a workflow requiring verification calls for unusual financial requests. Remind staff it is always better to double-check if something seems off rather than worry about delaying a response. Foster a culture of healthy skepticism instead of implicit trust. My top tip is to pause before reacting anytime you feel a false sense of urgency or fear created by content. Phishers rely on triggering emotional responses. Staying calm allows rational assessment of legitimacy.
Edtech Evangelist & AI Wrangler | eLearning & Training Management at Intellek
Answered 2 years ago
We use an interactive training approach to teach employees how to spot phishing attempts. Our training includes regularly updated online modules with simulated phishing exercises and real-world examples to keep the content relevant. A subscription model allows us to provide ongoing, up-to-date training, encouraging a proactive response to new phishing techniques. Through interactive exercises, employees learn to be skeptical of suspicious emails and practice avoiding immediate actions. A key training tip is to verify unusual emails, especially those from apparent internal sources, using alternative communication channels like phone calls or separate email threads. Another crucial takeaway is to avoid responding to or clicking links in suspicious emails. By promoting skepticism and proactive verification, employees become better at recognizing and stopping phishing attempts, contributing to a more secure work environment.
In our Japanese teaching company, we equate recognizing phishing with learning katakana syllables. Just as each incorrect stroke order or direction in katakana signals error, so do strange email addresses or too-good-to-be-true offers ring alarm bells. We instill a cautious mindset that our employees apply to their inbox. Our safety rule? 'Filter before you fulfill'. Let every email pass through a 'reality-check' filter. It's as crucial as practicing the right stroke orders, and it keeps phishing at bay.
Staying Cautious through Simulated Exercises
We train employees to recognise phishing red flags through multiple steps. First, we teach them the standard practices, i.e., spotting common signs like incorrect URL spellings and generic greetings. Second, we create simulated phishing exercises with controlled and realistic scenarios. These tests check if your employees can identify phishing attempts and give feedback and learning resources accordingly. My tip to avoid falling into phishing attempts is to verify unidentified emails through independent and trusted channels. Rather than directly contacting the suspicious mail, you should try a different phone number or mail address to verify the legitimacy of the mail address. Phishers sometimes mimic internal communication, so alternative contact channels are a great way to cross-check the sender and reduce phishing chances. By spotting common signs and verifying your received communication, you can always stay ahead of scammers.
Training employees to recognize phishing red flags is a critical aspect of cybersecurity. Here's a two-part answer to your question:
Training Employees:
Education and Awareness: Provide comprehensive training programs that educate employees about common phishing tactics. Use real-life examples to illustrate the dangers and how to recognize suspicious emails or messages. Regularly update this training to keep up with evolving phishing techniques.
Simulated Phishing Tests: Conduct regular simulated phishing tests within your organization.
One Tip to Avoid Falling Victim to Phishing:
One important tip to avoid falling victim to phishing attempts is to trust your instincts. If an email or message feels even slightly suspicious or too good to be true, it's better to err on the side of caution. Employees should feel empowered to question the legitimacy of any communication that raises doubts. Always verify the sender's identity and the request's authenticity before taking any action.
As a hands-on tech CEO, I run surprise 'Phish Alert Tests' with fake scam emails, training my staff to spot clues like mismatched URLs or pressure tactics. Key anti-phishing tip: Never act on an email asking for sensitive info unless you've confirmed it with the sender on a known number or in person first.
One tip to avoid falling victim to phishing attempts is to always verify the authenticity of a request or email by contacting the supposed sender through a separate trusted communication channel. This extra step helps confirm the legitimacy of the request and avoids falling into a phishing trap. For example, if an employee receives an email requesting sensitive information or financial transactions, they should not reply directly to the email. Instead, they can independently look up the contact information of the sender and reach out through a verified phone number or a company-provided email address. By doing so, employees can minimize the risk of inadvertently sharing confidential information with attackers masquerading as legitimate senders.
Phishing attacks severely threaten organisations as they trick individuals into sharing confidential details like login credentials, credit card information, and customer data. The best way to prevent phishing attacks is through regular awareness training. It keeps employees updated on the latest phishing methods and prepares them to act appropriately on seeing something fishy. Such training should include safe browsing habits and best practices for password management. It will help organisations to keep their sensitive data safe from a successful phishing attack.
While it’s really useful to offer some in-house training services, educational materials, and even newsletters that alert employees of the latest phishing scams, I find that it’s also important to get third-parties involved in the process. Even if you have a great cybersecurity team, you’ll still get value from hiring a third-party expert to come and do a presentation. They can add new insight to the process of identifying the red flags of not only phishing scams, but also other types of hacks that cybercriminals use to infiltrate corporate servers. This should be done regularly, as criminals are constantly finding new ways to infiltrate and hack - so what was valid a few months ago might still be, but there are new ways that they go about it. This is especially a concern with the rise of AI tech.