Imagine this scenario: you’re a managing director of a small business. One day, you receive an email from one of your suppliers stating that it is time to renew your annual subscription.
The email states that this is the last day you can renew before your company’s access to the service is prohibited. You think to yourself that you must have missed the other emails, which isn’t surprising as it’s been a busy month.
Unfortunately, you are about to head into an important meeting. So, you forward the email to a couple of junior members on the team who are familiar with the service and ask them to take care of it.
Without you realizing it, you’ve just forwarded a phishing email to your staff. Your junior employees are keen to impress, so they immediately drop their current tasks to act on your email and proceed to share sensitive data with the email address in question.
Within minutes, your company has lost thousands of dollars to cybercriminals, and it will take weeks to recover.
Why you shouldn’t forward emails to your employees without due diligence
The scenario above isn’t just hypothetical. It has happened to countless organizations over the last few years. In 2020, 75% of companies across the globe faced phishing attacks, and 74% of those in the US were successful.
To defend against phishing attacks, many organizations deploy employee phishing training modules, which equip employees with the knowledge they need to spot phishing emails.
However, this training will most likely go out the window if an employee receives a phishing email forwarded to them by their boss. Even the most tech-savvy junior staffer is unlikely to question a request from a senior member of their team.
How to conduct employee phishing training that works
Employee phishing training is a great way to reduce the likelihood of your people falling victim to phishing scams. However, for phishing training to be effective, you need to ensure that every employee is playing their part – from your newest employees to your co-founders.
You see, every single person in your organization is vulnerable to phishing. A scam email could land in any one of your inboxes. You need to be sure that your senior and junior employees can spot these emails and take the right course of action.
In fact, managers and business leaders are often more of a target for phishing than junior employees. This is because cyber attackers realize that senior businesspeople tend to have more authority and access privileges than junior team members.
Here are a few things to bear in mind to ensure that you aren’t undermining your employee phishing training efforts:
Conduct regular, bite-sized training for all employees
Annual IT security days aren’t enough to keep phishing awareness front of mind. We recommend altering your training program to deliver ‘micro-learning’: bite-sized training sessions of between 5 and 10 minutes, which can easily fit into the working day.
Create a security-aware culture
Enhance phishing awareness in your company by incorporating security updates into your weekly team meetings and/or newsletters. This will highlight the importance of security awareness to your employees as well as encourage senior members of staff to lead by example.
Be specific about your forwarding preferences
There will always be times when an urgent request comes in, and you don’t have time to deal with it. At that point, we recommend you forward any suspicious or urgent emails to your IT administrator or outsourced IT team. You should make this a rule amongst your senior staff.
Your IT provider will have the experience and expertise to differentiate a legitimate email request from a fraudulent one and critically assess such an email. This also takes the pressure off junior members of the team, who are more likely to be eager to please and less likely to be suspicious of a forwarded request.
Deploy the right anti-phishing solutions
In an ideal world, no phishing emails would land in your company inboxes in the first place. While the odd phishing email will always slip through, there are solutions you can deploy that will drastically reduce the volume of phishing emails you receive.
Reduce the Number of Phishing Emails Your Staff Receives
How secure is your network against the newest forms of phishing? Pro Tech Guy can help your Framingham or Natick company with a cybersecurity audit to identify and address any weaknesses.
Contact us today to learn more. Call 508-364-8189 or reach us online.