
Emma Woods

An IT Manager's Guide To Preventing Employee Phishing Attacks

In our working days, it can be difficult to fully concentrate on tasks 100% of the time, especially when churning through a backlog of emails. 

The truth is, many of us believe we can spot the signs of a fraudulent email without actually knowing what the real signs are. Simply knowing not to interact with an email that asks for personal information isn't enough to avoid a phishing scam - especially as these attacks become more and more cunning.

91% of phishing emails are spear phishing attempts.

From the automated ‘mailer’ technique of sending a high volume of emails to the more susceptible users, to the more direct technique of ‘spear phishing’ a specific individual of importance to an organisation, all of us have the potential to take the bait. That is why spotting the warning signs of a phishing attempt is so important.

So, to get you started, we've put together a guide that covers:

1. How to spot phishing emails

2. How to prevent phishing attacks

3. How to report a phishing scam

Chapter 1: How To Spot Phishing Emails

-Be smart and vigilant

It is hard to concentrate fully for the whole working day, especially when churning through a backlog of emails. But when you receive an email asking for personal information, it's time to be smart.

156 million phishing emails are sent every single day.

Legitimate organisations, banks especially, should never request sensitive information via email. If you are suspicious of an email, contacting the original sender directly is a good option. Looking out for ‘red flags’ or warning signs is another good technique. If the email asks for information such as your password, report it to your IT department.

-Don't give in to scare tactics

Phishers want you to react quickly - and they have a range of proven techniques to make you do so. Scare tactics, such as threatening to disable an account or delay a service until you update certain information, can make an employee hand over personal information unwittingly in a moment of urgency. Fraudulent emails that appear to come from your IT support team asking you to change your password are a common example.

Be sure to contact the merchant directly to confirm that the request is genuine, and raise the issue with IT if your suspicion grows.

-Look out for spelling and grammar mistakes

Employees are common targets for attackers, and they will remain so for as long as they keep reacting to phishing emails and handing over their information.

Most phishing emails contain blatant indications of being fake. Their punctuation often differs from that of legitimate emails: typos, excessive exclamation marks (especially in scare tactics) and runs of capital letters all suggest that the message might not come from an authentic source.

Even the way the email greets you can be a suspicious sign. Common examples are ‘Dear Sir/ Madam’ and ‘Dear Customer’, generic greetings that reveal the sender does not have personal details such as your name.

Although many of these mistakes are genuine errors by the attackers, some are intentional: they help the message slip past spam filters, improve response rates and weed out the more savvy recipients who are aware of such scams.

-Look out for dodgy links or attachments

Never use a link in an email to reach a website unless you are absolutely sure it is authentic. Instead, open a new browser window and type the URL directly into the address bar. A phishing website will often look identical to the original, so check the address bar to make sure you are on the genuine site.

In some phishing emails the displayed URL will look legitimate; hovering your mouse over the link will show you the real address. If that address is different from the one displayed, there is a high chance it's a phishing email.

As well as dodgy links, some phishing emails contain attachments that the message asks you to open or download. These attachments can carry various types of malware that can harm your device and steal your personal data.

-Watch out for pop-ups

Pop-up phishing involves fraudulent messages that "pop up" whilst you surf the web. Phishers infect legitimate, well-known websites with malicious code that causes pop-up messages to appear when someone visits the site.

The pop-up usually presents the visitor with a fraudulent warning, typically about the security of their device. The aim is to prompt the visitor to download a tool "to fix the problem"; these tools are usually presented as antivirus applications or firewalls. Once the visitor downloads the tool, their device becomes infected with some form of malware.

Malware-tips has a great blog post on "How to remove tech support scam popups".

-Common phishing phrases

Hackers use scare tactics to push their victims into taking immediate action and giving away their credentials. Although some phishing emails look almost legitimate, a few phrases appear in them again and again.

Top phrases used by phishers:

"Click here to update your information"

"your account has been deactivated"

"Click here to open your document"

"We need to verify your account"

"If you don't respond immediately, your account will be closed"

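The hover check and the common phrases above can be turned into a simple indicator scanner for an HTML message body. This is an added example, not code from the original post or from usecure; it compares full hostnames (not registrable domains), matches the post's phrases literally, and uses constructed placeholder domains in SAMPLE.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Phrases quoted in the post, lower-cased for matching.
URGENCY_PHRASES = ("click here to update your information", "your account has been deactivated",
                   "click here to open your document", "we need to verify your account",
                   "if you don't respond immediately, your account will be closed")
GENERIC_GREETINGS = ("dear sir/ madam", "dear sir/madam", "dear customer")
# Link text a reader would take for an address: a URL or a bare domain name.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    # Lower-cased host of a URL or bare domain, or None if there is none.
    host = urlparse(value if "://" in value else "http://" + value).hostname
    return host.lower() if host else None


def find_indicators(html):
    """Return human-readable indicator strings found in one HTML message."""
    collector = LinkCollector()
    collector.feed(html)
    text = re.sub(r"<[^>]+>", " ", html).lower()
    found = [f"urgency phrase: {p!r}" for p in URGENCY_PHRASES if p in text]
    found += [f"generic greeting: {g!r}" for g in GENERIC_GREETINGS if g in text]
    for href, shown in collector.links:
        # The hover check from the post: the address shown differs from the real one.
        displayed = host_of(shown) if DOMAIN_LIKE.match(shown) else None
        if displayed and (real := host_of(href)) and displayed != real:
            found.append(f"link text {displayed} points to {real}")
    return found


SAMPLE = (  # constructed message with placeholder domains, not real indicators
    '<p>Dear Customer,</p><p>We need to verify your account. '
    '<a href="https://secure-login.evil.example/x">https://bank.example/login</a></p>'
    '<p><a href="https://bank.example/help">Help centre</a></p>')
```

Calling find_indicators(SAMPLE) raises three indicators for the constructed message; a real mail-gateway check would also need to handle plain-text bodies and redirecting tracking links.
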
14.5 billion spam emails are sent every day.

Chapter 2: How To Prevent Phishing Attacks

-Enable spam filters

One simple but effective way to prevent phishing emails is to use a good spam filter in your email system.

The spam filter will filter out spam, including phishing emails, although some phishing emails can still make it into your inbox.

Since most phishing emails share specific characteristics, it's easy for the spam filter to identify them before they even reach your inbox. The most advanced spam filter is Gmail's, and it's very easy to enable spam filtering on Gmail:

Go to Settings (in the top right-hand corner) > then click Account and Import > click Send Mail > fill in the details in the pop-up box and follow the instructions.

Enabling this will not only help prevent phishing emails but also give you a rich interface for your email address.

-Implement 2FA and MFA

Using a strong password to protect your accounts will simply not cut it. Cyber security threats continue to grow in variety and sophistication, which is why it's crucial to do whatever you can to protect your data.

You might not realise it, but most people already use 2FA regularly. For example, when swiping your debit card you are asked to enter your PIN code or write a check. Two-factor authentication requires you to prove your identity in two different ways.

As well as 2FA, multi-factor authentication (MFA) adds a further layer of security to your online accounts. Instead of requesting two forms of verification, MFA will request 3-4 types of authentication, such as:

-PIN code

-Security question

-Thumb scan

-Password

-SMS code

-Run regular phishing simulations in your business

Phishing your own employees is one of the most important ways to combat the threat of phishing. With email being the main channel of business communication these days, it's a favourite target for cyber criminals.

Many organisations invest heavily in tools and other technology. That is a great way to protect devices, but devices are not the weakest link in the security chain... your employees are.

Phishing your employees has numerous benefits. It allows you to locate individual knowledge gaps and gives you a clear insight into how vulnerable your organisation actually is.

Phishing simulations bring the threat home to your employees and, almost unconsciously, create a mindset that scrutinises emails before taking action.

We have a free phishing tool that enables you to launch your own phishing simulation with ease and track your users' open and click rates.

-Regular backups and updates

Backing up your data makes it a lot easier to retrieve. Regular backups have multiple benefits; the most obvious is being able to recover your data in the event of a breach. With cyber security threats constantly evolving, backing up your systems on a regular basis is incredibly valuable.

As well as helping you recover your data, backing up adds an extra layer of security: with remote data backup, a copy of your data is stored in a secure, separate location.

Keeping your software up to date is another crucial element of strong security. Security updates close known vulnerabilities, and up-to-date software keeps your users' systems running smoothly and less prone to crashing. Updates also bring new features and services that can offer great value to your organisation and employees.

Only 50% of SMBs are confident their data is backed up.

-Educate your employees

As well as running phishing simulations, another way to protect your business is to educate your end users on how to spot and prevent phishing scams. To do this you will need a good security awareness platform that educates your end users not only on phishing but on the many other cyber security topics, such as:

-Ransomware

-Social engineering

-Malware

-Remote working

-BYOD

These are only a few of the key topics your end users should be educated on. A good security awareness program will cover all the essential topics and explain what the risks are and how to prevent them. We have a free trial of our security awareness platform that can give you a true insight into the knowledge gaps in your business.

Chapter 3: How To Report a Phishing Scam

If you or your employees do fall for a phishing scam, the best thing you can do is report it.

To report a phishing scam in the UK, go to:

https://www.actionfraud.police.uk/report-phishing

When you open the website, the reporting page shown below will appear:

[Screenshot: How to report a phishing scam]

Dealing with the repercussions of a phishing attack is not only very time consuming but equally costly. One careless click has the potential to destroy an entire company. It is extremely important for your employees to understand how severe the consequences of a phishing attack can be and what they can do to prevent one. We have a free phishing awareness kit that can help improve phishing awareness among your employees and prepare them for attacks in the future.