It’s 9:05 am and you’re going through emails. You stumble across one from somebody@HR.com and, without really thinking, you open it. It becomes evident right away that this is not a person from your HR department; no one in HR is interested in your database login. This is a poor attempt to phish you, and you delete the offending email with a wry smile on your face. Not today, intruder!
But as the delete button does its work, you look down the hallway and wonder, “Is everyone knowledgeable enough to spot this fake?” And as it dawns on you that even a slightly more advanced phishing email would likely breach your network, you pick up the phone to HR and ask if it has capacity for a new workshop…
What Is Phishing?
Phishing emails are fake emails sent to employees, designed to trick them into disclosing login credentials or clicking a malicious link that installs malware or otherwise compromises their computers. They come in many shapes, and intruders then use the access they gain to breach and compromise your network.
Why Do People Click?
Everybody gets tricked at some point. An email designed to look like company correspondence, or like something of equal importance—a summons from the Supreme Court, say—may not register as suspicious if an employee is distracted. We’re only human, after all.
Often, employees click the link because they’re completely unaware that such an email could be a problem; they don’t know what “phishing” is and don’t know how to protect themselves.
Other times, they are aware of threats but don’t know what to do about them. They have heard that “fake emails” get passed around, but have no experience or training in how to react in such a situation. That’s why awareness and training are linked, but separate, things.
Make Your Employees Aware
Awareness is always the first key. Informative emails—sent from official, legitimate company channels—as well as word of mouth, workshops, and other educational media are important for letting people know that threats exist. Many people will likely think themselves too unimportant to be targeted. Part of the education process should be to teach that intruders can access networks through all kinds of methods, and that who they target often doesn’t matter, so long as they can get your employees’ personal information—or just get them to click a malicious link.
Show an example of a phishing email used against the company in the past; your IT department likely has records. General examples are good, but specific ones related to your company are even better. Remember, though, awareness cannot stand on its own; you’ll need to let your employees practice, too.
Help Your Employees Practice
There’s something to be said for hands-on experience in spotting phishing emails. Some of your employees may be beginners with technology, or perhaps they’re simply trusting people. Actually seeing phishing emails and being able to apply what they learned about spotting them will go a long way toward supporting employees’ ability to recognize them in the future.
A great way to demonstrate phishing is to stage an attack yourself! Work with your IT department to send out a controlled, simulated phishing email—and see who clicks. (This is a great way to fill the attendance list for your first workshop session.) There’s no better argument for education than, “You already failed the test.”
Phishing email attacks are a common occurrence, and not all employees are prepared to spot, deal with, and avoid them. A mock attack combined with an informative workshop and a chance to continually check their skills will help your staff dodge the worst phishing attacks.