Employees are the greatest asset in any company. Unfortunately, when it comes to cybersecurity, they can also be your biggest vulnerability. No matter the size or scope of your business, the people who work for you could be a threat to the safety of your company’s sensitive data and that of its clients. Fortunately, there are steps you can take to train your personnel and mitigate cybersecurity risks.

Employees & Cybersecurity: What You Should Know


One of the easiest ways for bad actors to gain access to your business network is through the channel your employees use most often: email. Specifically, cybercriminals often use phishing emails to dupe well-intentioned employees into giving away passwords or otherwise granting access to private networks and accounts. These emails are becoming increasingly sophisticated, which makes them harder to spot.

With a trained eye, however, phishing emails can be identified, and the efforts to gain access to sensitive data can be thwarted. Employee cybersecurity training should be an ongoing effort – not just a one-time event – but here are some tips to bear in mind as you guide your workforce on what to look for in suspicious emails.

Employee Training Tips for Phishing Emails

  1. Watch for Variations in Email Addresses

It’s become exceptionally difficult for email users to spot illegitimate email addresses, because hackers have begun using tactics like display name spoofing and cousin domains. Train your employees to be extremely detail-oriented when watching for these issues.

With display name spoofing, the cybercriminal sets the display name to a legitimate-looking name or address, such as support@microsoft.com, even though the actual sending address is something completely different. For example, it might be some combination of letters and numbers from a Yahoo or Gmail account. This tactic is especially effective when recipients read email on a tablet or smartphone, where the sender’s actual address is usually hidden and only the display name is shown. Some email platforms and security tools can pick up on these bogus accounts and flag them. Still, it is important to train employees to check the sender’s actual address before opening a new email that isn’t part of an existing thread.

With cousin domains, the email is sent from an address that is almost identical to a legitimate one. For example, an “O” might be replaced by a zero, or the domain might end in “.co” instead of “.com.” Although the difference is easy to miss, a critical eye should be able to spot this kind of phishing attempt.
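The two sender checks described above, display name spoofing and cousin domains, can be automated as a triage aid for whoever reviews reported emails. The Python script below is an added example, not code from the original post or from IT ArchiTeks; the trusted-domain list, the homoglyph table and the sample From: headers are constructed for illustration.

```python
"""Sender checks for display name spoofing and cousin (look-alike) domains.
Added example, not part of the original post; TRUSTED_DOMAINS, HOMOGLYPHS and
the sample From: headers are constructed for illustration."""
from email.utils import parseaddr

# Domains this (constructed) organisation trusts: its own plus key vendors.
TRUSTED_DOMAINS = {"example.com", "microsoft.com"}

# Substitutions commonly used to build look-alike names, applied left to right.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def is_trusted(domain, trusted=TRUSTED_DOMAINS):
    """True for a trusted domain or any subdomain of one (mail.example.com)."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def normalize(label):
    """Undo homoglyph substitutions so 'micr0soft' and 'rnicrosoft' read 'microsoft'.
    Deliberately aggressive: a legitimate 'barn' also becomes 'bam', which only
    matters if a trusted name happens to collide with the result."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance; used to catch one-character typos such as 'microsft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cousin_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.
    Trusted domains and their subdomains are never reported as cousins."""
    domain = domain.lower()
    if not domain or is_trusted(domain, trusted):
        return None
    labels = domain.split(".")
    # Label just left of the TLD; good enough for .com-style names and
    # intentionally naive about two-part suffixes such as .co.uk.
    sld = labels[-2] if len(labels) > 1 else labels[0]
    for t in trusted:
        tname = t.rpartition(".")[0]
        if tname in labels:                 # example.co, example.com.evil.net
            return t
        if normalize(sld) == tname:         # micr0soft.com, rnicrosoft.com
            return t
        if levenshtein(sld, tname) == 1:    # microsft.com, microsofft.com
            return t
    return None


def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return a list of findings for a From: header; an empty list means clean."""
    findings = []
    display, addr = parseaddr(from_header)
    addr_domain = addr.rpartition("@")[2].lower()
    if is_trusted(addr_domain, trusted):
        return findings
    # Display name spoofing: the visible name carries an address or a trusted
    # brand while the real address belongs to some other domain.
    display_l = display.lower()
    if "@" in display_l or any(t.rpartition(".")[0] in display_l for t in trusted):
        findings.append("display_name_spoofing")
    cousin = cousin_of(addr_domain, trusted)
    if cousin:
        findings.append("cousin_domain:" + cousin)
    return findings


if __name__ == "__main__":
    # Constructed sample headers; display names are quoted as a real header would be.
    samples = [
        '"support@microsoft.com" <jx8821lk@gmail.com>',
        "Microsoft Support <alerts@micr0soft.com>",
        "IT Helpdesk <helpdesk@example.co>",
        "Jane Doe <jane@mail.example.com>",
    ]
    for s in samples:
        print(s, "->", check_sender(s) or "clean")
```

The edit-distance rule is the noisiest of the three and will mis-fire on short trusted names; in practice the trusted list is kept to the organisation’s own domains and a handful of vendors, and the output is a prompt for a human to look at the header, not an automatic block.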

  2. Be on the Lookout for Peculiar Subject Lines

In addition to the tactics described above, would-be hackers use specific subject lines in the hope that recipients will look past a bogus email address and open the message quickly without thinking. To do so, they use wording that demands immediate attention: phrasing such as “Urgent – open ASAP,” subject lines written entirely in capitals, or promises of rewards like free gift cards. If a subject line seems off, chances are the email is not legitimate. Educate employees on the phrasing that is and isn’t likely to be used in internal communications so they can tell more easily when an email seems concerning.

  3. Take Note of Strange Wording or Requests

While there are undoubtedly cybercriminals located in the U.S., some attempt to hack businesses from other parts of the world. English may be their second language, and this may show in the phrasing they use in their email. If any wording seems unnatural – for instance, if someone signs off with “Kind regards,” which is uncommon in American English – take note. It never hurts to flag the email and alert the appropriate parties to investigate further.

On the other hand, the email may be well-worded but carry suspicious requests. It should be corporate policy that no one ever requests passwords, payment information, or any other sensitive data online that could be compromised by third parties. If a sender asks you to provide confidential client or company information – and especially if they claim to need the details urgently – beware.

  4. Don’t Be Fooled by Logos & Signatures

Email signatures and company logos can be copied to perfectly replicate what you see in legitimate company emails. If you’ve spotted any of the concerns above but the email still looks official, don’t be fooled by appearances. Encourage employees to elevate the matter through the appropriate channels.

  5. Be Extra Wary of Links & Attachments

Phishing emails always contain a link, and sometimes that link is deceptive. For example, a phishing scam may arrive as a request to reset your password. The link in the email sends you to a site where you enter your credentials, and at that point the hacker has effectively gained access to your data. Make sure your employees know that it is unusual to receive such requests via email. Additionally, encourage them to hover over a link with the mouse to preview its real destination before clicking on it.

While employee training can go a long way in preventing phishing attacks, it isn’t completely foolproof. IT ArchiTeks offers comprehensive cybersecurity solutions to protect your company against phishing attacks and other types of cybercrime. Contact our team to discuss your business’s needs today.