There’s a sentiment that has, unfortunately, taken hold in the field of cybersecurity: Users are the weakest part of your environment. You can see why some may try to paint that picture. The statistics would seem to back it up:
- 43% of people have made mistakes at work that have compromised security
- 25% of employees said they have clicked on a phishing email at work
- 74% of breaches involve the human element
However, there’s a deeper truth hiding behind these statistics: It’s not the employees who are the weakest part of your security environment, it’s the training they receive.
In late 2022, Arctic Wolf conducted a worldwide survey of over 700 global IT security decision makers to understand their priorities and anticipated challenges for the year ahead. We discovered that security awareness training still — even after social engineering attacks have wreaked havoc for years — remains on organisations’ “to-do” lists.
Employees can’t be expected to know how to recognise and neutralise social engineering attacks like phishing without the proper training. But with the proper training? Your employees will become your first line of defense, a human firewall protecting your data, your reputation, and your finances. Here, then, are five ways for employees to spot — and stop — a phishing attack.
How to Protect Against Phishing Attacks
1. Keep Your Guard Up
If you receive a message which you find the slightest bit suspicious, don’t confirm those suspicions by engaging with it. When you reply to a phishing message in any way, even to tell them “I know this is phishing,” or “Nice try,” you let cybercriminals know they have your attention.
You instantly become a more active target once you confirm there is a real person at the other end of the inbox, ready and willing to engage. They will focus more energy on you, sending you multiple phishing attempts with ever-more enticing scams to try and trick you into sharing your information.
2. Don’t Trust. Verify.
If you receive a message purporting to be from a co-worker or your boss, don’t just accept the message as genuine.
In today’s interconnected world, it’s all too easy for threat actors to use social media and other publicly posted information like company reports and filings to learn plenty about an organisation’s inner workings, including organisational hierarchy and who reports to whom. Then it’s a simple matter of assuming the role and making the ask, whether it’s to send a payment to a faux third party, open a malicious file, or forward confidential information, to name but a few available routes.
Whenever you receive an unexpected email from a colleague or vendor, verify that the sender is who they are claiming to be by performing a secondary check. Slack your co-worker, knock on your boss’ door, or call your rep at that third-party vendor. Verify they’ve sent that email, and that they are the ones requesting you to take that next step.
3. Check for the Unexpected
When a message you don’t expect, or one you find the least bit suspicious, arrives in your inbox, take a few moments to tick the following boxes:
- Check the address in the From field. Is everything correct? Is that really a W or two VVs?
- Give it a spellcheck. Phishing emails are notoriously rife with misspellings and grammar errors.
- Hover over hyperlinks. Your mail client or browser will show the real destination of the button or link (usually in the status bar at the bottom of the window), which can differ from the text you see. If it looks wrong, it probably is.
4. Go Slow on Mobile
Cybercriminals understand human psychology. They know that we are more prone to errors when we are distracted or multitasking. That’s why phishing attacks will often be launched outside the target’s typical office hours — they’re trying to catch you on your phone.
- In 2022, mobile phishing attempts increased by 50% year-over-year
- 11.8% of enterprise users clicked on six or more malicious links in a single quarter
When checking your email on your phone, give it the same level of focus you would if you were seated at your desk. In fact, give it more. If there’s any email that raises suspicions, save the additional verifications and investigations listed above until you’re back in front of your work monitor.
5. Keep Calm and Email On
When they can’t rely on you to be distracted, they can rely on you to be human. And human actions are run by emotion far more often than logic. Phishing emails play on our emotions by creating a sense of urgency. It could be a notification that you logged in somewhere you didn’t, an offer that sounds too good to be true, a warning that some compromising behavior of yours has been captured on video, a sudden inheritance from someone you’re not related to, or a message from your CEO. Whatever the message itself, they all share a common trait: the clock is ticking.
Any sense of urgency in an email should be treated with suspicion until you’ve followed the other steps above and verified that the email is what it’s claiming to be and is from who it’s claiming to be.
Bonus Step: Work Where They Conduct Security Awareness Training
According to IBM’s 2023 Cost of a Data Breach Report, employee training has been shown to reduce the average breach cost by $232,867 USD.
Continuous security awareness education (meaning a program that is conducted weekly or monthly, not just annually) combined with regular phishing simulations significantly increases the ability of employees to make proactive choices that adhere to more secure standards.
An effective security awareness program will improve and reinforce employee behavior. This has a positive effect on an organization’s ROI, as it not only ensures the organisation performs cybersecurity best practices, but also alleviates the amount they need to spend on cyber threat mitigation.
Discover the value of a security awareness program for your organisation.