Is It Really From The CEO? The Art Of Inspecting Email Sender Addresses

Phishing is one of the most common types of cyber attack targeting businesses worldwide; recent data indicates that cybercriminals send over 3.4 billion phishing emails per day. Many employees are fooled into clicking on or interacting with these messages because the emails appear to come from senior staff or reliable sources. The result is massive financial losses for companies: the FBI estimates that scams using business emails have cost over $43 billion since 2016.

When it comes to this type of scam, no business is safe. Whether it’s a mega conglomerate or a small enterprise, any venture or organization in any part of the globe can become a victim of a phishing attack. If you’re running a business, protect your brand and customers by implementing cybersecurity measures, and train non-technical staff to properly inspect email sender addresses. Learning to recognize threats can be an effective strategy to prevent data breaches and financial losses, and maintain business reputation and customer trust. 

Why is Sender Inspection Training Essential?

Companies frequently become victims of phishing scams through impersonation, in which attackers pose as CEOs, vendors, clients, or trusted brands to steal funds or sensitive data. Even tech giants aren’t immune: both Google and Facebook fell victim to a phishing attack between 2013 and 2015. According to reports, a Lithuanian scammer named Evaldas Rimasauskas set up a fabricated business that posed as another company, Quanta Computer, which actually does business with both Facebook and Google. Rimasauskas and his co-conspirators sent emails with fake invoices to employees of both companies, which led to Facebook losing $99 million while Google lost $23 million. The scam was discovered later, and authorities were able to recover nearly $50 million of the stolen money.

Training employees to inspect email sender information is a must since it enables staff to act as a first line of defense against advanced cyber attacks like Business Email Compromise (BEC). Once cybercriminals gain initial access through phishing, the BEC attack chain begins to play out as they access emails and contact lists, delete responses or move them to other folders, and hide alerts to orchestrate financial crimes. Training can reduce the number of employees falling for such scams, and it also teaches them to stop and analyze instead of responding quickly to fabricated requests. Proper training can also reduce the likelihood of employees opening infected attachments, clicking malicious links, or sharing sensitive information. 

Key Concepts for Training

Your staff doesn’t need to be well-versed in IT to defend your company against cybercriminals. When it comes to guarding against phishing, all it takes are some simple, practical steps that they can follow whenever they’re checking or responding to emails. First, teach employees that the display name can be easily faked. They may think that they’re responding to James Williams, CEO, but clicking or hovering over the name will reveal the sender’s real email address. They should also be taught to be on the lookout for lookalike domains, since scammers can register domain names that look similar to the real ones. Look for misspellings, such as blue@cornpany instead of blue@company, or substitutions like the digit zero in place of the letter O. Staff should also be trained to inspect the domain extension, since there is a clear difference between an email address that uses ‘.net’ and one that uses ‘.com’.

Next, train employees on suspicious requests. Sometimes an attacker may use a legitimate-looking email address but ask recipients to send replies or information to a different address. Employees should also be wary if they get an unexpected, urgent request from management, executives, or IT to send credentials or transfer money, even if the name and email address seem correct. If an email seems even slightly suspicious, instruct staff to verify by calling the sender or sending an SMS message before taking action.
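The sender checks described above (display name versus real address, lookalike spellings such as "rn" for "m" or "0" for "o", a different domain extension, and a Reply-To that points somewhere else) can be automated so that a mail gateway or a help desk tool flags the same red flags staff are trained to spot. The following is an added example, not code from the original article; the trusted domain list, the homoglyph table and the sample messages are constructed for illustration, and the `.example` and `.biz` addresses are placeholders rather than real senders.

```python
"""Sender-header red-flag checks (added example; sample messages are constructed)."""
from email import message_from_string
from email.utils import parseaddr

# Lookalike sequences attackers swap into domain names (constructed, not exhaustive).
# Multi-character sequences are folded before single characters so "rn" becomes "m".
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case a domain and fold lookalike sequences into their canonical letters."""
    d = domain.strip().lower().rstrip(".")
    for seq in sorted(HOMOGLYPHS, key=len, reverse=True):
        d = d.replace(seq, HOMOGLYPHS[seq])
    return d


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def inspect_sender(raw_message: str, trusted_domains) -> list:
    """Return a list of red-flag strings for the From/Reply-To headers of one message."""
    msg = message_from_string(raw_message)
    trusted = {t.lower() for t in trusted_domains}
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. A display name that itself looks like an address: only the real address counts.
    name_domain = domain_of(display_name)
    if name_domain and name_domain != from_domain:
        flags.append(f"display name shows {name_domain} but message is from {from_domain}")

    if from_domain and from_domain not in trusted:
        f_label, _, f_ext = from_domain.rpartition(".")
        for t in sorted(trusted):
            t_label, _, t_ext = t.rpartition(".")
            # 2. Lookalike spelling of a trusted domain (cornpany.com, c0mpany.com).
            if normalize(from_domain) == normalize(t):
                flags.append(f"lookalike of trusted domain {t}: {from_domain}")
            # 3. Trusted label with a different extension (company.net vs company.com).
            elif f_label == t_label and f_ext != t_ext:
                flags.append(f"trusted label {t_label} with unexpected extension .{f_ext}")

    # 4. Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    return flags


# Constructed sample messages (not real mail) so the checks can be run offline.
TRUSTED = ["company.com"]
SAMPLE_MESSAGES = {
    "legit": "From: James Williams <james.williams@company.com>\nSubject: Q3 numbers\n\nAttached.\n",
    "lookalike": "From: James Williams CEO <james.williams@cornpany.com>\nSubject: Urgent wire\n\nToday.\n",
    "extension": "From: James Williams <james.williams@company.net>\nSubject: Invoice\n\nSee below.\n",
    "reply_to": "From: IT Support <support@company.com>\nReply-To: helpdesk@c0mpany-support.biz\n"
                "Subject: Password reset\n\nReply with your password.\n",
    "display": 'From: "ceo@company.com" <ceo@company-mail.example>\nSubject: Hi\n\nCall me.\n',
}


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, "->", inspect_sender(raw, TRUSTED) or "no red flags")
```

The normalization table deliberately folds digits into letters, so a legitimate brand that contains a digit would need its own entry in the trusted list; treat the output as a prompt for the human verification step the article recommends, not as a verdict.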

Also, train employees to slow down and not be pressured by urgent or persistent requests. If they get an email urging them to send credentials or money quickly, this should be considered as a potential red flag, and the email should be reported right away to IT staff. After training, run regular phishing simulations to see if staff have learned all the key concepts, and follow up with immediate, short training sessions if any of them clicked on a fake link. 

Train your staff to be your company’s first line of defense against phishing attacks. Instruct them on the proper ways to inspect email sender addresses, and build a culture of cybersecurity awareness to protect your business.
