Companies that want to avoid falling victim to a cyberattack make an effort to train their employees in phishing identification. Phishing remains the main delivery method for all types of malware, and it directly targets human error.
In 2020, 75% of organizations experienced a phishing attack, and 74% of those attacks were successful at their intended goal.
Phishing remains one of the biggest threats to your company’s health and wellbeing. Just one wrong click on an email message can take your company down for days and mean hundreds of thousands of dollars in remediation costs.
In just 12 months, the average cost of remediation for a ransomware attack more than doubled from $761,106 to $1.85 million.
Companies spend time and money improving their employee phishing awareness, so the thought that a business owner or manager could be sabotaging that effort is alarming.
But this happens in offices every day and is the result of being unaware of the risk of forwarding a phishing email to an employee.
Here’s a Common Scenario of How This Sabotage Happens
Hal owns his own business and is getting ready to rush to a big sales meeting when he gets an email that looks to be from the company’s cloud storage provider, warning that account credentials need to be updated or service may be interrupted. It seems a little odd, but he’s in a hurry.
He doesn’t have time to deal with this message right now, so he marks it as high priority and forwards it to his office manager who usually handles vendor accounts. He then heads out the door to his meeting, not giving it another thought.
When the office manager receives the email, he immediately sits up and takes notice for two reasons. One is that it’s from the boss, and the other is that it has been marked as a high priority. There is no other explanation on the email forward.
The office manager, who would normally have examined an email from the cloud vendor more carefully if it had arrived in his inbox directly, doesn’t do that here. The reason is that he sees it as a directive from his boss, not as potential phishing.
That and the fact that it’s marked high priority cause all thought of phishing detection to go out the window, and instead he is focused on taking care of this quickly so he doesn’t get in trouble.
He clicks the link in the email and is taken to a sign-in page that looks familiar, so he signs in and goes to the account administration page. But once there, he doesn’t see any message about what needs to be updated.
Confused, he now calls the cloud company and finds out this email is a scam. He got trapped not only by the phishing attacker but also with an assist from his own boss.
Within seconds of him logging in to the fake page, the attackers launched an automated ransomware attack that encrypted all files in the cloud account and sent a ransom note. A costly lesson for both the business owner and the employee.
How To Improve Phishing Training for ALL Your Staff
Teach the Power of an Email Forward
It’s important to not only teach phishing detection skills during cybersecurity awareness training but to also explain how dangerous it can be to forward a suspicious email.
Forwarding a phishing email lends it another level of trust and legitimacy. The recipient might think the person forwarding it already checked to ensure it could be trusted.
And when someone in a managerial position forwards the email to someone who reports to them, that forward is even more dangerous for the following reasons:
- Employees see the forward as a directive to take action on the email
- Employees don’t want to get in trouble
- Employees want to be seen as being responsive to a request
Include Upper Management in Phishing Training
Phishing emails are often targeted at those with higher-level positions in a company because they will also tend to have more access to company data and systems.
Don’t leave your upper management out of phishing detection training. Teach that they are just as much responsible for learning how to identify phishing and being vigilant about it as any other staff member.
Provide a Safe Place to Forward Suspicious Emails
When the business owner in our story received an email that looked a little strange, he should have forwarded it to the company’s IT provider or IT team instead of to his office manager.
An IT professional can objectively review suspicious emails and let you know whether they are legitimate or a dangerous phishing scam. This is a much safer way to handle emails that look “off” in some way when you aren’t sure about them or don’t have time to review them.
Get Help Warding Off Phishing Attacks
Rocky Knoll Technologies can help your Charlotte area business put security protections in place that reduce the amount of phishing that is delivered to user inboxes and prevent visits to malicious websites.
Schedule a consultation by calling 704.594.7292 or reach us online.