How to Prepare Your Employees for Phishing Attempts

Phishing Attempts

In the past year, 61% of small and medium-sized businesses have reported at least one cyber attack. In this climate, phishing awareness plays an important role in ensuring employees remain on high-alert and understand that today’s cyberattacks no longer come exclusively by anonymous email. As this threat landscape continues to evolve, you need to know how to prepare your employees for phishing attempts.



How Does Phishing Work?


Cybercriminals are highly intelligent and engage in sophisticated attacks. They might send an email that impersonates a known brand or an associate, or use social engineering tactics to create a heightened sense of urgency that leads employees to click on a link or download a file.


The links traditionally lead to a malicious website that either steals credentials or installs malicious code on the user’s device. The downloads, usually PDFs, carry malicious content that installs the malware once the user opens the document.


What to Look for in a Phishing Email


While security professionals understand the elements of a phishing email, every employee must know when not to open an email to keep the organization protected. Whether your business engages a specialized firm to deliver customized cybersecurity training for employees, or you develop those materials and classes in-house, the training should cover the following:


  1. Define phishing in all of its forms, including spear-phishing, which targets specific people, and whaling, which targets those in positions of power
  2. Explain what happens when a phishing attack succeeds and the financial costs it incurs
  3. Provide examples of the types of subject lines cybercriminals use to increase email open rates
  4. Teach employees to look for clues, such as grammar or spelling errors and attempts to instill a sense of urgency
  5. Point out emails with hyperlinks embedded in the text that lead to sites bearing a close resemblance to legitimate sites
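As an added example (not part of the original article), a small Python checker for the last point: it pulls every link out of an HTML email body, flags links whose visible text names a different host than the real destination, and flags destinations that are look-alikes of the organization’s own domains. The trusted-domain list and the sample email are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: the organization's own legitimate domains (constructed for this example).
TRUSTED = ["example-bank.com", "example.com"]

# Constructed sample body: one honest link, one text/destination mismatch,
# one trusted name buried in a foreign host, and one typo-squatted domain.
SAMPLE_EMAIL = """
<p>Your statement is ready: <a href="https://www.example-bank.com/statements">view it</a>.</p>
<p>Confirm now: <a href="http://secure-login.example-bank.com.verify-acct.net/x">www.example-bank.com</a></p>
<p>Or <a href="https://example-bank.com.verify-acct.net/login">click here</a> within 24 hours.</p>
<p>Support: <a href="https://exarnple.com/help">help desk</a></p>
"""
# Simplified anchor extractor: good enough for demo bodies, not a full HTML parser.
_ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(s):
    # Hostname of a URL, or of a bare domain shown as link text.
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def _edit_distance(a, b):
    """Levenshtein distance; 1-2 between two domains usually means a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _domain_reason(host):
    if any(host == g or host.endswith("." + g) for g in TRUSTED):
        return None  # genuinely one of ours
    for g in TRUSTED:
        if g in host:  # trusted name used as a subdomain of a foreign domain
            return f"trusted name '{g}' embedded in untrusted host"
        if _edit_distance(host, g) <= 2:
            return f"look-alike of trusted domain '{g}'"
    return None

def suspicious_links(html):
    # Returns (visible text, href, reason) for each link an employee should not click.
    findings = []
    for href, raw_text in _ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", raw_text).strip()
        host = _host(href)
        shown = _host(text) if "." in text and " " not in text else ""  # text that looks like a domain
        if shown and not (host == shown or host.endswith("." + shown)):
            findings.append((text, href, "visible text names a different host than the real destination"))
        elif (reason := _domain_reason(host)):
            findings.append((text, href, reason))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the last three links and leaves the genuine statement link alone; the same three clues are what the training should teach employees to spot by eye.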


Did the Training Work?


Finally, you’ll want to determine whether the training was successful with your employees. To do this, present emails and ask employees to classify them as legitimate or suspicious. Ideally, this test should require employees to circle every issue they see on paper, or click on each issue on screen. Either way, to make it more realistic, limit the employee’s review to five to seven seconds, which is typically the time individuals spend deciding whether to open an email.


To make sure cybersecurity training for employees sticks, continue to share examples of phishing emails on the IT department’s intranet site, department newsletters, or on posters in break rooms. And since cybercriminals’ tactics are ever-evolving, require employees to participate in phishing awareness training at least on an annual basis.


Cybersecurity under control? Now call Assured Protection to help with your site protection!


Whether you need around-the-clock protection, lobby security, or mobile patrol services, Assured Protection can help. We’ll meet with you to assess your concerns and needs, then present you with a customized plan. With almost unlimited options – from unarmed to armed security specialists, along with off-duty law enforcement officers – we’ll keep your property, and your people, safe. Give us a call at 443-281-8391 to get started.