Email security is one of the most vital parts of any business's cyber protection strategy. In many cases, fooling employees into handing over valuable data or tricking them into downloading malware is one of the most reliable ways for hackers to gain access to a network.
Large businesses can be especially vulnerable to these attacks. It may only take a single person to take a careless action when going through their inbox and you could find yourself facing severe consequences. Therefore, ensuring your teams are educated about the threat of email attacks such as phishing and know what to look out for is essential.
Why you need a strong anti-phishing strategy
According to Verizon, 94% of malware arrives on PCs via email. However, delivering malware such as viruses, ransomware or spyware is far from the only way phishing emails can harm firms.
Another common technique is to direct people to a fake website where they can enter login credentials. These usernames and passwords can then be reused by criminals to gain access to networks. Phishing can even trick users into handing over sensitive data directly, by posing as senior employees requesting information.
While all businesses should have effective antimalware and antispam filters as part of their email defense gateways, you can't rely on these for 100% protection. For example, the BBC deals with 250,000 malicious or spam emails every day, and as it may only take one to cause a major incident, it's vital staff are trained to spot them quickly.
How to spot the telltale signs of phishing
Phishing emails come in a wide variety of forms. While the more obvious attacks may be easy to spot, criminals are using increasingly sophisticated tactics to bypass defenses and reach end-users' inboxes.
Therefore, your staff need to be able to recognize key signs that an email isn’t as it seems. Here are a few things to highlight to prevent employees from interacting with these emails.
1. Be aware of what companies will and won't do
Many phishing emails purport to be from organizations a user already does business with, such as a shipping company, online retailer or bank. It's therefore vital that employees are aware of what firms will and won't ask of them. For example, legitimate firms will never ask for sensitive information such as payment card details to be confirmed or re-entered via email.
Other suspicious activity to be aware of includes unsolicited attachments (for example, 'please find attached your latest statement') or an email directing you to a link that's outside the sender's domain.
2. Spelling or grammar errors
Many sophisticated scammers will put great effort into ensuring their messages look as professional and genuine as possible. However, things like spelling or grammar errors are still a frequent sign a message is fake.
These are often quite subtle - anything obvious is likely to get picked up by your email security software. But things like odd capitalization, punctuation where it isn't supposed to be or unusual phrases may get through. If you're unsure, try reading the email aloud to see if it makes sense, as this can often help you home in on anything that's off.
3. Check URLs and addresses
Many phishing emails try to convince people to follow a link to a data capture form where they'll be able to farm information. But these URLs won't match the legitimate domains of the company - and the same applies to the domain in the sender's email address.
Sometimes this will be more obvious than at other times - for example, domain names that have no connection to the company, or that contain strings of letters or numbers, are easy to spot. At other times, they'll appear to be a very close match at first glance. In this case, look for signs such as top-level domains not matching, or single letters that are out of place.
Often, scammers will try to hide the URLs behind large buttons or hyperlinks, so it's vital employees hover over any link before clicking or, on mobile, hold down the link until a popup containing the URL appears.
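As an added example (not from the original article), the URL and sender-address checks described in this section turned into a small Python helper a defender could run over an incoming message: the allow-list of legitimate domains and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list standing in for the domains your organisation deals with.
TRUSTED_DOMAINS = {"example-bank.com", "example-retailer.co.uk"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def is_trusted(host):
    """True when host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def edit_distance_one(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def classify_host(host):
    """Return None for a trusted host, otherwise a reason matching the signs above."""
    host = host.lower().rstrip(".")
    if is_trusted(host):
        return None
    for d in TRUSTED_DOMAINS:
        if edit_distance_one(host, d):
            return "lookalike of " + d          # a single letter out of place
        if host.split(".", 1)[0] == d.split(".", 1)[0]:
            return "suffix differs from " + d   # e.g. .net where .com is expected
    return "unrelated domain"                   # no connection to the company


def check_email(sender, body):
    """Flag the sender's domain and every link whose host is not trusted."""
    findings = []
    reason = classify_host(sender.rsplit("@", 1)[-1])
    if reason:
        findings.append(("sender", sender, reason))
    for url in URL_RE.findall(body):
        reason = classify_host(urlparse(url).hostname or "")
        if reason:
            findings.append(("link", url, reason))
    return findings


# Constructed sample message for illustration (not a real phishing email).
SAMPLE_SENDER = "alerts@examp1e-bank.com"
SAMPLE_BODY = ("Please confirm your card details at https://example-bank.net/login "
               "or https://secure.example-bank.com/help or http://login-verify.example.org/x")

if __name__ == "__main__":
    for finding in check_email(SAMPLE_SENDER, SAMPLE_BODY):
        print(*finding)
```

Only the link to secure.example-bank.com passes; the sender's lookalike domain, the wrong top-level domain and the unrelated host are each reported with the sign that caught them.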
4. Does the tone seem unusual?
Employees should always be alert to the tone of an email, particularly if it's trying to create a sense of urgency. Phrases like 'act now' or 'immediate response required' are designed to stop you looking at the email too closely to identify any of the above signs.
This is especially important for emails that purport to come from someone within the company. Scammers know many employees will be unwilling to question a request from a senior executive, so pretending to be the CEO and asking junior staff to act quickly is often a great way for them to get a response.
Beyond training - test your employees
It's also essential to remember that simply training your employees to spot these signs isn't enough. If they don't take what they've learned and apply it to their day-to-day work, all your efforts will be for nothing.
The best way to ensure your messaging is sinking in is to regularly test your employees' responses to phishing emails by running your own simulations. Sending test emails that mimic the behavior of real phishing emails lets you see clearly who's following the procedure, who needs extra training and where any gaps lie in your defenses.