Has someone in your company fallen for a phishing scam? If no one has - congratulations - but chances are that your luck won't hold forever.
Phishing is the most commonly reported cyber threat to businesses: in one recent survey, 83% of companies that suffered an attack in the previous 12 months had been hit by phishing. And as widespread as they are, phishing scams are also increasingly costly to deal with: the average cost of a single breach is now put at over $20,000 USD for medium-sized businesses.
A major factor in the success of phishing is how little it takes to attempt it: an email account and a target is all a cyber criminal needs. And because just about every employee now has a mailbox, and with it access to the data criminals are after, every mailbox is a potential way in, which makes keeping your company safe harder than ever.
So, how can you keep your staff from clicking on phishing emails? Don't fret - we've gathered all the information you'll need to keep your data, devices and network safe.
Technical solutions such as spam filters can blitz out the majority of generic phishing emails - but some scams will always slip through the net.
As a bare minimum, enable the phishing detection and filtering built into your email platform. The major email vendors ship anti-phishing controls (spam and malware filtering, link and attachment scanning, and sender authentication checks such as SPF, DKIM and DMARC), and these should be the starting point of your phishing defence.
Beyond the vendor tools, there is a growing market of AI-powered phishing detection products. Depending on your company's budget, they can play a large role in cutting the volume of phishing that reaches your users' mailboxes, though no tool is able to spot every case.
Whichever anti-phishing solution you choose, remember that no software or email policy stops every phishing message from reaching your users' mailboxes. It takes only one successful scam to cost your company thousands in IT time and in repairing its reputation, so you must also address the second factor in stopping phishing: the human element.
Regular staff training on spotting and reporting phishing emails is a requirement to keep your business safe from the number one cyber threat.
Whatever their role and whatever data they can reach, an untrained employee can open a malware-laden attachment or hand over their credentials, giving a cyber criminal a foothold from which to move further into the company network.
Your phishing awareness training needs to teach users the signs of a phishing email, how to report one, and why it matters to them.
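The signs users are trained to spot (a display name that contradicts the sender address, replies diverted elsewhere, a lookalike domain, link text that points somewhere other than where it says, pressure language) are the same signals a mail filter scores mechanically, alongside the SPF, DKIM and DMARC results recorded by the receiving mail server. The script below is an added example, not code from this article or from usecure: it runs those checks over a single raw message using only the Python standard library. PROTECTED_DOMAINS, the weights and the two sample messages (one constructed phish, one constructed legitimate mail) are assumptions made for the example.

```python
"""Heuristic phishing-indicator triage for one raw RFC 5322 message (added example)."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed for the example: your own domain plus brands attackers are likely to imitate.
PROTECTED_DOMAINS = {"example.com", "examplebank.com"}

# Assumed weights; tune against your own mail stream.
WEIGHTS = {"auth": 2, "lookalike_sender": 3, "display_name": 2, "link_mismatch": 2,
           "lookalike_link": 2, "reply_to": 1, "urgency": 1}

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|verify your|suspended)\b", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address-like string, or '' if it has none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str:
    """Protected domain that `domain` imitates, or '' if it is (a subdomain of) one or resembles none."""
    if not domain:
        return ""
    for p in PROTECTED_DOMAINS:
        if domain == p or domain.endswith("." + p):
            return ""
    for p in PROTECTED_DOMAINS:
        label = p.split(".")[0]
        # one or two character edits (examp1e.com), or the brand reused as its own
        # label (example.com.evil.net, secure-example.com)
        if edit_distance(domain, p) <= 2 or re.search(rf"(^|[.-]){re.escape(label)}([.-]|$)", domain):
            return p
    return ""


def analyse(raw: bytes) -> dict:
    """Return {'score': int, 'findings': [(code, detail), ...]} for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender authentication as recorded by *your* receiving MTA (strip inbound copies).
    auth = str(msg.get("Authentication-Results", ""))
    for method, result in AUTH_RESULT.findall(auth):
        if result.lower() != "pass":
            findings.append(("auth", f"{method.lower()}={result.lower()}"))
    if not auth:
        findings.append(("auth", "no Authentication-Results header"))

    # 2. From header: display name carrying a different address, or a lookalike domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain, name_domain = domain_of(addr), domain_of(name)
    if name_domain and name_domain != from_domain:
        findings.append(("display_name", f"name claims {name_domain}, address is {from_domain}"))
    if lookalike_of(from_domain):
        findings.append(("lookalike_sender", f"{from_domain} resembles {lookalike_of(from_domain)}"))

    # 3. Replies silently diverted to a third domain.
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to", f"replies go to {reply_domain}, not {from_domain}"))

    # 4. Links: visible URL text that disagrees with the href, or an href on a lookalike host.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in ANCHOR.findall(text):
        host = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(label)
        if shown and shown.group(1).lower() != host:
            findings.append(("link_mismatch", f"text shows {shown.group(1)}, href goes to {host}"))
        if lookalike_of(host):
            findings.append(("lookalike_link", f"{host} resembles {lookalike_of(host)}"))

    # 5. Pressure language in the subject or body.
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        findings.append(("urgency", "time-pressure or account-threat wording"))

    return {"score": sum(WEIGHTS[code] for code, _ in findings), "findings": findings}


# Constructed sample messages for the example (not real mail).
PHISH = b"\n".join([
    b'From: "it-support@example.com" <helpdesk@examp1e.com>',
    b"Reply-To: recovery@mail-examp1e.net",
    b"To: alice@example.com",
    b"Subject: Urgent: verify your account within 24 hours",
    b"Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com;"
    b" dkim=none; dmarc=fail header.from=examp1e.com",
    b"Content-Type: text/html; charset=utf-8",
    b"",
    b'<p>Your mailbox will be suspended. Click <a href="https://examp1e.com/login">'
    b"https://example.com/login</a> to verify your account immediately.</p>",
])
CLEAN = b"\n".join([
    b"From: Bob <bob@example.com>",
    b"To: alice@example.com",
    b"Subject: Lunch on Thursday?",
    b"Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    b" dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Want to grab lunch Thursday? Menu at https://example.com/cafe",
])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, analyse(raw))
```

Two caveats when adapting this: the Authentication-Results header is only meaningful if your own mail server added it, so the server must strip any copy that arrives on inbound mail (real filters check the authserv-id for this), and the lookalike test is deliberately loose, so a score should route a message to quarantine or to a reviewer rather than delete it outright.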
To increase learning retention and to keep up awareness throughout the year, training should be carried out in regular, easily digestible learning modules.
The traditional approach to security awareness training is an annual lecture backed by a slide deck. Online and video-based programmes that break training into short components personalised to each user's needs are far more likely to improve real-world phishing response.
Carrying out regular phishing simulations on all staff members helps you understand your risk level - but is also a highly effective method in training your users to spot real-world phishing emails in their own mailboxes.
Nothing impresses the threat of phishing on your users' minds more than falling for a simulated phishing email in their own inbox.
Simulating common scams helps your users understand what a real phishing email could look like, and what details they should pay attention to in order to prevent themselves from falling for a real scam.
Your business should address the risk of phishing by making use of the right technical solutions, instituting security awareness training and regular phishing simulations - as well as by reducing the potential impacts of breaches.
There are a number of steps you should consider to ensure that any breach has the minimum possible impact, such as enforcing multi-factor authentication (preferably a phishing-resistant method such as FIDO2/WebAuthn security keys, since one-time codes from SMS or an app can be relayed by a phishing page in real time), limiting employee access to sensitive data, and applying the principle of least privilege across the business.
As an overall strategy, your business should address phishing emails by:
- deploying the phishing filtering built into your email platform and, budget permitting, additional AI-powered detection;
- running regular, bite-sized security awareness training for every employee;
- carrying out regular phishing simulations across all staff;
- limiting the impact of the scam that eventually gets through, with multi-factor authentication, restricted access to sensitive data and least privilege.
Roll out phishing awareness training and automated, real-world phishing simulations to your entire user base in just a few clicks.
Grab your free 14-day trial of the usecure platform - and start saving your business time and money in a matter of minutes.