getty
In any cybersecurity strategy, accounting for human error is essential. By some estimates, phishing attacks—in which a bad actor attempts to elicit personal information from a target using deception—account for roughly 90% of business security breaches.
With the volume and sophistication of phishing attacks increasing year over year, businesses need to continuously educate their employees—and leaders—on how to spot and handle them. Below, 20 members of Forbes Technology Council share essential lessons and principles about phishing that companies should share with their team members and leadership group.
1. Attackers Often Seek To Mimic Authentic Organizations And People
Spear phishing is one of the most common phishing attacks today. Attackers may mimic an authentic organization, such as a third-party partner, or an individual, such as another employee. For example, an employee may receive a phishing email in which an attacker pretends to be the CEO and requests sensitive company information, credentials or money transfers. - Gene Fay, ThreatX
2. Phishers Can Find A Lot Of Information Online
It’s important to understand that there’s a wealth of personal and organizational information available through search engines, social networks and trade resources. Phishers often use social media and company websites to gather personal information—information that helps them craft incredibly branded, personalized attacks that can cause recipients to lower their guard and provide a quick response. - Dustin Verdin, Zipline Logistics
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
3. Be Wary Of Email Spoofing
One common phishing attack is email spoofing. This occurs when an attacker sends an email that appears to come from a trusted source. These emails often contain convincing logos, sender names and content, and the goal is to deceive recipients into clicking on malicious links, downloading malware or providing sensitive information. - Anne Lise Waal, Aiba
4. Don’t Let Yourself Be Rushed
Phishing scams often rely on urgency. The malicious message will give you a time-bound reason to log into a trusted platform, such as, “Log in to confirm your account within 24 hours or it will be deactivated.” Don’t allow yourself to be rushed; when in doubt, take the time to access your account through the login page, never the link in the email. - Daniel Chong, Harpie
5. Always Examine Domain Names In Email Links
Companies must educate their employees on how to handle potential phishing emails. For example, many phishing emails impersonate businesses (such as LinkedIn, Twitter and so on) or individuals (such as a colleague, superior or acquaintance). Always examine domain names in email links before clicking on them. Be especially cautious if the email or the subsequent website requests personal information or money. - Tim Liu, Hillstone Networks
6. Phishing Also Happens Via Text Messages
It is important for businesses to educate their team members about “smishing”—that is, text message phishing. Though preventing these scams completely isn’t possible, there are simple solutions for blocking and reporting these types of threats. However, it is most important that organizations take the first step: educating employees that smishing exists. - Miles Ward, SADA
7. Don’t Automatically Trust Messages ‘From A Boss’
Many phishing attacks use hierarchical leverage, with the attacker impersonating someone in a higher position in the organization than the recipient. It can be a highly effective method for a threat actor to elicit quick, near-automatic responses from employees. - Tim Femister, NetXperts
8. Protect Your Microsoft 365 Account
The most sought-after credentials by cyber threat actors are those for Microsoft 365 accounts. Phishing attacks commonly try to gain these credentials, usually via a password reset or account confirmation request. Businesses should educate their teams that these emails try to communicate a sense of urgency that an account will expire or be deleted or that there will be some other dire consequence if action isn’t taken. - Andrew Hollister, LogRhythm
9. Work Closely With The Security Team
Threat actors increasingly rely on social engineering to penetrate an organization’s security systems. Employees must operate with due diligence when interacting with any suspicious email, phone call, text or other form of communication. Bad actors rely on employees being the weakest link. It’s vital that you work closely with your security teams and always practice good cyber hygiene. - Kevin Lynch, Optiv
10. Ensure Names And Email Addresses Match Up
The biggest red flag for any employee should be when they are contacted via an email address that has not been used to contact them before. Regardless of the type of phishing attack, ask everyone to simply check that the name and email address tally. Back this up with “white hat” phishing campaigns of your own. - Martin Taylor, Content Guru
11. Even Emails With ‘Personal’ Touches Could Be Phishing Attempts
Today, elaborate attacks include emails that seem as though they come from your co-workers, asking for approval for things that might seem common. These emails are often friendly, include “personal” touches and, in many cases, seem legit. Using artificial intelligence capabilities, attackers are perfecting their techniques, and “time sensitive” requests make them very effective. The solution? Always double-check a request with a phone call. - Ophir Katzir, senseIP
12. Avoid Opening Email Attachments And Links
The problem is that with AI, phishing attacks not only look like legitimate emails, they are created from legitimate emails. This means it is almost impossible to rely on awareness to prevent phishing. Phishing attacks are successful because organizations allow emails to contain attachments and embedded links. Until those are removed, no amount of awareness will stop advanced phishing attacks. - Eric Cole, Secure Anchor Consulting
13. ‘Vishing’ Is On The Rise
While much attention is focused on phishing through email and text, voice phishing (a.k.a. “vishing”) is on the rise. Human-to-human voice contact has a very high power of persuasion. Awareness training is essential, but for added protection, it should be combined with modern technical solutions designed to detect tell-tale call behaviors that indicate the presence of a vishing probe. - Roger Northrop, Mutare, Inc.
14. Watch For Unexpected Messages Or Emails From Vendors
Vendor email compromise is a subset of the traditional business email compromise scam, where attackers impersonate vendors to request fraudulent wire transfers or payment of fake invoices. They are highly successful as they exploit trusted vendor-customer relationships. Further, because discussions with vendors often involve payments, it becomes harder to catch attacks that mimic these conversations. - Mike Britton, Abnormal Security
15. Notify IT About ‘Account Termination’ Messages
One of the most common tech concerns is phishing linked to account termination. Employees will receive a message that says a business or personal account is set to expire shortly and credentials or credit card information are needed to continue services. Employees should always report these messages to their IT teams, as most successful breaches start with this type of deceptive notification. - Danny Allan, Veeam Software
16. Deepfakes Are Increasingly Believable
With generative AI being easily accessible, deepfakes are increasingly believable. From emails to texts to phone calls, bad actors can create near-perfect imitations that can fool even the most experienced professionals. Employees need to be aware of and educated on these attacks, but CISOs need to be equipped with passwordless and high-assurance, identity-based approaches to ensure the safety of their data. - Anudeep Parhar, Entrust
17. Senior Executives May Be Targeted
One common high-risk phishing technique is “whale phishing.” It targets senior executives, potentially granting attackers valuable access to financial resources and entire networks. Assumptions of high-level protection can be deceptive; there’s no such thing as 100% awareness. Businesses must prioritize comprehensive cybersecurity training across all levels of the organization. - Almog Apirion, Cyolo
18. There Are Many Ways To Learn More About Cybersecurity
It is always important for organizations to continuously raise awareness about cybersecurity incidents, phishing and any malicious activities that employees report. Several methods can be used for this purpose, including e-learning, lectures by security experts, phishing drills and allowing employees to communicate the company’s legal obligations and risks associated with noncompliance. - Meiran Galis, Scytale
19. Real-World Simulations Can Hone Employee Awareness
Cybercriminals are using AI to make phishing emails appear more realistic than ever before, significantly increasing the chances of victims clicking malicious links or opening attachments. Organizations should deploy real-world simulations to help test employee awareness of and vigilance about phishing threats and to help train and reinforce proper practices when users encounter targeted attacks. - Michael Xie, Fortinet
20. Always Report Phishing Attempts (Including Successful Ones)
Users need to feel safe. They need to know that they can report phishing attempts without any sort of negative impact, including if they may have fallen victim to an attack. Quick detection and response is key to removing attackers from the environment and preventing a (more significant) breach. - Tim Medin, Red Siege
