Helping users identify and report suspected phishing emails - Layer Two

Continuing with our series on cyber security, we’ve already covered Layer One - ‘Making it difficult for attackers to reach your users’ as part of the National Cyber Security Centre’s guidance helping organisations protect themselves from cyber attacks.

Here’s a refresher of the 4 layers you need to consider to ensure you are as protected as possible:

1. Making it difficult for attackers to reach your users

2. Helping users identify and report suspected phishing emails

3. Protecting your organisation from the effects of undetected phishing emails

4. Responding quickly to incidents


This blog is going to look at Layer Two - Helping users identify and report suspected phishing emails.


Help your people identify and report suspected phishing emails

Ensuring that your staff have been trained to detect phishing emails (usually a simulation scenario) and empowering them to report them is key to establishing robust anti-phishing protocols. However, it’s important that you don’t rely totally on your workforce to keep your organisation protected. Whilst it’s a necessary aspect of online security, it can’t possibly be the only measure of protection. It’s somewhat unrealistic to expect your people to be the only source of detection and these emails can be so convincing that they’re difficult to spot.


Does your organisation aid and encourage the reporting of phishing?

If not, you should be working towards that end. This arms you with important information as and when an email phishing incident has occurred. It’s important that a culture exists whereby people feel comfortable reporting email phishing (even more so when they’ve clicked on a link), since this will make you aware of the types of threats that are being aimed at your organisation.

Similarly, you will discover the legitimate emails that are being confused with rogue emails and how this could be having an effect upon your organisation.

Ensure there is a clear reporting process so your people know exactly what to do if they fear that a bogus email has succeeded in getting through. Also ensure that when a member of staff reports a phishing email, you assure the individual concerned that it will be dealt with. Communicate quickly, explain what is being done and make clear that their actions are appreciated. It’s important that people are not dissuaded from making future reports because they feel that their efforts are in vain.


Be open and clear

Since phishing emails are so convincing, don’t encourage a blame culture. If someone fails to detect a phishing email, it shouldn’t be a punishable offence. If staff feel that this may happen, they’re less likely to report something similar happening in the future, and that could have harmful consequences if a phishing email goes unreported.

Internally, keep various channels of communication open so people feel they can ask for support when presented with a phishing attack, whether that be through colleagues, teams or message boards.


Be supportive through training

Senior management, including HR, must be totally committed to supporting staff who are more vulnerable (due to the role they perform) in the detection of email phishing. They need to feel confident to report anything that looks dubious and be given extra support if they’re not sure.

Consider which of your departments are likely to be under a higher threat and make them aware how deadly phishing can be. Your customer service desk may receive more unsolicited emails, but a more vulnerable department is likely to be the one that deals with sensitive information, such as your accounts or IT team. Anyone who is given a higher level of access to an organisation’s assets is going to be far more attractive to a hacker.


Do it now!

We’re all human, and when we’re told to do something we usually do it! You can train staff to be vigilant to the urgent CTA (Call To Action) within a phishing email by giving them some examples of this technique. Refer to CPNI’s Don’t Take the Bait! for more information and materials available to help raise awareness.


Phishing simulations don’t make your organisation more secure

Using phishing simulations will not guarantee security. They are popular because the end result is a measurement of some kind, but you need to dig deeper and consider whether the reporting can bring a false sense of security (will a week-on-week comparison of how many staff were duped by a phishing email really tell you anything?). Define what you want to find out and build the simulation around that. More varied training techniques are coming to the fore, which include:

  • Trainees creating their own phishing email
  • Workshops
  • Quizzes
  • Gamification


How do I recognise a dodgy email?

A perfectly reasonable question to ask when they’re so convincing. People will share personal information such as passwords and payment details if the legitimate process can be duplicated by those targeting your organisation. It’s important to review and assess any process deemed open to duplication and adapt it, if necessary. This means staff will be able to immediately detect a phishing email that does not follow the genuine process.


How can people outside your organisation know it’s you?

Don’t be complacent and assume that customers, or indeed anyone who receives an email from your organisation, can tell the difference between a bona fide email and a rogue one. Do the emails you send out make it easy or hard for recipients to make the distinction between the two? It would also be unwise to assume that including identifiable information will be sufficient - this information could already have been stolen or obtained by the people behind the phishing email, so it is no source of validation.

When your emails get delivered to suppliers and customers, are they expecting them, and will they recognise your email address, links etc.? The NCSC suggests you should be completely transparent and quite forthright within your emails so people can trust you are who you say you are and understand the way in which you operate, for example:

  • We will never ask for your password or
  • Our bank details will not change at any point

More importantly, they will spot a phishing email when it hits their inbox.


Ensure familiarity with internal processes

In order to help staff spot anything out of the ordinary, it’s crucial for them to be up to speed with normal organisational processes.


Use second forms of communication

When an email request for action is made, having a follow-up form of communication will help make your organisation less vulnerable to phishers. This can be in the form of:

  • SMS messaging
  • Phone call
  • Logging into an account
  • Confirmation by post
  • Confirmation in person
  • Different login method
  • Sharing files via the cloud (and access-controlled) rather than in attachments


If you would like to know more about how we can help your organisation defend itself against email phishing or security in general, please get in touch with our cyber security team. We’re here to safeguard both you and your staff.

Other articles in the series:

Layer One - ‘Making it difficult for attackers to reach your users’

Protecting your organisation from the effects of undetected phishing emails - Layer Three

Email phishing and why your organisation should protect itself
