Teach Employees to Avoid Phishing

Phishing happens when attackers convince victims, like small business owners and their employees, to interact with harmful links, emails or attachments that could give hackers access to information or infect devices with malware.  

In fact, most successful online attacks begin when someone clicks and downloads a malicious attachment from an email, direct message or social media post. Criminals can use stolen credentials to log into sensitive accounts to access data or money. Phishing can also result in an employee unwittingly downloading malware that damages systems or installs ransomware that holds systems captive.  

Small and medium businesses are at risk of phishing attempts and often have fewer resources to prevent attacks than larger organizations. The good news is that many security breaches are avoidable if people are trained to spot and avoid phishing messages.  

Are you training your employees to spot phishing and take steps to protect access to their devices? A well-trained workforce can learn how to spot common phishing signs and prevent attacks.  

With modern technology and social engineering tactics, it’s becoming harder to identify phishing attempts because they may include information that makes the message seem legitimate. Employees should be trained to look for basic signs of phishing emails such as strange or unexpected requests, often using alarming language or urging immediate action. Check the email address for validity, but also remember to think about whether the request seems legitimate. The email could be sent from a seemingly known entity whose account was compromised.  

Malicious actors are improving their techniques all the time, so employees need to repeat training at regular intervals to learn about the latest scams and how to respond to suspicious communications.  Regularly review common signs of phishing so employees are familiar with what to look out for. 

If employees know how to recognize strange behaviors, this can provide organizations with early warning for malicious code or malware and give them a better chance at fighting such attacks. Threat literacy training helps by educating individuals on the various ways that bad actors infiltrate the organization (e.g., through websites, emails, scam alerts and social engineering). Effective training includes techniques for recognizing suspicious emails, web communications and the potential targeting of individuals at home. 

You don’t have to create anti-phishing training materials from scratch. Your IT provider, professional/industry organization or a nonprofit may have ready-to-use materials available at no cost. CISA offers many free resources for small and medium businesses. (See below.) 

Ask your IT provider, or designate an employee as a security manager, to keep tabs on current events related to cybersecurity. Ask that person to brief you on the latest scams so you can keep your staff up to date between trainings.   

Provide regular updates and messaging to continually remind employees, customers and vendors to watch out for communications that may seem legitimate but aren’t. If they are not expecting communication or receive something that seems off, they should check with supervisors through known channels.