January 14, 2020

How to Train Your Employees on Phishing Attempts?

You reach your office at 9:30 am sharp, switch on your computer, and start going through all the emails. As you are going through your emails, you come across an email from an unfamiliar address. Still, you decide to open it, and immediately you know that the email isn’t from someone at work; instead, it is a poor attempt at phishing. After all, why would anyone at work need your database login? Since you know that it is an attempt to phish you, you decide to delete the email.

However, while you’re deleting the offending email, you start to wonder whether everyone in the office has enough knowledge to spot fake emails or phishing attempts that arrive via email. This realization hits you hard, and you start to fear that a network breach from a phishing email might be just around the corner. You pick up the phone and ask HR to organize a training session on phishing attempts. If HR accepts your request, then the following are the things you need to convey to your employees during that training session.

What is Phishing?

Phishing is basically the use of fake emails designed to trick people into clicking on a malicious link; clicking on the link compromises their computer by installing malware on the system. It is also used to get employees to disclose login credentials. Intruders can use many different types of phishing attempts to compromise your computer or network. Some common phishing attacks include deceptive phishing, spear phishing, CEO fraud, pharming, Dropbox phishing, and Google Docs phishing.

Why People Click on Phishing Emails

We all get tricked at some stage. If an employee is distracted, then they may fall prey to a phishing email designed like an office or company correspondence. After all, to err is human. Generally, employees click on these emails because they have little idea of the problems that this can create. In fact, many of them don’t even know what phishing is and that it should be avoided.

There are also occasions when the employees are aware of these threats, but they don’t know what to do about them. While they know about the ‘fake emails’ that get passed around, they have no training or experience to deal with the situation. While employees having awareness about phishing emails is always good, the focus should be on training them to protect against these threats.

What a Phishing Attack Looks Like

Another important thing that your employees need to know about phishing attacks is what they look like. Today, hackers and cyber-criminals use highly sophisticated phishing attacks to trick people into clicking malicious links or disclosing sensitive information.

Basically, cybercriminals use phishing emails to trick people into clicking on a link that leads to a fraudulent page. Once you land on it, the fraudulent page starts to gather your personal information: your ID, login credentials and passwords, and bank account information. It often also installs malware on your system. In fact, more than 90% of all malware comes from phishing emails.

While there are occasions when phishing emails are easy to spot due to fake logos or misspellings, many times these emails are highly sophisticated and contain personal information that leads you into believing they’re real.

At times, they are drafted in an urgent tone that demands a response. An email that says your bank account or another important account has been compromised is often a phishing email that tempts you to click on a malicious link. Therefore, it is important to learn how to distinguish genuine emails from phishing emails and then train your employees to do the same.

It is Possible to Spoof Email Addresses

It is important to train your employees that they shouldn’t trust an email just because it seems to be a familiar source. Often, cybercriminals use different methods to disguise emails. They are experts at tricking people into seeing an email as legitimate when it is actually coming from a malicious source.

The two most common methods used by cybercriminals to spoof email addresses are cousin domains and visible alias spoofing. Also called display name spoofing, visible alias spoofing involves the use of a legitimate company name as the email sender. However, the mail is actually from a random address.

This method to spoof email addresses is most effective when the intended mail recipient checks the phishing email on a mobile device; this is because the sender’s email address is hidden on phones and most users do not bother to expand the name to view the email address.

On the other hand, a cousin domain is an email domain designed to look like a legitimate one; it is only slightly modified. For example, if Microsoft.com is the legitimate domain, then the attacker may use Microsoft.co. There are also cases in which hackers trick users by using extensions. Examples of extensions are Microsoft-support.net, Microsoft-logins-co and so on. Often, confusing and lengthy sub-domains are used to trick users.

How to Recognize a Phishing Email

If any of your employees fails to recognize a phishing email and report it, then your company can get into big trouble. Just one click from an unsuspecting employee could compromise your entire network. Therefore, you must train all your employees to recognize phishing emails. The following are some of the things you should tell them to look for in order to recognize phishing emails and then report them:

  • Familiar company email names that end with ‘.ca’, or ‘.co’ instead of ‘.com’
  • Checking the emails for any logos that seem a bit off
  • Being suspicious of and performing due diligence on all emails that ask for personal information, login credentials and passwords, or bank account information

By making the above-mentioned things part of your training session on phishing attempts, you will enable your employees to recognize phishing emails and thwart any attempts to compromise your network.
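As an added illustration that is not part of the original article, the following Python check applies the two spoofing patterns described earlier (display name spoofing and cousin domains) and the checklist above to a From: header, so a mail filter or a training exercise can show trainees why a sender is suspicious. The TRUSTED_DOMAINS set and the sample headers are constructed for this example.

```python
import re
from email.utils import parseaddr

# Constructed example: domains the organisation treats as genuine senders.
TRUSTED_DOMAINS = {"microsoft.com", "percentotech.com"}


def sender_domain(addr):
    """Lower-cased part after the last '@', or '' if the address has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_trusted(domain):
    """True for a trusted domain or one of its real subdomains (mail.microsoft.com)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def analyze_from_header(from_header):
    """Return a list of warnings for one From: header value; an empty list means no red flags."""
    display, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if not domain:
        return ["sender address could not be parsed"]
    if is_trusted(domain):
        return []
    warnings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # 'microsoft' for 'microsoft.com'
        # Display name (visible alias) spoofing: the name shows a trusted brand,
        # but the actual address lives on an unrelated domain.
        if brand in display.lower():
            warnings.append(f"display name '{display}' claims {brand} but address is on {domain}")
        # Cousin domain, same name with a different TLD: microsoft.co vs microsoft.com
        if domain.rsplit(".", 1)[0] == brand:
            warnings.append(f"cousin domain {domain} imitates {trusted} (TLD differs)")
        # Brand embedded in a hyphenated name or a long subdomain chain:
        # microsoft-support.net, login.microsoft.com.example-attacker.net
        elif brand in re.split(r"[.-]", domain):
            warnings.append(f"domain {domain} embeds the brand '{brand}' but is not {trusted}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers: one genuine, three suspicious.
    for header in ("Microsoft <no-reply@microsoft.com>",
                   "Microsoft Support <alerts@mail-relay-xyz.net>",
                   "Account Team <security@microsoft.co>",
                   "Support <help@microsoft-support.net>"):
        print(header, "->", analyze_from_header(header) or "no red flags")
```

The check is deliberately conservative: anything that merely mentions a trusted brand outside its real domain is surfaced for a human to look at, which is the behaviour you want trainees to imitate.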



by Bobby J Davidson

We love our company and we love what we do. Check out the ‘Why Percento’ page to learn more: Love of Technology and Business! As the President of Percento Technologies International, I provide day-to-day leadership to the company’s senior management and I am personally involved in the strategy, business development and sales activities of the firm.

The company was founded in 1999 with the purpose of providing a one-call source for organizations in need of Enterprise IT Consulting and Management. We also provide a line of products in the boutique Cloud Server space with a touch of high-end website strategy consulting and design services. We personalize the IT Service experience with a team approach, working with clients from diverse sectors of industry, including energy services, financial, legal, entertainment, healthcare, hospitality, retail and general and/or corporate business. percentotech.com/contact