Free Shipping On Many Orders Over $300 (Exclusions Apply)

Chat To Us - 7am-10pm - 7 Days A Week

20 Phishing Lessons And Principles For Business Leaders And Teams

20 Phishing Lessons And Principles For Business Leaders And Teams

Esther McNally |

In any cybersecurity strategy, accounting for human error is essential. By some estimates, phishing attacks—in which a bad actor attempts to elicit personal information from a target using deception—account for roughly 90% of business security breaches.

With the volume and sophistication of phishing attacks increasing year over year, businesses need to continuously educate their employees—and leaders—on how to spot and handle them. Below, 20 members of Forbes Technology Council share essential lessons and principles about phishing that companies should share with their team members and leadership group.

1. Attackers Often Seek To Mimic Authentic Organizations And People

Spear phishing is one of the most common phishing attacks today. Attackers may mimic an authentic organization, such as a third-party partner, or an individual, such as another employee. For example, an employee may receive a phishing email in which an attacker pretends to be the CEO and requests sensitive company information, credentials or money transfers. 

2. Phishers Can Find A Lot Of Information Online

It’s important to understand that there’s a wealth of personal and organizational information available through search engines, social networks and trade resources. Phishers often use social media and company websites to gather personal information—information that helps them craft incredibly branded, personalized attacks that can cause recipients to lower their guard and provide a quick response.

3. Be Wary Of Email Spoofing

One common phishing attack is email spoofing. This occurs when an attacker sends an email that appears to come from a trusted source. These emails often contain convincing logos, sender names and content, and the goal is to deceive recipients into clicking on malicious links, downloading malware or providing sensitive information. 

4. Don’t Let Yourself Be Rushed

Phishing scams often rely on urgency. The malicious message will give you a time-bound reason to log into a trusted platform, such as, “Log in to confirm your account within 24 hours or it will be deactivated.” Don’t allow yourself to be rushed; when in doubt, take the time to access your account through the login page, never the link in the email. 

5. Always Examine Domain Names In Email Links

Companies must educate their employees on how to handle potential phishing emails. For example, many phishing emails impersonate businesses (such as LinkedIn, Twitter and so on) or individuals (such as a colleague, superior or acquaintance). Always examine domain names in email links before clicking on them. Be especially cautious if the email or the subsequent website requests personal information or money. 

6. Phishing Also Happens Via Text Messages

It is important for businesses to educate their team members about “smishing”—that is, text message phishing. Though preventing these scams completely isn’t possible, there are simple solutions for blocking and reporting these types of threats. However, it is most important that organizations take the first step: educating employees that smishing exists. 

7. Don’t Automatically Trust Messages ‘From A Boss’

Many phishing attacks use hierarchical leverage, with the attacker impersonating someone in a higher position in the organization than the recipient. It can be a highly effective method for a threat actor to elicit quick, near-automatic responses from employees. 

8. Protect Your Microsoft 365 Account

The most sought-after credentials by cyber threat actors are those for Microsoft 365 accounts. Phishing attacks commonly try to gain these credentials, usually via a password reset or account confirmation request. Businesses should educate their teams that these emails try to communicate a sense of urgency that an account will expire or be deleted or that there will be some other dire consequence if action isn’t taken. 

9. Work Closely With The Security Team

Threat actors increasingly rely on social engineering to penetrate an organization’s security systems. Employees must operate with due diligence when interacting with any suspicious email, phone call, text or other form of communication. Bad actors rely on employees being the weakest link. It’s vital that you work closely with your security teams and always practice good cyber hygiene.

10. Ensure Names And Email Addresses Match Up

The biggest red flag for any employee should be when they are contacted via an email address that has not been used to contact them before. Regardless of the type of phishing attack, ask everyone to simply check that the name and email address tally. Back this up with “white hat” phishing campaigns of your own. 

11. Even Emails With ‘Personal’ Touches Could Be Phishing Attempts

Today, elaborate attacks include emails that seem as though they come from your co-workers, asking for approval for things that might seem common. These emails are often friendly, include “personal” touches and, in many cases, seem legit. Using artificial intelligence capabilities, attackers are perfecting their techniques, and “time sensitive” requests make them very effective. The solution? Always double-check a request with a phone call. 

12. Avoid Opening Email Attachments And Links

The problem is that with AI, phishing attacks not only look like legitimate emails, they are created from legitimate emails. This means it is almost impossible to rely on awareness to prevent phishing. Phishing attacks are successful because organizations allow emails to contain attachments and embedded links. Until those are removed, no amount of awareness will stop advanced phishing attacks. 

13. ‘Vishing’ Is On The Rise

While much attention is focused on phishing through email and text, voice phishing (a.k.a. “vishing”) is on the rise. Human-to-human voice contact has a very high power of persuasion. Awareness training is essential, but for added protection, it should be combined with modern technical solutions designed to detect tell-tale call behaviors that indicate the presence of a vishing probe. 

14. Watch For Unexpected Messages Or Emails From Vendors

Vendor email compromise is a subset of the traditional business email compromise scam, where attackers impersonate vendors to request fraudulent wire transfers or payment of fake invoices. They are highly successful as they exploit trusted vendor-customer relationships. Further, because discussions with vendors often involve payments, it becomes harder to catch attacks that mimic these conversations. 

15. Notify IT About ‘Account Termination’ Messages

One of the most common tech concerns is phishing linked to account termination. Employees will receive a message that says a business or personal account is set to expire shortly and credentials or credit card information are needed to continue services. Employees should always report these messages to their IT teams, as most successful breaches start with this type of deceptive notification. 

16. Deepfakes Are Increasingly Believable

With generative AI being easily accessible, deepfakes are increasingly believable. From emails to texts to phone calls, bad actors can create near-perfect imitations that can fool even the most experienced professionals. Employees need to be aware of and educated on these attacks, but CISOs need to be equipped with passwordless and high-assurance, identity-based approaches to ensure the safety of their data. 

17. Senior Executives May Be Targeted

One common high-risk phishing technique is “whale phishing.” It targets senior executives, potentially granting attackers valuable access to financial resources and entire networks. Assumptions of high-level protection can be deceptive; there’s no such thing as 100% awareness. Businesses must prioritize comprehensive cybersecurity training across all levels of the organization. 

18. There Are Many Ways To Learn More About Cybersecurity

It is always important for organizations to continuously raise awareness about cybersecurity incidents, phishing and any malicious activities that employees report. Several methods can be used for this purpose, including e-learning, lectures by security experts, phishing drills and allowing employees to communicate the company’s legal obligations and risks associated with noncompliance. 

19. Real-World Simulations Can Hone Employee Awareness

Cybercriminals are using AI to make phishing emails appear more realistic than ever before, significantly increasing the chances of victims clicking malicious links or opening attachments. Organizations should deploy real-world simulations to help test employee awareness of and vigilance about phishing threats and to help train and reinforce proper practices when users encounter targeted attacks. 

20. Always Report Phishing Attempts (Including Successful Ones)

Users need to feel safe. They need to know that they can report phishing attempts without any sort of negative impact, including if they may have fallen victim to an attack. Quick detection and response is key to removing attackers from the environment and preventing a (more significant) breach.