Phishing Emails: How Well Do You Trust Your Team? And Is Trust Enough?
As we enter a new year, many of the digital threats targeting small businesses aren’t changing drastically. They’re just getting more sophisticated.
Phishing was a top threat to your business’s cybersecurity last year, and it’s going to be this year, too.
With attacks getting more and more believable and harder to detect, just how much should you trust your team to get this right?
We don't believe business leaders should leave their digital security up to chance. Now is the time to go on the offensive.
Phishing: a Refresher
In case the term phishing isn’t quite ringing a bell, here’s a quick refresher.
Phishing describes email-based attacks where people or groups send an email that looks like it’s coming from somewhere official (like Microsoft, a big bank, or a prominent supplier in your industry). They send you an urgent message and ask you to click a link (and usually log in).
The link is malicious, though: clicking could initiate installation of malicious software. Or, more commonly, doing so could drop you on a fake sign-in page. If you attempt to sign in, your credentials will be logged and stolen.
By some estimates, a staggering 3.4 billion phishing emails get sent every single day.
So, what can business leaders like you do to protect against phishing attacks?
It all starts with education.
Step 1: Phishing Education
The first step is to educate your staff. They need to know that phishing emails exist, that they will likely run into one eventually, and what the consequences could be if they click.
They also need to get a sense of what a phishing email looks like and how they can usually be identified.
The best way to help people visualize the difference between a phishing email and a legitimate one is to use a quiz (or three). Many tech giants have a free test you can use. Here are three:
- Google’s Phishing Quiz
- The FTC’s Cybersecurity for Small Business Phishing Quiz
- OpenDNS’s Phishing Quiz
Quizzes like these provide visual cues after a person answers each question, helping quiz-takers improve their ability to spot a fake.
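The cues the refresher and the quizzes teach (a display name borrowing a well-known brand while the sender address belongs to someone else, link text that names one site while the link actually goes to another, and urgent "sign in now" language) can also be checked mechanically. The script below is an added example written for this article, not code from the original post or from any quiz provider; the brand table, the urgency phrase list and the two sample messages are constructed assumptions, using reserved example and .invalid domains.

```python
"""Heuristic phishing-indicator check for a raw email message (added example)."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand -> domains that legitimately send mail on its behalf.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com"},
    "example bank": {"example.com"},
}
# Assumed phrases typical of the "act now and sign in" lure.
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")
# Visible link text that itself looks like a URL or host name.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Reduce a URL, email address or bare host to its last two labels."""
    value = value.strip()
    if "://" in value:
        host = urlparse(value).hostname or ""
    elif "@" in value:
        host = value.rsplit("@", 1)[1]
    else:
        host = value.split("/", 1)[0]
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message):
    """Return the list of indicators found; an empty list means none fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    indicators = []

    from_header = msg["From"]
    addresses = from_header.addresses if from_header else ()
    display_name = addresses[0].display_name.lower() if addresses else ""
    sender_domain = _domain(addresses[0].domain) if addresses else ""

    # Which known brand, if any, the display name claims to be.
    claimed = next((b for b in KNOWN_BRANDS if b in display_name), None)
    if claimed and sender_domain not in KNOWN_BRANDS[claimed]:
        indicators.append(f"display name claims '{claimed}' but sender domain is {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        href_domain = _domain(href)
        if URL_LIKE.fullmatch(text) and _domain(text) != href_domain:
            indicators.append(f"link text shows {_domain(text)} but href goes to {href_domain}")
        if claimed and href_domain not in KNOWN_BRANDS[claimed]:
            indicators.append(f"link leaves '{claimed}' domains: {href_domain}")

    # Urgency phrases are searched in the subject plus the tag-stripped body.
    plain = re.sub(r"<[^>]+>", " ", content)
    haystack = f"{msg['Subject'] or ''} {plain}".lower()
    urgent = [p for p in URGENCY_PHRASES if p in haystack]
    if urgent:
        indicators.append("urgent language: " + ", ".join(urgent))
    return indicators


# Constructed sample: brand impersonation, mismatched link, urgent wording.
SAMPLE_PHISH = b"""From: "Example Bank Security" <alerts@mail-notify.invalid>
To: staff@example.org
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Please verify your account within 24 hours.</p>
<p><a href="https://login.example-bank-secure.invalid/auth">https://online.example.com/login</a></p>
</body></html>
"""

# Constructed sample: same brand, but sent from and linking to its own domain.
SAMPLE_LEGIT = b"""From: "Example Bank" <notices@example.com>
To: staff@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement for last month is ready to view.</p>
<p><a href="https://online.example.com/statements">online.example.com/statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

Run it and the constructed phishing sample produces four indicators while the legitimate one produces none. A check like this is a training aid and a first-pass filter, not a verdict: attackers who send from a look-alike domain of a brand not in the table, or who avoid URL-looking link text, will pass it, which is exactly why the education and testing steps that follow still matter.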
Step 2: Conduct a Test
After your initial phishing education, it's time to conduct a test or simulation. This step involves generating a harmless, simulated phishing email, which gets sent to your staff as a test. Anyone who clicks the link will be warned, and you'll be able to see who clicked versus who deleted it or marked it as spam.
Now, if this sounds daunting, don’t worry: you don’t need to do this work yourself. Your IT department or your IT services provider can handle this, and they’ll likely rely on one of several services that offer this sort of thing.
In fact, we’d encourage you not to try to set this up on your own. Doing it poorly could create distrust among your staff, especially if anyone thinks you were actually trying to get their information!
Step 3: Assign Additional Training (to Staff Who Didn’t Pass the Test)
The employees who fell for the trap will likely feel pretty sheepish, but this isn’t the time to let feelings get in the way. Assign additional similar resources to those who didn’t pass (or even to your entire staff) to reinforce the lessons they’ve begun to learn.
Partner with Blue Ridge Technology for Your IT Needs
There are plenty of other behind-the-scenes steps that businesses can take to reduce phishing risks. Better business email filters can stop more illegitimate mail from reaching inboxes, for one. If you’re looking for help with your IT services or are looking for something more than your current IT provider is offering, Blue Ridge Technology is ready to help. Reach out to us today to start the conversation.