Identifying Phishing Red Flags: Employee Training Insights
In the digital age, recognizing phishing red flags is a crucial skill. We asked fifteen professionals, including CEOs and Heads of Digital, for their top tips on training employees to avoid falling victim to phishing attempts. From checking links before clicking to involving employees in phishing-simulation creation, discover the strategies these experts recommend.
- Check Links Before Clicking
- Teach Detailed Link Handling
- Use Phishing Simulations and Micro-Learnings
- Consider Workforce Vulnerability and Hands-On Learning
- Verify Email Addresses and Links
- Organize Regular Phishing Awareness Training
- Implement Frequent Security Reminders
- Encourage Ethical-Hacking Exercises
- Configure DNS Filtering to Block New Domains
- Promote Open Communication in the Office
- Establish Clear Reporting Policies
- Adopt an Interactive-Training Approach
- Teach Skepticism towards Atypical Requests
- Link Simulations with Immediate Learning
- Involve Employees in Phishing-Simulation Creation
Check Links Before Clicking
Hover over the link with the mouse. If the preview link on the left looks suspicious, don’t click on it. Masking links is pretty easy, and it’s a method often used by scammers. Always check the link before clicking, and read it very carefully. It might not be facebook.com but faceb00k.com, or not google but g00gle, or not facebook.com but rather facebook.co.
Names can be spoofed easily, and coworkers can receive emails from a spoofed name in their inbox from scammers. They would still check the links in the email, even if it looks like it came from a familiar source.
So, previewing the links and paying attention is critical.
Selman Seref
Head of Digital, tectrain GmbH
Teach Detailed Link Handling
Phishing is typically conducted via email, with links. How many people actually know what to do with links to determine if they are safe? Therein lies the problem. Many cybersecurity-awareness training solutions will state things like, “Don’t click on strange-looking links,” and yet many legitimate links can be “strange-looking”!
So, if you really want to protect against phishing, it’s a good idea to teach people in detail how to deal with links. It doesn’t take that long; half an hour can cover it quite well. But you need to ensure you are discussing topics such as: what risks links pose, what they can look like, hovering, how to read them, warning signs (e.g., an @ sign in the link), QR codes, use of legitimate sites by criminals, and research tools (e.g., VirusTotal).
Ensure the content is relatable so they care. That typically means a focus on home use. Keep it short, fun, engaging, and include practical examples that they can work through.
Mike Ouwerkerk
Fun, Engaging Cyber Security Awareness Trainer and Cultural Transformation Consultant, Web Safe Staff
Use Phishing Simulations and Micro-Learnings
My favorite approach is to use phishing simulations in combination with micro-learnings. I’ve yet to meet anyone who doesn’t hate security trainings that are more than five minutes in length, so rather than fighting that, I find it better to meet people halfway and require them to do short, up-to-the-minute trainings when they’re caught messing up. If you pass the phishing attempt and, even better, report it, then you probably deserve your free pass to carry on with your day.
Onno Halsema
CEO, Contentoo
Consider Workforce Vulnerability and Hands-On Learning
One thing to consider when training employees to recognize phishing red flags is the unique vulnerability of your particular workforce.
As a recruiter specializing in the executive sphere, I work with a lot of established employees who were trained before the Internet engulfed everything. They’re also powerfully skilled and in high demand, meaning they can be a little strong-headed in verbalizing their own weaknesses.
Keeping this in mind has allowed me to craft successful training programs. Hands-on learning is crucial, and whenever possible, I try to bring in teachers who are of the same generation as them. Highlighting what might be obvious to Gen-Z is an important step, so starting at the basics is often a key to success, but I do so while concurrently reminding them of the value inherent in their experience.
Travis Hann
Partner, Pender & Howe
Verify Email Addresses and Links
I had a lot of issues with this, and I had to have multiple conversations about it. I’d say what drove my point home, ultimately, was teaching people that no one asks you to click links in their emails.
Some do for verification purposes, but that’s where my second tip comes in: always check the email address that’s sending you the email. It becomes immediately obvious that the email isn’t actually from Amazon when the email address is 3964jggdew942@scam.com.
Rick Berres
Owner, Honey-Doers
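A defender-side check for the red flags the three contributors above describe (hover-text domain versus real destination, an @ sign hiding the real host, digit-for-letter and TLD lookalikes such as faceb00k.com and facebook.co, and a display name that does not match the sending address), written as an added Python example and not code from any of the contributors; the trusted-brand list, the `.example` domains and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: brands the defender wants to protect; extend for your organisation.
TRUSTED_DOMAINS = {"facebook.com", "google.com", "amazon.com"}
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """'www.facebook.com' -> 'facebook.com' (naive last-two-labels; no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike(domain):
    """Trusted domain that `domain` imitates via digit swaps (g00gle) or a TLD swap (facebook.co)."""
    if domain in TRUSTED_DOMAINS:
        return None
    name = domain.split(".")[0].translate(str.maketrans("013", "ole"))
    return next((t for t in TRUSTED_DOMAINS if t.split(".")[0] == name), None)

def link_red_flags(shown_text, href):
    """Red flags for one hyperlink: what the user reads versus where the link really goes."""
    flags, parts = [], urlsplit(href)
    host = registrable(parts.hostname or "")
    if parts.username is not None:  # everything before '@' is ignored by the browser
        flags.append(f"'@' in URL: browser goes to {host}, not {parts.username}")
    shown = re.search(r"(?:[\w-]+\.)+[a-z]{2,}", shown_text.lower())
    if shown and registrable(shown.group(0)) != host:
        flags.append(f"text shows {shown.group(0)} but link goes to {host}")
    imitated = lookalike(host)
    if imitated:
        flags.append(f"{host} imitates {imitated}")
    return flags

def sender_red_flags(from_header):
    """Display name claims a trusted brand but the sending address domain does not match."""
    name, _, addr = from_header.rpartition("<")
    name, addr_domain = name.strip(' "'), registrable(addr.rstrip(">").split("@")[-1])
    return [f"display name '{name}' but address is @{addr_domain}"
            for t in TRUSTED_DOMAINS if t.split(".")[0] in name.lower() and addr_domain != t]

def scan_email(from_header, html_body):
    """All red flags in a message; an empty list means none of these checks fired."""
    flags = sender_red_flags(from_header)
    for href, text in ANCHOR_RE.findall(html_body):
        flags += link_red_flags(re.sub(r"<[^>]+>", "", text), href)
    return flags

# Constructed sample message (not a real phish); hover-text vs. href mismatches are deliberate.
SAMPLE_FROM = '"Amazon Support" <3964jggdew942@scam.example>'
SAMPLE_BODY = """<a href="https://faceb00k.com/login">https://www.facebook.com/login</a>
<a href="https://www.google.com@g00gle.example/verify">Google account</a>
<a href="https://facebook.co/help">facebook.co help</a>"""
```

`scan_email(SAMPLE_FROM, SAMPLE_BODY)` returns six flags for the sample; the same checks can run over a mailbox export as a training aid, with each flag mapping to one of the hover, @ sign, lookalike and sender-address tips above.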
Organize Regular Phishing Awareness Training
One way to prepare your employees for phishing attempts is to educate them thoroughly. The optimal strategy is to keep every employee well-informed so that they can spot the scams from a mile away. It may seem like an easy task, but today’s phishing attempts are more sophisticated than before. I recommend organizing phishing awareness training from time to time.
Bring in a cybersecurity expert to cover all the latest and most dangerous methods used by phishing scammers. The more employees know about these scams, the better their chances are of avoiding getting tricked.
Amy Tribe
Director, OGLF (Our Good Living Formula)
Implement Frequent Security Reminders
Train them over and over again! I would recommend doing it at least bi-monthly and keeping them informed in between with security-related content and best practices. This will raise security awareness, and it will also establish the mindset that your organization takes security seriously.
The good old saying, “trust but verify,” would apply to anything that looks or sounds remotely suspicious. In the Secret City (Oak Ridge, TN) during the Manhattan Project in the 1940s, huge billboards would remind and train people to keep secret things secret. Today, we wrongly assume that people understand that certain things need to be protected, and we could not be more wrong.
Edward Snowden was a contractor who convinced over 20 government employees to hand over their passwords so he could do his job as an administrator. Their ignorance caused the largest data breach in NSA history, and they could have easily prevented this with frequent security training and frequent reminders.
Thomas Neudenberger
COO, realtime North America Inc.
Encourage Ethical-Hacking Exercises
One tip to avoid falling victim to phishing attempts is to encourage employees to engage in ethical-hacking exercises. By participating in controlled and supervised hacking activities, employees can gain firsthand experience of phishing techniques and tactics.
This practical knowledge enhances their ability to recognize red flags and develop a critical mindset towards suspicious emails or communications. For example, employees can be given simulated phishing emails and tasked with identifying red flags, such as poor grammar, suspicious sender addresses, or requests for personal information.
This hands-on approach enables them to understand the phishing landscape better and strengthens their defenses against real-world phishing attempts.
Ben Lau
Founder, Featured SEO Company
Configure DNS Filtering to Block New Domains
One way to help employees stay alert to potential phishing attacks and catch them early on is to configure a DNS-filtering service or gateway firewall to block newly registered domains.
Blocking newly registered domains helps mitigate many phishing attacks since attackers frequently register new domains that aren’t yet classified as a threat by security services. By preventing the employee from unknowingly interacting with a newly registered domain, you can create a buffer where the employee has a chance to verify the legitimacy of a new website or catch instances where the attacker is using a name similar to a well-known company.
Ben Bozzay
Founder, Tech Lockdown
Promote Open Communication in the Office
Encouraging open communication in the office is the best way to prevent a security incident stemming from a phishing email.
As a recruiter, I see candidates daily. Many tell me that their current or previous job eschewed this kind of open communication, leading them to feel alone for decision-making. That’s often a reason they’re moving on.
With cybersecurity, unwavering independence makes failure more likely. I always emphasize to my employees that wanting a second opinion is no sign of naivety.
When workers face a questionable email, they should know they’re able to bring the concern to management without fear of repercussion or judgment. These emails are becoming more sophisticated by the day, so requesting a fresh set of eyes on the link before clicking is a great habit to develop.
Rob Reeves
CEO and President, Redfish Technology
Establish Clear Reporting Policies
Start with clear policies on reporting suspicious emails and require training upon onboarding and annually. Run simulated phishing tests to gauge vulnerability. Use any breaches as teachable moments without punishment. Share examples of phishing emails alongside authentic ones, so employees learn how to spot differences in tone, grammar, and sender address.
Teach them to hover over hyperlinks to check destinations before clicking. Set up a workflow requiring verification calls for unusual financial requests. Remind staff it is always better to double-check if something seems off rather than worry about delaying a response. Foster a culture of healthy skepticism instead of implicit trust.
My top tip is to pause before reacting anytime you feel a false sense of urgency or fear created by content. Phishers rely on triggering emotional responses. Staying calm allows for a rational assessment of legitimacy.
Vikrant Shaurya
CEO, Authors On Mission
Adopt an Interactive-Training Approach
We use an interactive-training approach to teach employees how to spot phishing attempts. Our training includes regularly updated online modules with simulated phishing exercises and real-world examples to keep the content relevant. A subscription model allows us to provide ongoing, up-to-date training, encouraging a proactive response to new phishing techniques. Through interactive exercises, employees learn to be skeptical of suspicious emails and practice avoiding immediate actions.
A key training tip is to verify unusual emails, especially those from apparent internal sources, using alternative communication channels like phone calls or separate email threads. Another crucial takeaway is to avoid responding to or clicking links in suspicious emails. By promoting skepticism and proactive verification, employees become better at recognizing and stopping phishing attempts, contributing to a more secure work environment.
Ricci Masero
Marketing Manager, Intellek
Teach Skepticism towards Atypical Requests
We had an expensive lesson in phishing involving an enthusiastic intern. She received a deceptive email, seemingly from our owner, requesting the purchase of $1,500 worth of Apple gift cards for client gifts. The email asked her to send the activation codes to him immediately, which she did because she was eager to prove herself. Ultimately, having those codes gave them irrevocable access to that money.
She fell prey to this scam by not verifying the unusual request directly with our owner. The email turned out to be from a scammer using a similar-looking email address.
To prevent such an expensive mistake from happening again, we cover this topic in employee onboarding. We recount the story of the eager intern and ask our employees to be skeptical of atypical requests, especially those involving money or sensitive information. We stress the importance of double-checking email addresses for tiny discrepancies. Since the gift card debacle, everyone has been extra careful.
Michael Morgan
Managing Director, Medallion Partners
Link Simulations with Immediate Learning
My preferred approach is to link internal phishing simulations with immediate, bite-sized learning. You will never have a more receptive audience to a cybersecurity training than after someone falls for a phishing simulation.
So, rather than waiting and putting together a list of people that need to take your cybersecurity course again, I prefer to push a short quiz or something similar immediately after the failed interaction. It really does work significantly better if you can do something in the moment, even if it is just a few questions, as your audience is ready to work with you.
Dragos Badea
CEO, Yarooms
Involve Employees in Phishing-Simulation Creation
The most important factor is to catch your employees in the right mindset to be receptive about improving their resistance to phishing attempts.
One approach that I’ve been quite impressed by was a small company that would bring in employees from various departments into their cybersecurity meetings. They did this to help them craft believable phishing-simulation scenarios for their particular department.
Nothing gets you in the right frame of mind to work on your anti-phishing training quite like getting caught with your pants down by something that looks extremely believable. This is due to an inside man helping fine-tune the details and exploit vulnerabilities.
Kate Kandefer
CEO, SEOwind