7 Email Best Practices to Keep Employees Safe from Phishing

Sep 12, 2017 11:15:00 AM

Phishing scams continue to be a growing threat to enterprise security because hackers target the weakest link in any organization—its employees. More than 90 percent of breaches can be attributed to phishing attacks.

Despite the increased focus on cyber security awareness training across many industries, 37 percent of companies have had their systems infected with malware after falling victim to a phishing attack.

Breaches by the Numbers

email best practices

According to the 2017 Verizon Data Breach Investigations Report, nearly half (43 percent) of breaches were social attacks. In 95 percent of the phishing attacks that resulted in breaches, malware was installed.

Most often these are cases in which a user opens a link or an attachment reported to be something work related—forms from HR, a shared file, notations from a review.

Given the growing number of data breaches attributed to phishing scams, teaching your workforce secure email best practices should be a core part of your overall cybersecurity strategy.

From Weakest Link to Strong Defense

Everyone is vulnerable to phishing, but there are anti-phishing steps you can take to educate users on email best practices. Use these steps to help transform your workforce.

  1. You are a target. Training can no longer be an annual event that is checked off a list. An ongoing training program is the most effective way to keep employees on their toes when it comes to recognizing email scams.

  2. Know the favorite hacker tools. Email is a popular tool used in phishing scams because it works. In 2015, 30 percent of all phishing messages were opened and 12 percent of recipients also clicked on a malicious link or attachment, so training employees remains an important part of anti-phishing initiatives.

  3. Encourage reporting. Empowering workers to identify and report suspicious emails can turn the workforce from the weakest link to a strong first line of defense.

  4. Include, but don’t rely on software alone. Anti-phishing software aids you in identifying and blocking suspicious sites, but software can’t protect a human being from being bamboozled.

  5. Assess before opening. All users should know how to assess a message by confirming the identity of the sender and checking the URL before opening an email. Users should also try to understand why this email has reached them in the first place. Incorrect “from” addresses and generic greetings, for instance, can be warning signs.

  6. Relax, report, return to work. Remaining calm in any crisis is a challenge, and your employees don’t want to be embarrassed to the point of silence. Let them know that you want to know, even if it’s a false alarm.

  7. Have a policy and practice it. Simulated phishing campaigns will put your employees on alert, but what do they do with the information if they think they might have accidentally opened a fraudulent message. Have a policy in place and have practice drills so that your employees become comfortable with—rather than afraid of—reporting.

These are only a few of the many steps that have proven successful in anti-phishing campaigns. With the growing persistence and stealth of modern threats, no company can totally avoid being targeted by phishing. A Fortinet partner, Istonish offers Security Assessments that include end-user training. Contact us to learn more.

James Mathis

Written by James Mathis

James Mathis is a Systems Administrator at Istonish.

Lists by Topic

see all

Posts by Topic

see all

Recent Posts