Taking the Bait: Email Phishing in the Workplace

Email phishing is the fastest-growing online crime method. The aftereffects of personal phishing attacks are newsworthy (stolen funds, bank account and credit card numbers, and other personal information), but attacks targeting businesses are equally, if not more, dangerous. Stolen credentials give attackers access to a plethora of useful information: intellectual property, financial information, employee records, and customer information. While the staff member who receives the email may not be harmed personally, by opening the message he puts the entire company, including its customers, at risk, particularly if he enters log-in credentials or installs malware on his local machine. Attacks can result in financial losses, non-compliance penalties, and serious reputational damage, not to mention the time, money and human resources spent on remediation.

According to the 2016 Verizon Data Breach Investigations Report, 30 percent of phishing emails are opened, and 12 percent of recipients click the link or open the attachment. This is a significant, and alarming, increase from the 2014 data set, in which 23 percent of messages were opened. Today’s emails may be more convincing, and the attacks more sophisticated, but we clearly have a lot to learn when it comes to prevention and awareness.

Successful strategies for educating employees and increasing resistance to phishing attacks include:

  • Promoting awareness through training. Make sure that training sessions are engaging, reference real-world scenarios, and teach employees to evaluate the legitimacy of hyperlinks and sender addresses.
  • Conducting regular phishing exercises to test user awareness, evaluate the training program’s effectiveness, and identify employees who may require additional training.
  • Establishing a system for reporting possible phishing attempts, such as a button on the taskbar.
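The two checks the training bullet asks employees to perform by eye, comparing where a link visibly claims to go with where its href actually points, and comparing the domain a sender's display name claims with the domain of the real address, can also be automated as a first-pass triage for messages that arrive through a report-phishing button. The script below is an added example written for this article, not code from the article's author or from any vendor product; the sample message, the organisation name and every domain in it are constructed for the example, and the "last two labels" domain comparison is a deliberate simplification (a production check would consult the Public Suffix List so that domains such as example.co.uk compare correctly).

```python
"""Triage heuristics for a reported email: mismatched link text vs. href, and
a From: display name that claims a domain other than the real sender domain."""
from email import message_from_string
from html.parser import HTMLParser
import re

# Matches something that looks like a hostname, e.g. login.example-corp.com
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed sample message for this example; the domains are not real.
SAMPLE_EMAIL = """\
From: "Payroll Team (payroll@example-corp.com)" <no-reply@mail-updates.example.net>
To: staff@example-corp.com
Subject: Action required: confirm your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://login.example-corp.com.evil-host.example/verify">\
https://login.example-corp.com/verify</a> within 24 hours.</p>
<p>Questions? See our <a href="https://example-corp.com/help">help page</a>.</p>
</body></html>
"""


def registrable(host):
    """Crude 'organisation' part of a hostname: its last two labels.
    Simplification: real deployments need the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_or_host):
    """Hostname of a URL, or the bare host if no scheme is present."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url_or_host.strip(), re.IGNORECASE)
    host = m.group(1) if m else url_or_host.strip().split("/")[0]
    host = host.rsplit("@", 1)[-1]     # drop userinfo (https://bank.example@evil.example)
    return host.split(":")[0].lower()  # drop a port suffix


def check_sender(from_header):
    """Flag a From: header whose display name names a domain other than the address's."""
    findings = []
    m = re.match(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>\s*$', from_header)
    if not m:
        return findings
    name, addr = m.group("name"), m.group("addr")
    addr_domain = registrable(addr.rsplit("@", 1)[-1])
    for claimed in DOMAIN_RE.findall(name):
        if registrable(claimed) != addr_domain:
            findings.append(f"sender display name claims {claimed} "
                            f"but the address is @{addr_domain}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Flag links whose visible text names a domain different from the href's real domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not DOMAIN_RE.search(text):
            continue  # plain words like "help page" make no claim about a domain
        shown, real = registrable(host_of(text)), registrable(host_of(href))
        if shown != real:
            findings.append(f"link text shows {shown} but the href goes to {real}")
    return findings


def analyze(raw_email):
    """Run both checks over a raw RFC 5322 message and return the list of findings."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg.get("From", ""))
    body = msg.get_payload(decode=True) or b""
    findings += check_links(body.decode(msg.get_content_charset() or "utf-8", "replace"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

Run as a script it prints one finding for the sender and one for the first link; the second link is left alone because "help page" makes no claim about where it leads. The same two comparisons are exactly what a training session can walk employees through by hovering over a link and expanding the sender address.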