If you’re like most companies, you work employee awareness training into your mix of cybersecurity safeguards. When staff is well trained in security-related subjects like password security and how to spot a phishing email, studies show that company risk of a cyber incident can go down 45% – 70%.
Employees are often on the frontline of malware and virus attacks that come in through phishing emails. Knowing how to spot them and being kept updated on the latest tactics help reduce human error, which is what phishing attackers are depending on.
However, there is one major mistake that a company owner or manager can make that hurts all their training efforts. It can cause an employee to forget all their awareness training and be taken in by a phishing email, even if they are tech-smart otherwise.
What’s this fatal mistake that can cause employees to be more susceptible to clicking on phishing? It’s when someone in a position of authority forwards the phishing email to them.
How a Phishing Forward Caused a Website and Email Takeover
When employees receive email from those in a position of authority, such as their boss or the company CEO, they see that email differently than when it comes in on its own. It has a big invisible red alert flag that increases the urgency because of who it came from.
Here’s a true story of a small start-up company that was hurt because the CEO decided to forward a phishing email that he didn’t have time to deal with himself, and didn’t forward to a trusted IT provider (which is where it should have gone).
The situation began when the CEO received an email that appeared to be from the company’s web server host for its website and email. It warned that the service could be turned off if the account wasn’t updated, and it provided a link.
The first inclination the CEO had was to forward the email without any explanation to the employee that usually handled the website and other office account items.
When the employee received the email from the CEO, they immediately went into high-alert mode. See, the CEO wasn’t known as being particularly patient and especially got upset when anything went wrong with the website (their main money-generator).
So, the employee thought they’d better handle this immediately or risk getting into trouble should the website go down. The “from” email address was the correct domain for the hosting provider (a case of domain spoofing).
Normally, the employee would have called the hosting company first – but knew that could mean being on hold for quite a while, and because the CEO forwarded this for her to handle, she clicked the link. The page appeared to look exactly like the normal login page for the provider (part of the spoofing scam), so she logged in and looked for the area that the email said to update.
After a couple of minutes, she got a sinking feeling when she couldn’t find a setting that matched the email and immediately changed the password on the account. But it was too late.
These types of attacks are automated, and the hackers took over the server within seconds of her logging into the phishing site. Their script began putting up phishing pages over the company’s website and sending phishing emails from the company domain.
The company spent the better part of two days getting the server secured, with the website down the entire time. More time and effort were spent after that getting the domain name reputation cleaned up, as it had been blocked by multiple email services due to the phishing spam.
The moral of the story is that all this could have been avoided if that CEO had not forwarded the phishing email without realizing how the employee would see it as an urgent directive.
Reasons to Have Your IT Provider Check Suspicious Emails Instead of Forwarding Them to Employees
Employees Can See a Forward as a Directive
When a manager forwards a phishing email to an employee because they don’t have time to deal with it themselves, the employee can see that email as a directive to take care of whatever issue the email is about.
Employees Feel an Added Sense of Urgency
An email from the boss adds an element of urgency. This can cause employees to bypass scrutiny that they may have normally given an email like this if it had come into their inbox organically.
Employees May Think Their Boss Already Checked the Message
When receiving an email forward from a person in a position of authority, the phishing email elevates to having a level of trust. The employee can easily think that the person that forwarded the message must be saying it’s okay since they forwarded it in the first place.
IT Professionals Have the Experience Needed to Detect a Scam
IT professionals will have the knowledge and skills needed to detect a dangerous email without feeling the need to take action on it as an employee will.
How Strong Are Your Phishing Defenses?
C Solutions can help your Orlando area business ensure your defenses against phishing are adequately protecting you from a breach or malware infection.
Schedule a free consultation today! Call 407-536-8381 or reach us online.