5 Major Phishing Mistakes to Avoid That Leave You Vulnerable
Is your company making some mistakes that increase your risk of a phishing attack? Simply forwarding a phishing email or not reinforcing security awareness throughout the year can put you in a higher risk category than a company that builds security awareness into its “business as usual.”
Teams that are well-trained in security awareness can reduce an organization’s risk of a cyberattack by as much as 70%. But teams that don’t receive regular training and aren’t supplied with tools to help ward off phishing can leave a company’s network security in danger of a breach.
Phishing is only getting more sophisticated, and companies are beginning to fall behind in defending against it. Between 2020 and 2021, the number of surveyed organizations that were victims of successful phishing attacks increased from 57% to 83%.
One of the first ways to improve your company’s security posture and reduce cyberattack risk is to ensure you’re not making one of these common phishing mistakes.
Ignoring Phishing via SMS
Have you noticed that you get more emails from retailers now than you did a couple of years ago? They’ve figured out that their ads are much more effective when they can bypass your email inbox and go straight to your text messages.
Phishing attackers have also figured this out. Mobile numbers are now readily available from multiple sources, and scammers are using those to send phishing via SMS (known as “smishing”).
If you’re not yet training your employees on tactics to avoid falling for phishing coming in via text message, then you leave your company at risk of an infection that originates from that person’s smartphone.
Only Holding Employee Awareness Training Once per Year
Training your employees on phishing detection and other cybersecurity awareness topics just once per year is not going to be enough to give them the detection skills they need.
You also are not illustrating to employees that your organization takes IT security seriously or expects them to when you only bring the subject up annually.
According to a study on employee awareness training, it was found that four months was the sweet spot for employees retaining information and being able to correctly identify phishing emails in a test. After four months, they performed worse. The testing was conducted in four, six, eight, ten, and 12-month increments.
So, shoot for quarterly security awareness training at a minimum.
Forwarding Phishing Emails Inside the Organization
If the first person that gets a phishing email doesn’t click the link, but then forwards the email to someone else, the risk that the phishing trap will be successful has just increased.
When phishing emails are forwarded inside your organization, the person on the receiving end of the forward now may not evaluate that message as thoroughly as they may have without a colleague or manager forwarding it. They may even think it’s legitimate because the person forwarded it.
You should have a policy against forwarding questionable emails for all staff, especially those in higher positions that may forward an email to a subordinate that they don’t have time to deal with. Each forward exponentially increases the chances of success for that phishing scam.
Having an Overworked Staff
People that are overburdened make more mistakes. They don’t have time to thoroughly look through a phishing message and may be tired from a long day. Their brain is not functioning at full capacity in many cases, which makes them an easier target for phishing.
Keep this in mind when thinking about IT security. You may need to let your employees know they have permission to take time to review questionable emails or send them to your designated IT team or IT provider for review.
Not Building a Culture of Cybersecurity Awareness
If you want to have reliable defenses against cyberattacks then you ultimately need to build a culture of cybersecurity awareness.
This means that people incorporate things like password security, not blindly clicking links in emails, and similar safeguards into their day-to-day.
To do this, you need to put security-focused messages at the forefront in a variety of ways. This could look something like:
- Cybersecurity awareness posters in your building
- Short weekly IT security videos that employees can access online highlighting a different message each week
- Quarterly forums where all employees discuss security and get updated training
- IT security tips in a team messaging channel
- Celebrating Cybersecurity Awareness Month each year with fun team events
- Doing regular phishing and disaster recovery drills
Get Help Building a Culture of Cybersecurity at Your Company
Need help building a strong team that adopts cybersecurity as BAU (business as usual)? C Solutions can help your Orlando area business reduce risk and improve your cybersecurity resilience.
Schedule a free consultation today! Call 407-536-8381 or reach us online.