
Coachable Moments: How to Help Employees Avoid Phishing Attacks


Phishing attacks are certainly nothing new, but their effectiveness makes them a continuous cybersecurity issue for organisations. According to a recent report from Carbon Black, the holiday season is an especially vulnerable time of year, with cyber-attacks on track to increase by 60% this year. The most common tactic is... you guessed it... phishing!

Fortunately, if your employees are aware of the tricks of the trade, they’re less likely to fall for a phishing scam -- no matter how convincing it may be. Here are a few tips to arm them against fraudsters.

Identifying the Real vs. the Fake

Spear phishing attacks are becoming increasingly sophisticated, which makes it more and more difficult for users to spot a fake email or website. However, there are still some telltale signs that an email or website may be fraudulent, including the following:


  • An email asks for your credentials. Encourage employees to exercise caution if they ever receive emails from services they use (bank accounts, apps, and more) requiring them to submit or reset passwords, especially if they did not request resets in the first place.
  • Emails contain unknown attachments. Attachments from unknown senders should be completely off-limits, and many email security programs will trigger alerts when such communications are sent. Occasionally, these messages slip through the cracks, so it’s important to still exercise vigilance.
  • A site or email contains misspellings or grammatical issues. If an email from a so-called reputable sender contains typos or poor grammar, it can be an obvious sign of phishing. Remind employees to put their elementary school grammar education to work to catch these errors in practice.
  • A site’s URL looks suspicious. A recent PC Magazine article on avoiding phishing scams details several scenarios in which URLs may look suspicious. For example, many hackers capitalise on misspellings that users type into browsers, or insert random characters into common URLs. Looking for the lock in the upper left-hand corner of your browser can ensure that the site you’re using is legitimate.


Visual clues give it away. Oftentimes, fraudsters make simple visual mistakes, which can telegraph that a site is fake. In the example below, the “Log In” buttons are different colours (not to mention the URLs are incorrect and lack the lock in the upper left-hand corner).

(Source: PC Magazine)
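As an added example that is not part of the original post, here is the URL side of the checklist above (a trusted domain with a typo or an inserted character, a trusted name hidden as a subdomain of another domain, and a page served without HTTPS, so no lock) expressed as a small Python allowlist check. The KNOWN_GOOD domains and the sample URLs are constructed for illustration.

```python
"""Added example, not code from the original post: a small allowlist check
for the URL signs the post lists (misspelled or padded-out domains, a known
domain hidden as a subdomain, and no HTTPS, i.e. no lock icon).
KNOWN_GOOD and the sample URLs below are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed allowlist of domains this organisation's users legitimately visit.
KNOWN_GOOD = {"example-bank.com", "example.com", "proofpoint.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions
    needed to turn a into b (one typo or one inserted character = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host, a crude stand-in for the registered domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url: str, max_distance: int = 2) -> list:
    """Return warning strings for a URL; an empty list means nothing suspicious."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("no HTTPS, so the browser shows no lock")
    base = registrable(host)
    if base in KNOWN_GOOD:
        return findings  # trusted domain; only the transport note (if any) remains
    for good in sorted(KNOWN_GOOD):
        d = edit_distance(base, good)
        if 0 < d <= max_distance:
            findings.append(f"{base} is {d} edit(s) away from known domain {good}")
        if f".{good}." in f".{host}.":
            findings.append(f"known domain {good} appears as a subdomain of {base}")
    return findings


if __name__ == "__main__":
    for sample in ("https://login.example-bank.com/reset",
                   "http://examp1e-bank.com/login",
                   "https://example-bank.com.account-verify.net/"):
        print(sample, "->", check_url(sample) or ["consistent with the allowlist"])
```

A real deployment would replace the two-label `registrable` guess with a public-suffix list and feed the checker from a mail gateway or proxy log rather than hand-typed URLs.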

To keep your employees up to speed on the latest tactics used by hackers, send a seasonal email reminder or host a training that’s focused on exercising caution and vigilance during the holidays (when it’s especially easy to be caught off guard).

Protecting User Credentials

Phishing attempts are most often focused on credential theft, which is one of the top three causes of insider threat incidents. According to insider threat statistics from the Ponemon Institute, credential theft and imposter risks cost organisations an average of $2 million per year.

Help employees protect their user credentials by requiring account security best practices, including multi-factor authentication and password management tools or password vaults. It can be difficult to roll out password vaulting software organisation-wide, since people are creatures of habit.

Take the time to walk team members through the importance of password management, including how vaults and password managers can make life easier (when password requirements are getting increasingly stringent). Check out our tips on choosing the right password manager, and help employees make adherence to password policies a resolution for 2019!

Relying on the Cybersecurity Team as a Check

Creating a positive culture of cybersecurity awareness and vigilance doesn’t happen overnight, but it starts with trust. Remind employees that they can come to the cybersecurity team when they have questions about the legitimacy of an email or website -- especially before they click.

All too often, the cybersecurity team is called into action when it’s too late. Hosting office hours or just keeping an open-door policy for questions may break down some of the barriers to communication. Or, if your employees aren’t feeling particularly empowered to chat about their issues, host an anonymous “Ask Me Anything” session, where people can submit questions without their identities being revealed. Answer the questions during a lunch and learn, and remind employees that their questions will be answered at any time with zero judgement.

Coaching Questions for 2019?

Speaking of questions, we want to know which employee coaching topics you’d like covered for 2019. Tell us what you think on Twitter @Proofpoint, and feel free to ask us how to navigate tricky coaching issues.