10+ Phishing Awareness Emails to Send to Employees — Etactics (2024)


Have you ever received a suspicious email that you ended up ignoring or immediately deleting?

If I had to guess, most of you would probably say yes, at least to the part about receiving a suspicious email. And hopefully, you also answered yes to ignoring or deleting it. Why do I hope that?

Because chances are that these were phishing attempts. In 2020, phishing emails were the most common tactic cybercriminals used to steal data, so most people have probably received at least one. And 30% of phishing messages get opened.

If you engaged with the message, then it’s possible you ended up with malware on your device or had your data compromised. For companies, this can result in massive financial impacts.


To prevent this from happening at your company, you want to make sure that all of your employees know what phishing is, how to identify an attempt, and how to avoid it. You can do this with more steps than just your annual cybersecurity training.

One way is by sending phishing awareness emails to your employees. This will remind them to stay vigilant of attacks so that your company doesn’t end up suffering a breach. So what should you include in these emails in the first place?


Table of Contents

  • Explain What It Is

  • Describe the Different Types of Phishing

  • Explain What to Watch For

  • Include Statistics

  • Add Shock Value

  • Inform The Team About Attempts

  • Simulation Ideas

  • Real Examples

  • Conclusion

Explain What It Is

Going by the word alone, people might get confused when they hear "phishing."

What do fish have to do with our company?

That’s not the kind of phishing we’re talking about when we’re referring to cybersecurity and data. But not everyone might know what these attempts entail.

So the first step in your phishing awareness emails is to explain that. If people don't know what a phishing attempt is, they're more likely to fall victim to one.

Describe the Different Types of Phishing

It’s also important to explain these because not all attacks come through email. Sure, this is the most common method. According to Tessian, 96% of attacks come through malicious emails.

But hackers try other methods too, and your employees need to be aware of them. There are almost 20 types of phishing methods, including…

  1. Angler Phishing

  2. Business Email Compromise (BEC)

  3. Evil Twin

  4. Pop-up Phishing

  5. Clone Phishing

  6. Domain Spoofing

  7. Email Phishing

  8. Malware Phishing

  9. Malvertising

  10. Man-in-the-Middle Attack

  11. Pharming

  12. Search Engine Phishing

  13. Smishing

  14. Spear Phishing

  15. Whaling

  16. Vishing

  17. Deceptive Phishing

  18. HTTPS Phishing

For instance, this diagram shows how they use the pharming technique…

[Diagram: pharming technique]

Each of these uses a different tactic to steal sensitive information, so employees should be aware that phishing attempts can arrive through channels other than email.

Explain What to Watch For

But how will employees know how to identify a potential threat? Even the most common tactics through email can get overlooked by people and result in a breach. And now they have to pay attention to 10+ other methods?

Yes, that’s right. This can be overwhelming if someone doesn’t know what they should be paying attention to.

Because of this, you need to explain in your phishing awareness emails which techniques to be cautious of. Break down each phishing method together with the warning signs that give it away, so that your employees will recognize it as an attempt.

Include Statistics

Other phishing awareness emails should include statistics about these attempts. How often do they occur, and how many people get affected?

In 2020 alone, 75% of all organizations worldwide experienced a phishing attack. Unfortunately, many of these attempts are successful in stealing organizations’ data and have negative consequences for them.


By including statistics within awareness emails about how often attacks happen and what the impacts can be, employees realize how serious these incidents are. They’ll understand the importance of your emails and why they need to remain vigilant against phishing attempts.

Add Shock Value

Hackers like to use shock value in their attempts to grab the recipient’s attention and create a sense of urgency.

Likewise, you can add shock value to your emails too so that employees get the sense of urgency to stay vigilant. Some of the statistics that you add will do this already.


For instance, shock your staff by telling them what phishing attempts cost. This gives them a stronger reason to watch out for attempts, since nobody wants to be the reason so much money was lost.

Inform The Team About Attempts

Phishing awareness emails shouldn’t stop at educational information about this type of breach.

They also need to update your team on any current threats. If anyone notices a phishing attempt within your company, you need to email your team about it.

This way, they stay extra cautious about what they click since they know that there’s an active risk. They’ll be less likely to let in a malicious hacker if you’ve given them a heads up about the attempt.

Simulation Ideas

So how do you know that your work is paying off by putting in the effort to send these phishing awareness emails? You don’t want your staff to ignore them. That would make it a waste of time for you and pose a risk if recipients aren’t paying attention.

Well, there’s a simple solution: simulate a phishing attempt. You’re sending awareness emails anyway, so why not turn one into a phishing attack simulation?

Example 1: The Request Simulation

Subject: Urgent Task Request

Body:

Hi [Employee's First Name],

Are you available at the office? I have a task I need you to complete right away. Can you please print this letter and leave it on my desk for when I return from lunch?

Thanks,

[Your First Name]

Have your administrative team create a fake email account that appears to belong to someone at your company. Of course, it isn't actually that person; it just looks that way. But that's the whole idea: to fool the recipients into thinking it's that person.

Then, send your employees an email from that account. Again, you want this to look like a legitimate message. Maybe it's an urgent request from someone who appears to be the general manager. Or perhaps you send a downloadable attachment which, if it were a real phishing attempt, would include malicious code. (In a simulation the attachment must of course be harmless; all it should do is record that it was opened.)

Once you send these simulations, you'll notice which team members have been paying attention to your phishing awareness emails.

Did the employee verify that the sender's display name matched a genuine company email address before clicking download? Did they instantly reply, engaging with the spoofed account? Or did they inform the IT department that they suspected a phishing scam?

Regardless, creating a simulation will help identify how effective your awareness emails are and who has learned from them.
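The questions above (did they click, reply, or report?) are exactly what a simulation should measure, and the two numbers worth tracking are the engagement rate and the report rate, because a team that reports quickly protects you even when someone clicks. The following Python script is an added example, not part of the original article or any simulation product; it scores a constructed event log for a hypothetical campaign id and lists the people who engaged without reporting, who are the ones to follow up with.

```python
import re
from collections import defaultdict

# Events that count as "engaging" with the simulated message.
ENGAGE = {"clicked", "downloaded", "replied"}

# One event per line: <timestamp> <event> user=<address> campaign=<id>
# (assumed log format for this example)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\w+)\s+user=(?P<user>\S+)\s+campaign=(?P<campaign>\S+)$"
)

# Constructed sample log for a simulation with a hypothetical campaign id.
SAMPLE_LOG = """\
2024-03-04T09:00:00Z sent user=alice@example-corp.com campaign=req-001
2024-03-04T09:00:00Z sent user=bob@example-corp.com campaign=req-001
2024-03-04T09:00:00Z sent user=carol@example-corp.com campaign=req-001
2024-03-04T09:00:00Z sent user=dave@example-corp.com campaign=req-001
2024-03-04T09:00:00Z sent user=erin@example-corp.com campaign=req-001
2024-03-04T09:02:05Z clicked user=bob@example-corp.com campaign=req-001
2024-03-04T09:02:30Z downloaded user=bob@example-corp.com campaign=req-001
2024-03-04T09:03:40Z reported user=alice@example-corp.com campaign=req-001
2024-03-04T09:04:10Z clicked user=dave@example-corp.com campaign=req-001
2024-03-04T09:05:00Z replied user=carol@example-corp.com campaign=req-001
2024-03-04T09:06:00Z reported user=dave@example-corp.com campaign=req-001
2024-02-10T09:00:00Z clicked user=erin@example-corp.com campaign=req-000
"""


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def score_campaign(events, campaign):
    """Summarise one campaign: engagement rate, report rate and who needs follow-up."""
    per_user = defaultdict(set)
    for event in events:
        if event["campaign"] == campaign:
            per_user[event["user"]].add(event["event"])

    sent = sorted(u for u, seen in per_user.items() if "sent" in seen)
    engaged = [u for u in sent if per_user[u] & ENGAGE]
    reported = [u for u in sent if "reported" in per_user[u]]
    # Engaged but never reported: the people to coach, not to shame.
    follow_up = [u for u in engaged if u not in reported]

    def rate(part):
        return round(len(part) / len(sent), 2) if sent else 0.0

    return {
        "sent": len(sent),
        "engage_rate": rate(engaged),
        "report_rate": rate(reported),
        "follow_up": follow_up,
    }


if __name__ == "__main__":
    print(score_campaign(parse_events(SAMPLE_LOG), "req-001"))
```

Note that a user who clicked and then reported (dave in the sample) still counts toward the engagement rate but not toward the follow-up list: the reporting behaviour is the one you want to reinforce.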

Real Examples

Now that I’ve given you some ideas for your phishing awareness emails, where do you start? It can be overwhelming trying to come up with effective messages since there’s so much information that’s important to include.

The first step is to break it down. Don’t try to cram all of these details into one email. No one’s going to read all of that. Research shows that it’s best not to go over 125 words in an email, and between 75 and 100 words is most effective. It isn’t necessary to stay within this range if it would compromise the importance of the message, but click-through rates decrease after 200 words.

So you’ll want to break up the information into several emails anyway. Let’s take a look at some options that you can use.

Example 2: What is Phishing?

Subject: If It Smells Fishy, It's Probably Phishing

Body:

Team,

With data breaches on the rise, I wanted to take the chance to remind you to stay vigilant against phishing attempts.

Hackers use fraudulent messages to trick people into giving up their data. The most common technique is email phishing. Hackers send messages that appear legitimate or look like they're from someone you trust so that you engage with the message or click on malicious links or attachments.

If something seems fishy...it's probably phishing. Here are some tips to keep in mind to avoid falling victim so that we protect our company and its data:

  • Double-check that the sender's email address matches who they claim to be
  • Don't click a link or download from someone you don't know, or weren't expecting
  • Don't reply to a suspicious email or message from an email you don't recognize
  • Inform the IT team of potential attempts

Thank you in advance for your vigilance,

[Your First Name]

This email summarizes what phishing is and explains the most common type of threat (email phishing). It also gives tips on what to watch for so that the recipients don't fall victim.
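The tips in that email (check the sender's address, be wary of unexpected links, don't reply) are also checks a triage script or mail gateway can run, and it helps to show employees what "the address doesn't match" looks like concretely. The following Python script is an added example, not code from the original article: it parses a raw message with the standard library's email package and flags a lookalike sender domain, a Reply-To pointing elsewhere, failed SPF/DKIM/DMARC results, links whose visible text shows a different host than the real target, and urgency language. ORG_DOMAIN and both sample messages are constructed for the example.

```python
import difflib
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"  # assumed: the organisation's own mail domain
URGENCY_WORDS = ("urgent", "right away", "immediately", "within 24 hours")

# Constructed sample: lookalike domain (examp1e), foreign Reply-To, failed auth,
# a link whose text shows the intranet but points elsewhere, and pressure to act.
SAMPLE_RAW = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: finance-desk@mail-relay.example.net
To: employee@example-corp.com
Subject: Urgent Task Request
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail header.from=examp1e-corp.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Are you at the office? Please review this document right away:</p>
<a href="http://portal-login.example.net/doc">https://portal.example-corp.com/shared/doc</a>
</body></html>
"""

# Constructed benign sample for comparison.
CLEAN_RAW = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: employee@example-corp.com
Subject: Lunch menu for Friday
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Menu is on the intranet:</p>
<a href="https://intranet.example-corp.com/menu">https://intranet.example-corp.com/menu</a></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower()


def check_message(raw):
    """Return the list of phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Does the sender's address really belong to who it claims to be?
    from_domain = _domain(msg["From"].addresses[0].addr_spec)
    if from_domain != ORG_DOMAIN:
        similarity = difflib.SequenceMatcher(None, from_domain, ORG_DOMAIN).ratio()
        kind = "lookalike" if similarity > 0.8 else "external"
        findings.append(f"{kind} sender domain: {from_domain}")

    # 2. Replies silently routed to a different domain than the From address.
    if msg["Reply-To"]:
        reply_domain = _domain(msg["Reply-To"].addresses[0].addr_spec)
        if reply_domain != from_domain:
            findings.append(f"reply-to domain differs: {reply_domain}")

    # 3. Gateway authentication results: anything other than pass is a flag.
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg["Authentication-Results"] or "")):
        if result != "pass":
            findings.append(f"{mech}={result}")

    # 4. Links whose visible text shows one host while the href goes to another.
    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(text).hostname if text.startswith("http") else None
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but goes to {real_host}")

    # 5. Pressure to act now, the attacker's favourite lever.
    haystack = (str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    if any(word in haystack for word in URGENCY_WORDS):
        findings.append("urgency language")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(label, check_message(raw))
```

The lookalike test is deliberately fuzzy (difflib ratio above 0.8) because registered lookalikes such as a digit 1 for a letter l are exactly the ones a human skims past; a gateway would use a curated list of your own domains and brands instead of one constant.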

Example 3: The Cost of Phishing

Subject: $1.52 Million in Lost Business

Body:

Team,

I know what you might be wondering.

"How did we lose that much business?!"

Well, we didn't lose that much yet. With your help, we never will. Breaches cost an average of $1.52 million in lost business. And a phishing attack costs an average of $4.65 million.

Because of these steep financial losses, we need to remain vigilant against phishing attempts. If you suspect any unusual activity, especially in your inboxes, please notify the IT team or management immediately. Remember, do not engage with any suspicious messages until we deem them safe.

Thank you for your cooperation,

[Your First Name]

This message uses shock value to grab employees’ attention. The subject line takes the recipient by surprise. We lost how much business?!

Then, the message goes into explaining the cost of falling victim to a phishing attack. This emphasizes why it’s important to be cautious against attacks and watch out for threats.

Example 4: Active Attempt Alert

Subject: Active Phishing Attempt

Body:

Team,

This morning, we received the following phishing attempt:

[Insert screenshot of phishing attempt here]

Luckily, one of our team members recognized that this was a suspicious email and immediately notified our IT team. Hackers often make multiple attempts to compromise company data.

Please be on guard against phishing attacks in general. I have blocked the sender's domain from sending us more emails. Should you receive a suspicious email, DO NOT engage with these messages, DO notify our team, and DO delete them from your inbox.

Thank you,

[Your First Name]

In the example above, administrators emailed the team to warn them about an active attempt. An employee noticed a phishing scam in her inbox, so she informed management. They then sent an email to the entire team, just in case the hackers were targeting other employees.

That way, everyone on the team knows that there are messages they need to watch out for. And it's a nice reminder to always stay cautious, since anyone can become a target. One caveat on the "blocked the domain" line: attackers switch sending domains cheaply, so blocking the sender only buys a little time. Also block the link or attachment the message carried, and check the mail logs for everyone else who received it and whether any of them clicked, so that the warning (and any password resets) go to the right people.
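Scoping a reported attempt across the mail and proxy logs is what turns a single report into a useful all-team alert: it tells you who else received the message, who already clicked, and what to block. The following Python script is an added example, not part of the original article; it pivots on two indicators from the reported message (sender domain and the link's host) over constructed gateway and proxy logs in an assumed format, and deliberately catches a second message from a rotated sender domain that reused the same landing host.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed mail-gateway message trace (CSV) for a hypothetical incident.
MAIL_LOG = """\
ts,sender,recipient,subject,url_host,action
2024-03-04T08:55:01Z,jane.doe@examp1e-corp.com,alice@example-corp.com,Urgent Task Request,portal-login.example.net,delivered
2024-03-04T08:55:02Z,jane.doe@examp1e-corp.com,bob@example-corp.com,Urgent Task Request,portal-login.example.net,delivered
2024-03-04T08:55:03Z,jane.doe@examp1e-corp.com,carol@example-corp.com,Urgent: Task Request,portal-login.example.net,delivered
2024-03-04T08:55:04Z,jane.doe@examp1e-corp.com,dave@example-corp.com,Urgent Task Request,portal-login.example.net,quarantined
2024-03-04T09:20:15Z,accounts@examp1e-corp.co,erin@example-corp.com,Invoice 4471,portal-login.example.net,delivered
2024-03-04T09:30:00Z,newsletter@vendor.example.org,alice@example-corp.com,March update,www.vendor.example.org,delivered
"""

# Constructed web-proxy log: <ts> <user> <method> <url> <status>
PROXY_LOG = """\
2024-03-04T09:02:05Z bob@example-corp.com GET http://portal-login.example.net/doc 200
2024-03-04T09:31:10Z alice@example-corp.com GET https://www.vendor.example.org/march 200
"""


def indicators_from_report(sender, link):
    """Turn the reported message's sender and link into the indicators to pivot on."""
    return {
        "sender_domain": sender.rsplit("@", 1)[-1].lower(),
        "url_host": (urlparse(link).hostname or "").lower(),
    }


def scope_campaign(mail_log, proxy_log, ind):
    """Find everyone who received a matching message and anyone who visited the link."""
    recipients, sender_domains = set(), set()
    for row in csv.DictReader(io.StringIO(mail_log)):
        sender_domain = row["sender"].rsplit("@", 1)[-1].lower()
        # Match on sender domain OR landing host: attackers rotate sending domains,
        # but the landing page usually stays the same for the whole campaign.
        if sender_domain == ind["sender_domain"] or row["url_host"].lower() == ind["url_host"]:
            sender_domains.add(sender_domain)
            if row["action"] == "delivered":  # quarantined copies never reached anyone
                recipients.add(row["recipient"])

    clicked = set()
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) == 5 and (urlparse(parts[3]).hostname or "").lower() == ind["url_host"]:
            clicked.add(parts[1])

    return {
        "notify": sorted(recipients),                       # who needs the warning email
        "clicked": sorted(clicked & recipients),            # who needs a password reset and triage
        "block": sorted(sender_domains) + [ind["url_host"]],  # gateway and proxy blocklist
    }


if __name__ == "__main__":
    ind = indicators_from_report("jane.doe@examp1e-corp.com", "http://portal-login.example.net/doc")
    print(scope_campaign(MAIL_LOG, PROXY_LOG, ind))
```

In the sample, the "Invoice 4471" message from a different lookalike domain is caught only because it shares the landing host; a block on the first sender domain alone would have missed it.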

Conclusion

Because of the financial and business costs of a phishing attempt, staff must know how to identify and avoid these threats.

Email phishing campaigns are the most common technique by cybercriminals, and they’re the second-costliest type of breach.

But falling for these threats isn't inevitable. As with anything in cybersecurity, training is necessary. And you can continue to offer this training through phishing awareness emails that you send to your employees.

That way, they continue to get reminders of how to recognize attempts and avoid falling for scams. With just a little bit of effort, providing these details to employees helps them prevent these threats so they can keep your company data safe.


FAQs

What email do you send phishing emails to?

If you got a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. If you got a phishing text message, forward it to SPAM (7726). Then report the phishing attack to the FTC at ReportFraud.ftc.gov.

What is a phishing email example?

The cyber criminal knows the victim made a recent purchase at Apple, for example, and sends an email disguised to look like it is from Apple customer support. The email tells the victim that their credit card information might have been compromised and asks them to confirm their credit card details to protect their account.

What is a common indicator of a phishing attempt (Cyber Awareness 2022)?

Spelling errors. Of course, everyone makes a spelling or grammar mistake from time to time, but phishing attempts are often riddled with them. If an email in your inbox contains several of the indicators on this list and is also riddled with unusual spelling and grammatical errors, it's probably a scam.

How many phishing emails are there?

An analysis of more than 55 million emails reveals that one in every 99 emails is a phishing attack. Even scarier, studies show that 25% of these emails sneak into Office 365, one of the most widely used office suites in the world, with over 60 million commercial users.

What is a phishing campaign?

A phishing campaign is an email scam designed to steal personal information from victims. Cybercriminals use phishing, the fraudulent attempt to obtain sensitive information such as credit card details and login credentials, by disguising themselves as a trustworthy organization or reputable person in an email communication.

Why is phishing so successful?

Such new-age phishing attacks are effective and difficult to detect, as the malicious email or message is convincing and impersonates a trusted source known to the target. Although many organisations provide cyber awareness training for their staff, attackers are able to bypass human defences in various ways.

What are examples of phishing attacks?

A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible. The email claims that the user's password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.

How do phishing emails work?

In a phishing attack, the bait often appears as a compelling email. Attackers go to great lengths to ensure that their emails appear as legitimate as possible. These emails most commonly direct target recipients to an attacker-controlled website that delivers malware or intercepts user credentials.

What are four common indications that an email is a phishing attempt?

  • Suspicious sender's address. The sender's address may imitate a legitimate business.
  • Generic greetings and signature.
  • Spoofed hyperlinks and websites.
  • Spelling and layout.
  • Suspicious attachments.

What is the Ghost Phisher tool?

Ghost Phisher is a wireless network audit and attack tool that creates a fake access point for a network, which fools a victim into connecting to it. It then assigns an IP address to the victim. The tool can be used to perform various attacks, such as credential phishing and session hijacking.

What is King Phisher?

King Phisher is a tool for testing and promoting user awareness by simulating real-world phishing attacks. It features an easy-to-use yet very flexible architecture allowing full control over both emails and server content.

Who are the targets of phishing attacks?

Phishing may target every industry and individual, from a business executive to a home social network member or an online banking customer. This is why it's imperative to take preventive measures against phishing and be very careful about what you do online.

What is the difference between spam and phishing?

Spam is unsolicited email, instant messages, or social media messages. These messages are fairly easy to spot and can be damaging if you open or respond. Phishing is an email sent by an Internet criminal disguised as an email from a legitimate, trustworthy source.

What are the three types of phishing emails?

  • Spear phishing. Spear phishing involves targeting a specific individual in an organization to try to steal their login credentials.
  • Vishing. Vishing, short for "voice phishing," is when someone uses the phone to try to steal information.
  • Email phishing.

What is the SLAM method?

In phishing awareness, SLAM is a four-point checklist for inspecting a message: Sender (does the address really belong to who it claims to be?), Links (hover to see where they actually go), Attachments (were you expecting one, and is the file type sensible?), and Message (do the wording, tone and request make sense coming from that sender?).

What are two common spam indicators?

The email has misspelled words or punctuation errors, or both, and the email contains keywords chosen to prompt a response.

How do you know if you have been phished?

  • Suspicious messages, emails and social posts containing shortened links.
  • Web pages that ask for login credentials.
  • Suspicious emails with uncharacteristic language.
  • Web pages with suspicious or copycat URLs.

What is a secure email gateway?

Secure Email Gateways (SEGs) are an email security solution that sits inline on the path email takes from the public Internet to the corporate email server. This position allows it to inspect email for malicious content before it reaches corporate systems.

How many employees must fall for a phish to compromise a company?

One key fact to remember when it comes to protecting against phishing attacks: all it takes is one employee to take the bait. In a company with, say, 1,000 employees, that's 1,000 possible attack vectors. The IT department can set up inbound spam filtering and outbound web filtering.

How many spam emails are sent per day?

The number of daily spam messages oscillates regularly, and the latest spam traffic statistics show that it's currently declining. Between June 2020 and January 2021, the average daily spam volume dropped from 316.39 billion to just over 122 billion.

How many emails are sent per day?

Today, approximately 333.2 billion emails are sent per day, which works out at well over 3.5 million emails per second.

What is phishing in simple words?

Phishing: the practice of tricking Internet users (as through the use of deceptive email messages or websites) into revealing personal or confidential information which can then be used illicitly.

What is trap phishing?

Trap phishing is a term used to describe phishing attempts that try to trap or trick the user into downloading malware or clicking on a link to malware.

Why is phishing a concern for organizations?

Phishing emails can reach millions of users directly, and hide amongst the huge number of benign emails that busy users receive. Attacks can install malware (such as ransomware), sabotage systems, or steal intellectual property and money. Phishing emails can hit an organisation of any size and type.

Why is it important to prevent phishing?

Phishing persuades you to take an action which gives a scammer access to your device, accounts, or personal information. By pretending to be a person or organization you trust, they can more easily infect you with malware or steal your credit card information.

Why is phishing a problem?

Cyber criminals use phishing emails because it's easy, cheap and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and cost, attackers can quickly gain access to valuable data.

What is phishing and what are its types?

Types of phishing attacks range from classic email phishing schemes to more inventive approaches such as spear phishing and smishing. All have the same purpose: to steal your personal details. Examples include spear phishing, whaling and vishing.

Is phishing only done through email?

Phishing attacks can occur through email, phone calls, texts, instant messaging, or social media. Attackers are after your personal information: usernames, passwords, credit card information, Social Security numbers. However, they are also after intellectual property, research data, and institutional information.

What are the clues to identify a phishing email?

The best defense is awareness and knowing what to look for. Here is one way to recognize a phishing email: an urgent call to action or threats. Be suspicious of emails that claim you must click, call, or open an attachment immediately. Often, they'll claim you have to act now to claim a reward or avoid a penalty.

What must you do if you receive an unexpected email?

Report the email to:
  • Your company.
  • Your email provider.
  • A government body.
  • The organization the email is allegedly from.

How do you know if you opened a phishing email?

Check if the email is authenticated. See if the email address and the sender name match. On a computer, you can hover over any links before you click on them. If the URL of the link doesn't match the description of the link, it might be leading you to a phishing site.

How do I report spam emails?

If you get an unwanted email, forward unwanted or deceptive messages to your email provider (like Gmail, Hotmail, or Yahoo). Most email services include buttons to mark messages as junk mail or report spam.

What is the best way to validate a legitimate email vs. a phishing email?

Look for inconsistencies in email addresses, links and domain names. Check whether a link is legitimate by hovering the mouse pointer over it to see where it really goes. If an email allegedly originates from (say) Google, but the domain name reads something else, report the email as a phishing attack.

What is the best defense against phishing?

Training all users to be cautious is the best defense against phishing, but also ensure that they know the IT team is accessible and would rather investigate emails they think are suspicious than have to backtrack and remediate a phishing incident.

How do I report a scam email to the authorities?

The Federal Trade Commission (FTC) is the main agency that collects scam reports. Report the scam to the FTC online, or by phone at 1-877-382-4357 (9:00 AM - 8:00 PM, ET).

What is the purpose of phishing?

The vast majority of the time, the purpose of a phishing attack is to steal data, money, or both.

Should you delete phishing emails?

To protect yourself from phishing scams sent through e-mail, if an email looks suspicious, don't risk your personal information by responding to it. Delete junk email messages without opening them. Sometimes even opening spam can alert spammers or put an unprotected computer at risk.

Why shouldn't you reply to phishing emails?

PhishLabs warns that replying to a phishing email, even if you know it's a scam, can lead to further attacks. Most phishing campaigns are automated, and replying to them puts you on a scammer's radar. PhishLabs stresses that these people are criminals, and that they can be vindictive or even dangerous.

Which of the following helps identify a potential phishing email?

Spelling mistakes and poor grammar are common indicators of phishing emails. Most companies use professional copywriters, or at least a spelling checker, to review official emails before sending them. Therefore, emails sent from professional sources should be free of grammar and spelling errors.

Why do hackers use phishing emails?

These messages aim to trick the user into revealing important data, often a username and password that the attacker can use to breach a system or account.

What is best defined as a phishing email that is targeted directly at you?

Spear phishing is a phishing method that targets specific individuals or groups within an organization.
