Article

Distracted by Phishing: 5 Steps Employees Can Take to Reduce Cyber Risk

By Rex Johnson

As we head to the other side of the pandemic, we can look back and see a year marked by a number of major cybersecurity events. The FBI reported that cybercrime increased by 300% in 2020. Cybercriminals were even successful in compromising well-known technology firms like Microsoft, FireEye, and SolarWinds. Even the most advanced organizations, including cybersecurity companies, are not immune to attacks.

According to global cyber education company Cybint, 95% of cybersecurity breaches occur due to human error. Even with security awareness training becoming more commonplace, mistakes still happen. As humans, we are all prone to distraction, and it only takes one click to expose a company to risk. It’s important to give employees the tools they need to understand the risks and the role they play as a key part of a company’s defense.

Studies show that one critical step is to minimize multi-tasking and, if possible, to avoid responding to email while attending meetings, trainings, or other online activities.

This is a huge challenge for many of us. Our days get busy, and the emails pile up. But if individuals are not careful, relatively simple actions made while distracted can add up to undue risk exposure for a company. After all, the intent of a social engineering attack is to exploit the mistakes workers make by just being human. Many phishing attempts are designed to elicit a response out of fear, excitement, or another strong emotion.

Here is an example of a successful phishing campaign. You receive an email that your boss has completed your evaluation. It contains a link to log in and view the results. With a little investigation of your website, LinkedIn, or some other open sources, a hacker can find out the name of your boss and even include it in the email. Once you access the link, you go to a fake site and reveal your credentials.

In most workplaces, multi-tasking is the norm. Many office cultures even tacitly encourage it – or at least are resigned to the fact that employees go through emails while they are attending meetings or conference calls. An article last year in Infosecurity Magazine stated that 47% of those surveyed claimed that distraction was the primary reason for falling for a phishing scam. A similar study showed that 47% of respondents in the technology industry and 45% of those in the banking industry have clicked on links in phishing emails.

Here are some tips to help encourage more security-minded habits across the workplace – from the C-suite on down:

  1. If you see an email that intrigues you, such as an evaluation from your boss, set that email aside to read later. Many email applications include a feature that allows you to flag a given email for follow-up (today, tomorrow, etc.). You don’t have to respond right away.
  2. Once you are out of the meeting you can go back and re-read the email without clicking any links or opening any files. If you get a lot of emails, maybe even set aside time to dedicate to reading emails.
  3. Examine carefully who the email is from. Although you may recognize the name, the email address (which includes a name, server name, and domain) may be different. For example, in “Robert Smith <manager@yourcompany.com>”, Robert Smith may be your boss, but if you look closely, you’ll notice that his address is not “manager.”
  4. If possible, contact the person you think originated the email or the action required in the email before acting on the email. This can confirm its legitimacy before you take any action.
  5. If your company has a phish alert option on the email, click it. If the email did come from a legitimate source and is important, they will notify you and resend it.
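Tip 3 above is a check that can also be automated at the mail gateway or in a mailbox rule: split the display name from the actual address, compare the address against what the directory says for that name, and flag domains that only resemble the company’s own. The following Python is an added example, not code from the article or from CAI; the company domain “yourcompany.com” comes from the article, while the sender directory, the sample headers, and the list of look-alike character swaps are constructed for illustration.

```python
import email.utils

# Constructed sample data for this example (assumption: the company keeps a
# directory of known senders; "yourcompany.com" is the domain used in the article).
COMPANY_DOMAIN = "yourcompany.com"
KNOWN_SENDERS = {
    "robert smith": "robert.smith@yourcompany.com",
}

# Character sequences commonly swapped to build look-alike domains (constructed list).
_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def _normalize(domain: str) -> str:
    """Collapse look-alike sequences so 'yourcornpany.com' compares equal to 'yourcompany.com'."""
    d = domain.lower()
    for seq, repl in _CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def check_from_header(raw_from: str) -> list[str]:
    """Return findings for one From: header value; an empty list means nothing looked off."""
    name, addr = email.utils.parseaddr(raw_from)
    addr = addr.lower()
    _, at, domain = addr.rpartition("@")
    if not at or not domain:
        return ["address could not be parsed"]

    findings = []

    # 1. A familiar display name attached to an address the directory does not list for it.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and expected != addr:
        findings.append(f"display name '{name}' is known, but address is {addr}, not {expected}")

    # 2. The display name itself looks like an address; mobile clients often show only the name.
    if "@" in name:
        findings.append("display name contains an email address")

    # 3. The domain is not the company's own; look-alikes are reported separately.
    if domain != COMPANY_DOMAIN:
        if _normalize(domain) == _normalize(COMPANY_DOMAIN):
            findings.append(f"domain '{domain}' is a look-alike of {COMPANY_DOMAIN}")
        else:
            findings.append(f"domain '{domain}' is external")

    return findings


def is_suspicious(raw_from: str) -> bool:
    """True when any finding was raised for the header."""
    return bool(check_from_header(raw_from))


if __name__ == "__main__":
    # Constructed sample headers, including the article's own example.
    samples = (
        "Robert Smith <robert.smith@yourcompany.com>",
        "Robert Smith <manager@yourcompany.com>",
        "Robert Smith <robert.smith@yourcornpany.com>",
        '"robert.smith@yourcompany.com" <someone@mail.example>',
    )
    for sample in samples:
        print(sample, "->", check_from_header(sample) or "ok")
```

The article’s own example, “Robert Smith <manager@yourcompany.com>”, produces exactly one finding: the name is known, but the address is not the one on file. A gateway rule built on this would add a banner to the message or route it to the phish-alert queue mentioned in tip 5 rather than block it outright, since a legitimate sender using a new address would otherwise be lost.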

If you do fall for a phishing attempt, there are some things you can do right away to minimize the impact. First, immediately change your password. And second, notify your IT or security group about what happened.

When changing your password, consider using passphrases instead of single words. Passphrases are a string of words used to authenticate a user to a system. They are generally easier to remember, and much harder for a malicious user to guess or crack. The FBI has suggested that the “extra length of a passphrase makes it harder to crack while also making it easier to remember.”

Even though we may get ahead of this pandemic, cyber-attacks are not going away anytime soon. By minimizing our distractions and setting up a specific time to respond to emails, we can reduce the risk of being the next victim.

Rex Johnson

Director, Solution Delivery, CAI