Over 3.4 billion phishing emails are sent out to unsuspecting recipients daily. At this rate, over 1 trillion email scams are deployed in one calendar year.
The sheer enormity of these numbers makes it easier to understand how and why employees become victims of phishing email scams.
The typical employee inbox is overflowing with messages from colleagues, partners, friends, family, third-party providers, newsletters, company promotions, and, hidden among those, cyber criminals. Compounding this is the busy workday and the pressure to read and act upon every email.
This scenario is precisely why you need to remind employees to report phishing messages and immediately let you know if someone attempts to phish them or if they have fallen victim to an email scam.
But to be able to flag phishing attempts, you need to give employees actionable information on how to report an email scam. Read on, and we’ll discuss phishing, the signs to look for, and how to report it.
What is Phishing?
Phishing is a cyber crime that uses email scams, websites, and text messages to steal confidential personal and corporate information.
Savvy email scams trick employees into providing personal information such as their date of birth, address, credit card details, account passwords, and social insurance number.
Using social engineering techniques, cyber criminals write convincing emails that trick email scam victims into believing that the phishing email is legitimate.
Phishing happens when an unsuspecting victim responds to a fraudulent request, such as an email that demands action. This action can include downloading an attachment, clicking a link, filling out a form, updating a password, or confirming credit card details.
How To Recognize an Email Scam
To recognize an email scam, remind employees that there are six key indicators that the email in their inbox is an email scam and should not be trusted or clicked.
[Image: the six indicators of an email scam. Source: Otago Blogs]
The six biggest indicators of an email scam are:
1. Sender
Cyber criminals know that people are busy and don't look closely at who has sent them an email. These criminals also know that people are conditioned to trust, making it easy to trick people into believing that the email must be legitimate because they recognize the sender.
- The email sender's name and email address are very easy to fake.
- Just because you know the person who sent the email doesn't mean it's safe.
Remind employees to carefully inspect the spelling of the sender's name and email address. Tell employees to hover their mouse pointer over the email sender's name and check that the name and email address are legitimate.
2. Salutation
Emails are typically personalized and do not use vague salutations such as "Dear Client," "Dear Customer," or "To Whom It May Concern." These greetings should raise suspicion, especially if the email has come from someone you know or a company you've previously worked with.
3. Content
Cyber criminals know how to write emails using savvy social engineering techniques that trick people into taking action and believing that they're doing the right thing by responding. Remind employees to pay attention to these content clues that the email is a scam:
- Poor grammar, spelling, or strange sentence structure.
- It uses urgent and compelling language to create a sense of panic, convincing the target to take action. For example, the account will be locked if the recipient does not respond immediately.
- The email asks for confidential personal or corporate information. Many cyber criminals send emails masquerading as a bank, major online retailer, or government institution that ask the recipient to confirm account, credit card, or social insurance number details. No legitimate organization will ask for this information through email.
- A password reset is required immediately because the company has been hacked or the database has become corrupt.
- It contains low-quality graphics, fuzzy images, stock photos, unusual formatting, and strange font choices.
4. Link or Button
Phishing email scams typically include a link or button that takes the recipient to a spoofed website. The spoofed site looks real, but its domain name is not legitimate. For example, a cyber criminal might recreate the Amazon account page, but the URL is amazon.accountsupdate.ca instead of amazon.ca/gp/css/homepage.html: the word "amazon" appears only as a subdomain of a domain the criminal controls. Remind employees never to click a link or button in an email. Instead, they should open a new browser tab and manually enter the URL for the website or use a bookmark.
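The two indicators above that lend themselves to automated checking are the sender (indicator 1) and the link domain (indicator 4). The following Python script is an added example, not part of the original article or any product it mentions, that applies both checks to a constructed sample message: it parses the From: header, compares the sender's registered domain with the expected one, and flags links whose host merely mentions a brand as a subdomain (the amazon.accountsupdate.ca pattern) or whose visible text names a different host than the href. The brand allow-list, the sample headers and body, and the short list of multi-part country suffixes are all constructed for illustration.

```python
"""Heuristic sender and link checks for the phishing indicators discussed above.
Added example using only the Python standard library; all sample data is constructed."""
import re
from email.utils import parseaddr
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed allow-list (hypothetical): brand keyword -> registered domains that
# genuinely belong to that brand.
KNOWN_BRANDS: Dict[str, Set[str]] = {
    "amazon": {"amazon.ca", "amazon.com"},
}

# A tiny stand-in for a public-suffix list; real deployments should use a
# maintained list rather than this constructed subset.
_MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. amazon.accountsupdate.ca -> accountsupdate.ca."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender(from_header: str, expected_domain: str) -> List[str]:
    """Warnings about the From: header: wrong domain, or a display name that
    itself contains an address from a different domain."""
    warnings: List[str] = []
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    actual_domain = registered_domain(addr.split("@", 1)[1])
    if actual_domain != expected_domain.lower():
        warnings.append(f"sender domain {actual_domain!r} is not {expected_domain!r}")
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if embedded and registered_domain(embedded.group(1)) != actual_domain:
        warnings.append("display name contains an address from a different domain")
    return warnings


_ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_HOSTLIKE_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")


def check_links(html_body: str) -> List[str]:
    """Warnings about anchors in an HTML body: brand name used as a subdomain of
    an unrelated registered domain, or link text that names a different host."""
    warnings: List[str] = []
    for href, text in _ANCHOR_RE.findall(html_body):
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        reg = registered_domain(host)
        for brand, domains in KNOWN_BRANDS.items():
            if brand in host and reg not in domains:
                warnings.append(f"link to {host} mentions {brand} but is registered as {reg}")
        shown = _HOSTLIKE_RE.match(re.sub(r"<[^>]+>", "", text).strip())
        if shown and registered_domain(shown.group(1)) != reg:
            warnings.append(f"link text shows {shown.group(1)} but points to {host}")
    return warnings


def analyse(from_header: str, html_body: str, expected_sender_domain: str = "amazon.ca") -> List[str]:
    """Combine both checks; an empty list means neither heuristic fired."""
    return check_sender(from_header, expected_sender_domain) + check_links(html_body)


# Constructed sample message modelled on the article's example.
SAMPLE_FROM = '"Amazon Customer Service" <support@amazon.accountsupdate.ca>'
SAMPLE_BODY = """<p>Your account will be locked in 24 hours.</p>
<a href="https://amazon.accountsupdate.ca/ap/signin">amazon.ca/gp/css/homepage.html</a>
<a href="https://www.amazon.ca/help">Help</a>"""

if __name__ == "__main__":
    for warning in analyse(SAMPLE_FROM, SAMPLE_BODY):
        print("WARNING:", warning)
```

Run against the sample message, the script raises three warnings: the sender's registered domain is accountsupdate.ca rather than amazon.ca, the sign-in link mentions amazon but is registered under accountsupdate.ca, and the link text shows amazon.ca while the href points at amazon.accountsupdate.ca. The genuine www.amazon.ca help link passes. The registered-domain function is the deliberately simple core of the idea: the trailing labels decide who owns a host, not the labels at the front.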
5. Attachment
Cyber criminals use attachments to install malware on the computer and potentially on the corporate network. This malware can then lock the computer or the entire network, install software that records keystrokes and passwords, or encrypt files and demand a ransom for their return. Remind employees never to open unexpected email attachments or unknown USB keys, and to avoid enabling macros in productivity documents.
6. Contact Information
Legitimate organizations and people want a response, and they make it easy for the recipient to contact them. Pay close attention to the signature block, look for a phone number and address, and confirm that the email address shown there matches the sender's.
Remind employees that when in doubt, contact the sender to validate the request using contact information from a trusted source (e.g., the official website), not the email itself.
Reinforce to employees that it's better to be safe than sorry. During your cyber security awareness training, make it clear that you want employees to be suspicious of the emails they receive.
Most importantly, build an environment where they feel comfortable reporting something even after they've clicked. This simple action helps in quicker incident response and can significantly help contain the damage.
How to Report a Phishing Email
To report an email scam, do the following:
Report the email scam to your IT department and manager
Ensure employees are aware of the corporate security policy on reporting an email scam. As part of your ongoing cyber security awareness campaign, remind employees through email newsletters, posters, and other communication tools to report email scams and who they should contact.
Report the email scam to the email provider
[Image: reporting a phishing email in a mail client. Source: Lifescience Global]
Most email providers have built-in mechanisms that make it easy to report an email scam. The report phishing button can be enabled in Outlook, Gmail, Yahoo!, and other email clients. If employees are checking their personal email at work, make sure they have enabled the report phishing button and remind them that you want them to be proactive against phishing (even in their personal inbox).
Report the email scam to a governing body
Most countries have a governing body that deals with phishing email scams. In the United States, the email can be sent to the Cybersecurity and Infrastructure Security Agency. In Canada, report the email to the Canadian Anti-Fraud Centre. In the United Kingdom, report the email scam to the National Fraud and Cyber Crime Reporting Centre.
Mark the sender as junk or spam
Add the sender to the junk or spam list in the email client. This forwards emails from this sender to the junk/spam folder, keeping them out of the primary email inbox.
Delete the email
Delete the email and then empty the trash folder.

Your users must know what to do when they receive a phishing email. Make it easy for them to report the email and remind them they're doing the right thing.
See How Well Your Employees Can Spot Phishing Email Scams
Your employees are your first line of defense against cyber crimes. Our 2023 Gone Phishing Tournament revealed important and shocking information about how enterprises perform in phishing simulations.