Over 3.4 billion phishing emails are sent every day, which adds up to more than one trillion email scams per year. These numbers make it easier to understand how and why employees become victims of phishing email scams.
The typical email inbox is overflowing with emails from colleagues, partners, friends and family, third-party providers, newsletters, company promotions, and hidden among those, some from cybercriminals. Compounding this is the overly busy workday and the pressure to read and act upon every single email.
And this is exactly why you need to give employees actionable information on how to report an email scam. As part of your phishing awareness training, you need to remind employees that you want them to report phishing emails and to immediately let you know if they have fallen victim to an email scam.
How To Report an Email Scam
To report an email scam, do the following:
Report the email scam to your IT department and manager
Make sure employees are aware of the corporate security policy on how to report an email scam. As part of your ongoing cyber security awareness campaign, remind employees through email newsletters, posters, and other communication tools of how to report email scams and who they should contact.
Report the email scam to the email provider
Most email providers have built-in mechanisms that make it easy to report an email scam. A report phishing button can be enabled in Outlook, Gmail, Yahoo! and other email clients. In a corporate mailbox the button typically forwards the message, with its full headers intact, to the security team, which is exactly what they need to investigate.
If employees are checking their personal email at work, make sure they have enabled the report phishing button and remind them that you want them to be proactive against phishing (even in their personal inbox).
Report the email scam to a governing body
Most countries have a governing body that accepts reports of phishing email scams. In the United States, the email can be reported to the Cybersecurity and Infrastructure Security Agency (CISA). In Canada, report the email to the Canadian Anti-Fraud Centre. In the United Kingdom, report the email scam to Action Fraud, the National Fraud and Cyber Crime Reporting Centre.
Mark the sender as junk or spam
Add the sender to the junk or spam list in the email client. This then sends any further emails from this sender to the junk/spam folder, keeping them out of the primary email inbox. Because sender addresses are easy to forge, expect this to stop only that one address; reporting the message is what lets the mail gateway block the whole campaign.
Delete the email
Delete the email and then empty the trash folder. Do this only after the message has been reported: the IT or security team may need the original message, including its headers, to investigate.
It is very important that your employees know what to do when they receive a phishing email. Make it easy for them to report the email and remind them that they’re doing the right thing.
What is Phishing?
To report a phishing email, first you need to know what is phishing and how to recognize one. Phishing is a cybercrime that uses tactics including email scams, websites, and text messages to steal confidential personal and corporate information.
Savvy email scams trick employees into providing personal information such as their date of birth, address, credit card details, account passwords, and social insurance number. Using social engineering techniques, cybercriminals write convincing emails that trick email scam victims into believing that the phishing email is legitimate.
Phishing happens when an unsuspecting victim responds to a fraudulent request, such as an email that demands action. This action can include downloading an attachment, clicking a link, filling out a form, updating a password, or confirming credit card details.
Because many people do not know what the signs of a phishing email are, it’s very easy in the midst of a busy workday to become a victim of an email scam. This underscores the importance of providing employees with phishing awareness training and education. Watch Why Go Phishing? Build Your Business Case For Phishing Awareness and learn how to build a business case for phishing awareness.
How To Recognize An Email Scam
To recognize an email scam, remind employees that there are six key indicators that the email in their inbox is an email scam and should not be responded to, trusted, or clicked.
Six key indicators of an email scam: the sender, the salutation, the content, links or buttons, attachments, and the contact information.
Sender
Cybercriminals know that people are busy and don’t take a close look at who has sent them an email. These criminals also know that people are conditioned to trust, making it easy to trick people into believing that because they recognize the sender, the email must be legitimate.
- The email sender name and email address are very easy to fake.
- Just because you know the person who sent the email, doesn’t mean it’s safe.
Remind employees to carefully inspect the spelling of the sender’s name and the email address. Tell employees to hover their mouse pointer over the email sender name and check that the name and the underlying email address match and are legitimate. Hovering reveals the address the client displays, which can itself be forged; the sender domain is only trustworthy when the message passes SPF, DKIM and DMARC checks, which the mail gateway, not the employee, should enforce.
Salutation
Legitimate emails are typically personalized and do not use vague salutations such as “Dear Client”, “Dear Customer”, or “To Whom It May Concern”. A vague salutation should raise suspicion, especially if the email appears to come from someone you know or a company you’ve previously worked with.
Content
Cybercriminals know how to write emails using savvy social engineering techniques that trick people into taking action and into believing that by responding, they’re doing the right thing.
Remind employees to pay attention to these content clues that the email is a scam:
- Poor grammar, spelling, or strange sentence structure.
- Uses urgent and compelling language to create a sense of panic and push the recipient into acting. For example, the account will be locked if the recipient does not respond immediately.
- The email asks for confidential personal or corporate information. Many cybercriminals send emails masquerading as a bank, major online retailer, or government institution that ask the recipient to confirm account, credit card, or social insurance number details. No legitimate organization will ask for this information through email.
- A password reset is required immediately because the company has been hacked or the database has become corrupt.
Link or Button
Phishing email scams typically include a link or button that takes the recipient to a spoofed website. This faked website looks real; however, the domain name is not legitimate. For example, a cybercriminal might recreate the account page for Amazon, but the URL is amazon.accountsupdate.ca instead of amazon.ca/gp/css/homepage.html. The part that matters is the registered domain, which here is accountsupdate.ca; “amazon” is only a subdomain label that the attacker controls, and anything to the left of the registered domain can be set to whatever the attacker wants.
Remind employees never to click a link or button in an email. Instead, they should open a new browser tab and manually enter the URL for the website, or use a bookmark.
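A small checker for two of the indicators above, the sender address and the link target, as an added example that is not code from the original page or from any vendor it mentions. It assumes a constructed brand-to-domain table and a tiny stand-in for the public suffix list (both labelled in the code); a real deployment would use a maintained suffix list and your own vendor inventory. It generalizes the amazon.accountsupdate.ca case: any brand name that appears in the display name, sender address, hostname or URL path while the registrable domain is one the brand does not own is flagged, as are display names that themselves look like an email address and links that point at a raw IP address.

```python
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: a tiny stand-in for the Public Suffix List.
# Production code should use a maintained list (e.g. the tldextract package).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed for this example: brands and the registrable domains they actually use.
# In practice, build this table from your own vendor inventory.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.ca", "amazon.co.uk"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname.

    'amazon.accountsupdate.ca' -> 'accountsupdate.ca'
    'www.amazon.co.uk'         -> 'amazon.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brands_mentioned(text: str) -> set:
    """Brand names that appear anywhere in the text (case-insensitive)."""
    t = text.lower()
    return {b for b in BRAND_DOMAINS if b in t}


def check_sender(from_header: str) -> list:
    """Findings for a From: header; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parsable sender address"]
    addr_domain = registrable_domain(addr.split("@", 1)[1])
    findings = []
    # A display name that itself looks like an address ("ceo@corp.example <x@gmail.com>")
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and registrable_domain(m.group(1)) != addr_domain:
        findings.append(f"display name shows {m.group(0)} but real address is {addr}")
    # A brand named in the display name or address, but sent from a domain the brand does not own
    for brand in sorted(brands_mentioned(name) | brands_mentioned(addr)):
        if addr_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"mentions {brand} but sender domain is {addr_domain}")
    return findings


def check_link(url: str) -> list:
    """Findings for a link target; an empty list means nothing suspicious."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return ["link has no hostname"]
    try:
        ipaddress.ip_address(host)
        return [f"link points at a raw IP address {host}"]
    except ValueError:
        pass  # not an IP literal, carry on with domain checks
    findings = []
    link_domain = registrable_domain(host)
    if parsed.scheme != "https":
        findings.append(f"link is not https ({parsed.scheme})")
    # A brand in the host or path while the registrable domain belongs to someone else
    for brand in sorted(brands_mentioned(host) | brands_mentioned(parsed.path)):
        if link_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"looks like {brand} but the domain is {link_domain}")
    return findings


if __name__ == "__main__":
    # Constructed samples, not real messages
    for hdr in ['"Amazon Support" <help@amazon.accountsupdate.ca>',
                '"ceo@corp.example" <someone@gmail.com>',
                '"Amazon.ca" <no-reply@amazon.ca>']:
        print(hdr, "->", check_sender(hdr) or "ok")
    for url in ["https://amazon.accountsupdate.ca/login",
                "https://www.amazon.ca/gp/css/homepage.html",
                "http://192.0.2.10/amazon/signin"]:
        print(url, "->", check_link(url) or "ok")
```

The suffix handling is the part worth getting right: a naive "last two labels" rule would turn www.amazon.co.uk into co.uk and flag a genuine Amazon link, which is why the helper consults a (here, constructed) suffix table and why real deployments should use the full Public Suffix List.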
Attachments
Attachments are used by cybercriminals to install malware on the computer and potentially on the corporate network. This malware can lock the computer or the entire network, record keystrokes and passwords, or encrypt files and demand a ransom for their return.
Remind employees never to open unexpected email attachments or plug in unknown USB drives, and to avoid enabling macros in office documents.
Contact Information
Legitimate organizations and people want a response and make it easy for the recipient to contact them. Pay close attention to the signature block: look for a phone number and address, and confirm that any email address given there matches the sender’s actual email address.
Remind employees that when there is any doubt about the legitimacy of a message, they should contact the sender to validate the request using contact information from a trusted source (e.g. the official website), not from the email itself.
Reinforce to employees that it’s better to be safe than sorry. During your cyber security awareness training, make it clear that you want employees to be suspicious of the emails they receive. Tell them that it’s best to slow down, to read the entire email carefully, and if there is any doubt or suspicion to contact an internal cyber hero or the IT department.
Make them feel comfortable reporting something even after they’ve clicked; a prompt report helps contain the damage, since credentials can be reset and the same message pulled from other inboxes before it spreads further.
How To Protect Employees from Phishing and Email Scams
The best way to protect employees from phishing, email scams, and other cybercrimes is with consistent messaging that builds cyber security awareness. Your employees are your first line of defense against cybercrimes.
By building phishing awareness and creating internal cyber heroes, you protect your organization and employees from the risks and threats that come with the 3.4 billion phishing emails sent daily.
Build Your Business Case For Phishing Awareness – Free Webcast
Watch the free webcast Why Go Phishing? Build Your Business Case For Phishing Awareness so you can more easily build your corporate business case for cyber security and phishing awareness training.