Over 3.4 billion phishing emails are sent out to unsuspecting recipients every day. At that pace, over 1 trillion email scams are deployed in one calendar year. The sheer enormity of these numbers makes it easier to understand how and why employees become victims of phishing email scams.

The typical email inbox is overflowing with emails from colleagues, partners, friends, and family, third-party providers, newsletters, company promotions, and hidden among those, some from cybercriminals. Compounding this is the overly busy workday and the pressure to read and act upon every single email.

And this is precisely why you need to give employees actionable information on reporting an email scam. As part of your phishing awareness training, you need to remind employees that you want them to report phishing messages and immediately let you know if they have fallen victim to an email scam.

How to Report a Phishing Email

To report an email scam, do the following:

Report the email scam to your IT department and manager

Make sure employees are aware of the corporate security policy on how to report an email scam. As part of your ongoing cyber security awareness campaign, remind employees through email newsletters, posters, and other communication tools to report email scams and who they should contact.

Report the email scam to the email provider

Most email providers have built-in mechanisms that make it easy to report an email scam. The report phishing button can be enabled in Outlook, Gmail, Yahoo!, and other email clients.

If employees are checking their personal email at work, make sure they have enabled the report phishing button and remind them that you want them to be proactive against phishing (even in their personal inbox).

Report the email scam to a governing body

Most countries have a governing body that deals with phishing email scams. In the United States, the email can be sent to the Cyber Security and Infrastructure Agency. In Canada, report the email to the Canadian Ant-Fraud Centre. In the United Kingdom, report the email scam to the National Fraud and Cyber Crime Reporting Centre.

Mark the sender as junk or spam

Add the sender to the junk or spam list in the email client. This then forwards any emails from this sender to the junk/spam folder, keeping them out of the primary email inbox.

Delete the email

Delete the email and then empty the trash folder. Your employees must know what to do when they receive a phishing email. Make it easy for them to report the email and remind them that they’re doing the right thing.

What is Phishing?

Phishing is a cybercrime that uses email scams, websites, and text messages to steal confidential personal and corporate information.

Savvy email scams trick employees into providing personal information such as their date of birth, address, credit card details, account passwords, and social insurance number. Using social engineering techniques, cybercriminals write convincing emails that trick email scam victims into believing that the phishing email is legitimate.

Phishing happens when an unsuspecting victim responds to a fraudulent request, such as an email that demands action. This action can include downloading an attachment, clicking a link, filling out a form, updating a password, or confirming credit card details.

Because many people do not know what the signs of a phishing email are, it’s very easy in the midst of a busy workday to become a victim of an email scam. This underscores the importance of providing employees with phishing awareness training and education.

Watch Why Go Phishing? Build Your Business Case For Phishing Awareness and learn how to build a business case for phishing awareness.

How To Recognize An Email Scam

To recognize an email scam, remind employees that there are six key indicators that the email in their inbox is an email scam and should not be responded to, trusted, or clicked.

The six biggest indicators of an email scam are:

1. Sender

Cybercriminals know that people are busy and don’t take a close look at who has sent them an email. These criminals also know that people are conditioned to trust, making it easy to trick people into believing that the email must be legitimate because they recognize the sender.

  • The email sender’s name and email address are very easy to fake.
  • Just because you know the person who sent the email doesn’t mean it’s safe.

Remind employees to carefully inspect the spelling of the sender’s name and the email address. Tell employees to hover their mouse pointer over the email sender name and check that the name and email address are legitimate.

2. Salutation

Emails are typically personalized and do not use vague salutations such as “Dear Client,” “Dear Customer,” or “To Whom It May Concern.” This should raise suspicion, especially if the email has come from someone you know or a company you’ve previously worked with.

3. Content

Cybercriminals know how to write emails using savvy social engineering techniques that trick people into taking action and into believing that by responding, they’re doing the right thing.

Remind employees to pay attention to these content clues that the email is a scam:

  • Poor grammar, spelling, or strange sentence structure.
  • Uses urgent and compelling language to create a sense of panic, convincing action. For example, the account will be locked if the recipient does not respond immediately.
  • The email asks for confidential personal or corporate information. Many cybercriminals send emails masquerading as a bank, major online retailer, or government institution that ask the recipient to confirm the account, credit card, or social insurance number details. No legitimate organization will ask for this information through email.
  • A password reset is required immediately because the company has been hacked or the database has become corrupt.

4. Link or Button

Phishing email scams typically include a link or button that takes the recipient to a spoofed website. This faked website looks real. However, the domain name is not legitimate. For example, a cybercriminal might recreate the account page for Amazon, but the URL is amazon.accountsupdate.ca instead of amazon.ca/gp/css/homepage.html.

Remind employees never to click a link or button in an email. Instead, they should open a new browser tab and manually enter the URL for the website or use a bookmark.

5. Attachment

Cybercriminals use attachments to install malware on the computer and potentially the corporate computer network. This malware can then lock the computer or entire network, install software that records keystrokes and passwords, or install a virus that corrupts files in exchange for a ransom.

Remind employees to never open unexpected attachments in email or foreign USB keys and avoid enabling macros in productivity documents.

6. Contact Information

Legitimate organizations and people want a response and make it easy for the recipient to contact them. Pay close attention to the salutation and look for a phone number and address and confirm that the email address in the greeting matches the sender’s email address.

Remind employees that when there is a doubt in the message’s legitimacy, contact the sender to validate the request using contact information from a trusted source (e.g., official website), not the email itself.

Reinforce to employees that it’s better to be safe than sorry. During your cyber security awareness training, make it clear that you want employees to be suspicious of the emails they receive. Tell them that it’s best to slow down, read the entire email carefully, and any doubt or suspicion to contact an internal cyber hero or the IT department.

Make them feel comfortable to report something even after they’ve clicked. This can help contain the damage.

Protect Employees from Phishing and Email Scams

The best way to protect employees from phishing, email scams, and other cybercrimes is with consistent messaging that builds cyber security awareness. Your employees are your first line of defense against cybercrimes.

By building phishing awareness and creating internal cyber heroes, you protect your organization and employees from threats that come with those 3.4 billion daily phishing emails.


Cybersecurity Hub

Cyber Security Hub : Access Exclusive Cyber Security Content

For more information on how end users can keep their protect their personal and organizational data, download all the free training kits from the Terranova Security Cyber Security Hub!