Many companies put a lot of time and effort into employee cybersecurity awareness training, and studies show that employees who are given the information they need to detect phishing and practice good cyber hygiene reduce company risk.
Changing employee behavior through a good training program is estimated to reduce the chance of a business having an I.T. security incident by 45% to 70%.
But are the managers or “bosses” in your company sabotaging your security efforts unintentionally?
There is one common mistake they may be making that can cause employees to fall for a phishing scam and endanger network security, even if they’ve been well trained.
That mistake is forwarding a phishing email to an employee.
Why You Should Not Forward Phishing Emails to Your Staff
Managers are used to forwarding things to employees to take care of, such as a meeting request so that an appointment can be set up. They may not think twice about forwarding a strange email, figuring that the employee can review it and do whatever is needed.
One true story, in which a company lost control of the server running its website and email, started with the CEO of a small start-up forwarding a phishing email.
The email appeared to come from the hosting provider from which the company rented its website and email server. The sender address was spoofed to use the hosting provider's domain, and the message warned that service would be cut off unless some account information was updated.
The CEO sent it to one of his staff, a tech-savvy employee who usually handled website administration. No note was added, such as "Not sure if this is phishing, can you check?"; it was simply forwarded with the expectation that it would be taken care of.
On the other end, the employee saw the forward from the CEO and immediately stopped what they were doing. The CEO wasn't known for being particularly patient, and got especially agitated whenever the website went down for any reason.
The employee also saw the familiar "from" address of the web host and assumed the email was legitimate, both for that reason and because it was forwarded by the boss. Coming from him, it read as a directive to take care of the matter.
The employee followed the link to log in and see what information needed to be updated. Normally they would have called the hosting company to verify, but they were afraid that any delay would mean the website going down and they would be in trouble for not acting faster.
Within seconds of entering credentials on a site that looked exactly like the real login page, the attackers had captured them and started an automated attack. By the time the employee realized it was a scam and changed the password, about five minutes later, it was too late.
It took the company weeks to rebuild its website and repair its email domain's reputation, because the attacker had used the domain to send phishing as part of the attack.
Forward Phishing Emails to an I.T. Professional Instead
When anyone receives an email from their supervisor or manager, it immediately elevates the importance of that message, and employees will often want to respond fast.
That desire to respond fast so as not to get in trouble (as in the story above) can cause a person to forget their phishing training and act on the forwarded email without reviewing it properly.
An employee might also believe that their boss already reviewed the message, and that it must be legitimate because the boss forwarded it to them to handle.
Emails aren’t just normal emails when they’re forwarded from a person in a position of power. Employees will see that email and think:
- I need to get this handled right away
- I don’t want to make the boss mad
- I’m expected to handle this because it was forwarded to me
- It must be legitimate because my boss sent it to me
- If I don’t do this right away, I could be reprimanded if something bad happens
Where should you forward suspicious emails instead? Send them to us! An I.T. professional has the experience to review messages that may be phishing. Not only do we have years of experience identifying these scams, we also have the separation needed to be completely objective, which your employees do not.
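Part of what an I.T. reviewer looks at is the message's original headers, and an inline forward does not carry them: the copy that lands in the employee's inbox is a new message from the boss's mailbox, with the boss's own SPF/DKIM/DMARC results, and only the quoted body survives. When you pass a suspicious message along for review, forward it as an attachment (the .eml file) rather than inline. The script below is an added example, not code from Texas I.T. Pros or from the company in the story; the addresses, domains and header values are constructed to mirror the incident. It runs the same triage over the original message and over its inline-forwarded copy and shows which indicators the forward loses.

```python
"""Triage a raw email for phishing indicators, then show what an inline
forward of the same message loses. Added example; all names, domains and
header values below are constructed for illustration."""
import email
import email.policy
import re
from urllib.parse import urlparse

# Constructed sample: the spoofed "hosting provider" notice as delivered to the
# CEO's mailbox. The receiving mail server has already recorded its verdicts.
ORIGINAL_EML = """\
Return-Path: <bounce-4417@mail-relay.example.net>
Authentication-Results: mx.smallstartup.example;
 spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none;
 dmarc=fail header.from=hostingco.example
From: "HostingCo Billing" <billing@hostingco.example>
Reply-To: support@hostingco-billing.example
To: ceo@smallstartup.example
Subject: ACTION REQUIRED: service suspension in 24 hours
Content-Type: text/html; charset="utf-8"

<p>Your account information is out of date. Log in within 24 hours to
avoid interruption: <a href="https://hostingco-billing.example/login">
https://hostingco.example/login</a></p>
"""

# The same notice after the CEO inline-forwards it. This is a brand-new message
# from the CEO's mailbox: the server now records the CEO's own (passing)
# SPF/DKIM/DMARC results, and the original Return-Path and Reply-To are gone.
# Only the quoted body, including the deceptive link, survives.
FORWARDED_EML = """\
Return-Path: <ceo@smallstartup.example>
Authentication-Results: mx.smallstartup.example;
 spf=pass smtp.mailfrom=smallstartup.example;
 dkim=pass header.d=smallstartup.example;
 dmarc=pass header.from=smallstartup.example
From: "The CEO" <ceo@smallstartup.example>
To: webadmin@smallstartup.example
Subject: FW: ACTION REQUIRED: service suspension in 24 hours
Content-Type: text/html; charset="utf-8"

<p>---------- Forwarded message ----------<br>
From: HostingCo Billing &lt;billing@hostingco.example&gt;</p>
<p>Your account information is out of date. Log in within 24 hours to
avoid interruption: <a href="https://hostingco-billing.example/login">
https://hostingco.example/login</a></p>
"""


def _domain(addr: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host', lower-cased."""
    match = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return match.group(1).lower() if match else ""


def _auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def triage(raw: str) -> dict:
    """Return phishing indicators found in a raw RFC 5322 message.

    An empty list means "nothing visible", not "clean": for a forwarded copy it
    usually means the evidence was stripped by the forward.
    """
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = {"auth": [], "headers": [], "links": []}
    from_domain = _domain(str(msg.get("From", "")))

    # 1. Authentication results recorded by the receiving mail server.
    auth = _auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            findings["auth"].append(f"{method}={verdict}")

    # 2. Envelope sender or Reply-To pointing somewhere other than the From domain.
    for name in ("Return-Path", "Reply-To"):
        other = _domain(str(msg.get(name, "")))
        if other and other != from_domain:
            findings["headers"].append(f"{name} domain {other} != From domain {from_domain}")

    # 3. Links whose visible text names one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        target = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text.strip()).hostname or "").lower()
        if shown and shown != target:
            findings["links"].append(f"link text shows {shown} but points to {target}")
    return findings


if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL_EML), ("inline forward", FORWARDED_EML)):
        print(f"== {label} ==")
        for category, items in triage(raw).items():
            print(f"  {category}: {items or 'nothing visible'}")
```

The original message fails SPF and DMARC, has Return-Path and Reply-To domains that differ from the From domain, and carries a link whose visible text names the hosting provider while the href points elsewhere. The forwarded copy keeps only the link finding; its authentication results are the CEO's own and pass, which is exactly why a forward from the boss looks clean to whoever receives it.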
Help Reduce the Number of Phishing Emails Hitting Staff Inboxes
One way to mitigate the risk of a cyberattack is to reduce phishing volume. Texas I.T. Pros can help your Denton or Wise County business put email filtering in place that blocks dangerous messages and keeps them out of staff inboxes.
Contact us today to learn more! Call 940-239-6500 or reach out online.