Phishing is one of those universal threats that just about every company has experienced, whether it’s located in Sydney, Australia, or right there in Sturgeon Bay, Wisconsin.
In 2020, 75% of organizations around the world experienced some type of phishing attack. Phishing is used as a delivery method for everything from ransomware to business credential theft.
As part of a good cybersecurity strategy, many companies train employees on how to spot phishing emails and warn them of the dangers of clicking links and file attachments from unknown senders.
But… you might be doing something that causes that training to go out the window, leaving your business more vulnerable to a breach.
You might be wondering when looking at the title of this article, “How could I be doing anything to cause my employees to interact with phishing?” You may even have devoted resources to putting in safeguards like DNS filtering and email filtering.
You actually want to stop employees from falling for phishing scams, so what could you be doing to thwart those efforts?
One simple thing… forwarding a phishing email to your staff.
True Story of a Manager-Caused Phishing Incident
To explain more about what we mean, here’s a true story of how the CEO of a small startup company enabled a phishing attack that took out the company’s web server and caused its email domain to be banned from multiple mail services.
One employee who was known to be rather computer-savvy was working away as usual. Suddenly an email comes in from the CEO of the company. It’s a forwarded email that appears to be from the company’s hosting vendor that hosts its website and emails.
The message warns of a loss of service due if information is not updated on the account. The employee looks over the message header and sees that the email address looks to be legitimate (it was a case of spoofing of the web host’s email address).
Not wanting to upset the CEO, the employee took action. The person thought that the boss obviously wanted this taken care of right away since it was forwarded, plus knew that he is not known for being particularly patient, and has become upset by problems that impacted the website before.
If not for the forwarding of the email by the CEO, the employee would’ve taken time to review the message more thoroughly and even called the web host rather than doing things by email. But time was of the essence as the employee did not want to get in trouble for not reacting quickly and causing the website to get shut down as a result.
The employee clicks the link in the forwarded email and sees the same login page that they always see when accessing the web service (a cleverly spoofed page). Once the employee logs in, they try to find a reference to the issue the email noted, but there was none.
The employee immediately fears a phishing attack and changes the password on the account, but it’s too late. Phishing attackers use automation, so as soon as they receive the credentials they need, they’ve taken over the webserver and begun sending out spam in a matter of seconds.
The company spent the next few days cleaning up the mess, which was a full takeover of their web server, having their website down and emails rejected in the meantime.
Why Are Employees More Likely to Click on Phishing When it Comes From the Boss?
The quick takeaway from this story is that employees are much more likely to click on a phishing email if it has been forwarded to them by a supervisor or someone else in a managerial position.
The manager might not think anything of it and forward the message, thinking, they’ll take care of it if it’s real and delete it if it’s fake.
However, the person on the other end of that exchange might see the email differently. Here are some reasons to avoid forwarding suspicious messages to your employees or employees that you manage. (Send them to Quantum instead for a professional opinion.)
Employees May See It As a Request for Action
If an email is forwarded from a supervisor or someone with a position of authority, an employee sees that differently than another email in their inbox.
They will prioritize those messages and try to take action right away, which causes them to forgo the normal scrutiny they would give an email (such as the case in the story).
Employees Don’t Want to Get In Trouble
The fact that the email is being received from a “boss” puts additional anxiety on the recipient. They now must worry about being seen as non-responsive and they don’t want to get into trouble for not handling whatever the message might say is wrong.
Employees Might Think the Boss Already Scanned the Message
If a person receives a forwarded email from a CEO or manager, they may think that the person already reviewed this for phishing signs and found it to be okay. They may not think they need to provide additional scrutiny.
Need Help Improving Your Phishing Security Strategy?
There are multiple layers to a good phishing security strategy. Quantum PC Services can help your Sturgeon Bay business take a look at your company’s weak spots and improve your overall cybersecurity.
Contact us today to learn more! Call 920-256-1214 or reach us online.