A phishing email asking you to click on a link or share information. Your employees wouldn't fall for that. Right? Many people think they can easily identify phishing emails. Unfortunately, nothing could be further from the truth: every year thousands of people and companies fall victim to scams. And now that more employees are working remotely, the danger has only increased. How do you protect remote workers from a distance? We give 5 tips to keep your employees safe.
During the global pandemic - and the consequence that more people are working from home - there was a significant increase in cybercrime (Europol report). In addition to the fact that attackers gratefully took advantage of a new context (fear and uncertainty about corona) to thrive in, we also became more dependent on digital solutions for work and connection. "When you work remotely, you are probably at home with your own rules and habits for safely handling information," says Jan-Willem Bullée, assistant professor at the University of Twente and research analyst at Awareways. "Rules and guidelines from the organization are sometimes lost sight of."
"In addition, people are working on private systems and other accounts that are not always at the same security level as the devices at the office. There isn't always a secure file-sharing environment available either. Furthermore, it's harder to walk up to a colleague and ask for his opinion on an email."
Humans are the weakest link
Even if most emails are stopped by spam filters and other security measures, a fake email can always appear in your inbox. Then it's the recipient's turn to act. "Humans are the weakest link when it comes to cybercrime," Jan-Willem explains. "One of the reasons phishing is so effective is that the attacker uses psychological principles to get victims to cooperate in the attack. Also called social engineering." For example, take a look at the email below that a colleague within Appical received in his personal mailbox. You can see that the sender is using authority by posing as the CEO of Appical. In addition, the recipient is pressured to respond as quickly as possible. This creates a scarcity of time.
I hope this email meets you at the right time as I need you for some important task. I will be available via email at this time and will await your swift response.
Hans van Rijnswoud
CEO at Appical
"Attackers and criminals also evolve. Phishing emails are getting better and better and are also moving to other commonly used media, such as WhatsApp," says Jan-Willem. It takes one small moment of distraction, and the consequences can be huge. Opening an email or clicking on a link can cause a company a lot of damage, such as high costs, data theft or damage to the organisation's reputation. So it's important to recognize a phishing attempt and deal with it correctly.
5 tips to arm your employees against scammers
1. Know how to recognize a phishing email
In the past, phishing emails were full of spelling mistakes and poor English, but nowadays fake emails are increasingly difficult to distinguish from real ones. How do you recognize them? "First of all, check the sender, where the link goes and whether you can expect to receive this email," advises Jan-Willem. "Suppose you share on LinkedIn that you are an HR consultant, then you might find an email about the newest gardening tools suspicious. But with an email that does connect to your personal context, it becomes more difficult to recognize an attack." Knowledge is power. For the attacker, but also for you. First of all, slow things down. It's fine to wait a moment before responding and ask a colleague to check the email. Organizations also often have an IT security hotline that can advise you as well.
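As an added example (not code from this article or from Appical), the three checks Jan-Willem lists here, together with the authority and time-pressure levers shown in the sample email above, written as a small Python triage function; the organisation domain, executive list, urgency phrases and all addresses in the sample message are constructed assumptions.

```python
# Heuristic triage of a suspicious email: who sent it, where its links go, and whether it pressures the reader.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed configuration (hypothetical): the organisation's own mail domain
# and the executive names an attacker would borrow for an authority ploy.
ORG_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"hans van rijnswoud"}
URGENCY_PHRASES = ("swift response", "urgent", "immediately", "as soon as possible")

def host_of(text):
    """Lower-cased hostname of a URL or bare domain, '' if there is none."""
    url = text if "://" in text else "http://" + text.strip()
    return (urlparse(url).hostname or "").lower()

def triage(raw_email):
    """Return warnings for an RFC 822 message; an empty list means no red flags."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    warnings = []
    # Authority check: an executive's name on an address outside our own domain.
    if name.strip().lower() in EXECUTIVE_NAMES and sender_domain != ORG_DOMAIN:
        warnings.append(f"sender '{name}' uses external domain '{sender_domain}'")
    # Link check: compare the domain the link text shows with where the href really goes.
    for href, shown in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown_host = host_of(shown) if re.search(r"\w\.\w{2,}", shown) else ""
        if shown_host and shown_host != host_of(href):
            warnings.append(f"link shows '{shown_host}' but goes to '{host_of(href)}'")
    # Time-pressure check: the "scarcity of time" lever used in the sample email.
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        warnings.append("urgency language: " + ", ".join(hits))
    return warnings

# Constructed sample modelled on the email quoted above (addresses and link are made up).
SAMPLE = """\
From: Hans van Rijnswoud <ceo.office.mail@freemail.example>
To: colleague@example.com
Subject: Important task
Content-Type: text/html

I hope this email meets you at the right time as I need you for some important task.
I will be available via email at this time and will await your swift response.
Details: <a href="http://payroll-update.example.net/x">example.com/hr</a>
"""
```

Running `triage(SAMPLE)` yields three warnings (external sender domain behind the CEO's name, a link whose text and destination disagree, and urgency language), while an ordinary internal message yields none.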
2. Notify employees of the reporting procedure
"Employees are the ears and eyes of the organization. They see, hear and experience things. Also things that are suspicious. A strange phone call asking for personal information, an email with a link pointing to an unfamiliar website. When employees report suspicious situations, you get a picture of what is happening within the organization. Communicate about this as well. If employees don't report anything, the security department thinks all is well. But if the organization provides updates on cybersecurity, you're bringing the problem into focus, and employees see that they're not the only ones who have experienced something strange."
3. Repeat the message
You've made it clear to your employees how to recognize a phishing email and where to report cyberattacks. Done, right? "If you don't use knowledge or skills often, it will decline", explains Jan-Willem. "Repeat your message, and it will stay top of mind. By continuing to practice, you get better at a skill. Think of writing, riding a bike or driving a car; at the beginning it was a real challenge and now - a few years later - you're doing much better. It's the same for dealing safely with information. So don't make training and awareness a one-off action, but a continuous process. Even after cyber security month."
4. Point out that it can happen to anyone
"Phishing can happen to anyone. People are busy and are not always as alert as they should be. Attackers know this too and take advantage of it. There is also a cognitive fallacy that does not help here. We often think that someone else is more likely to be the target of a cyber attack than we are. This makes you less alert, makes you think security awareness materials don't apply to you and you will pay less attention to them. The danger of this? If you do become a victim of phishing, you're less likely to recognize the attack and be quick to act on it."
5. Provide an open culture
"It's important to make employees feel like they can discuss phishing attempts. By discussing cyber security with colleagues, you can ask each other for help and keep each other informed. After all, two people know more than one and four eyes see more than two! Checking with a colleague can help you take the urgency (scarcity in time) out of an action." So check, check, double check!