Company employee cybersecurity awareness training often focuses on identifying phishing attacks and avoiding falling for malicious links and attachments. Phishing is the main driver of all types of cyberattacks and continues to grow as its delivery is optimized by large criminal groups.

In May of 2021, phishing attacks increased 281% and then jumped another 284% in June. 

A variety of IT security precautions are taken to combat phishing including email filtering, content filtering and anti-malware protection. However, one of the most effective ways to reduce risks related to phishing attacks is by training your employees. Well-trained employees can reduce the risk of a company succumbing to a cyberattack by 45-70%.

Regardless of how well employees are trained, there is one mistake that those in authority make that can cause employees to fall for phishing emails. This is often done without thinking by managers, CEOs, supervisors, business owners and others in a position of authority.

This mistake is to forward a phishing email to an employee. 

Why You Should Not Forward Phishing Emails to Your Employees

A phishing forward is typically done to delegate something that might need to be handled. In the case of one CEO of a start-up company, he was too busy to address an email that appeared to be from their hosting company and was asking for information to be updated. So, he forwarded it to his assistant to “deal with”.

The person on the other side of that forward is now being set up to get caught in a phishing trap. It is a trap that they likely would have avoided if the email had landed in their inbox organically without the added elevation of being forwarded by their boss.

Here are the reasons why you should not forward phishing emails to employees.

When Phishing is Forwarded, Trust is Added Inherently 

When a person in a position of authority forwards a phishing email, the employee receiving that email automatically trusts the content at first glance. They see that their boss sent them something and assume that the content is legitimate (unless they are told that it is not real).

Forwards of phishing emails are often done without explanation or a question such as, “Do you think this is fake?”

Employees See the Forward as a Directive to Do Something

When a manager forwards a phishing email, the employee often sees this as a directive to take care of something. They may not even question the validity because of that reason.

Employees receive work from their manager all the time. One more email that appears to need handling would not be out of the ordinary regardless of the content of the forwarded message.

The Recipient May Want to Act Fast So They Don’t Get In Trouble

In the case of the CEO at the start-up company who forwarded a phishing email to his assistant, the assistant’s “urgency meter” went up a few notches when they saw an email from the CEO in their inbox.

In this case, the CEO wasn’t known for his patience and could get upset easily if things were not handled immediately. 

It is not unusual for employees to feel a sense of urgency to act fast on a request from their boss. They don’t want to get in trouble or be seen as not taking care of something important quickly. This sense of urgency can lead to employees bypassing the normal scrutiny that they would usually give to an unexpected message like this.

In the case of that assistant to the CEO, she would have normally called the hosting company first to check that the email asking to update details or lose service was legitimate. However, she didn’t do that because of the time it would take to be on hold for an answer. Instead, she clicked the link. The company’s web server was taken over as soon as she logged into the fake login page.

Some Message Details May Be Obscured

When an email is forwarded, the recipient sometimes sees only the display name of the original sender, not the full email address. Details like this can be obscured in a forwarded message, which makes it more difficult for an employee who is trying to spot phishing.
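As an added illustration (not part of the original article), the Python sketch below parses a forwarded message and reports whether the original sender's address survived the forward or only the display name did. The sample message, the example domains and the forward-marker layout are constructed assumptions; mail clients format inline forwards differently.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: an inline forward in which only the display name survived.
SAMPLE_FORWARD = """\
From: CEO <ceo@startup.example>
To: Assistant <assistant@startup.example>
Subject: Fwd: Action required: update your hosting account

deal with this

---------- Forwarded message ---------
From: Hosting Support
Date: Mon, Dec 6, 2021 at 9:14 AM
Subject: Action required: update your hosting account
To: CEO

Update your details within 24 hours or lose service.
"""

# Assumed marker layouts; extend for the mail clients in your environment.
FORWARD_MARKER = re.compile(
    r"^-+\s*(?:Forwarded message|Original Message)\s*-+\s*$", re.I | re.M)
QUOTED_FROM = re.compile(r"^From:[ \t]*(.+)$", re.M)
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def inspect_forward(raw):
    """Report who forwarded the message and what is visible of the original sender."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    result = {"is_forward": False,
              "forwarder": parseaddr(msg.get("From", ""))[1],
              "original_display": None, "original_address": None,
              "sender_obscured": False}
    marker = FORWARD_MARKER.search(text)
    if marker is None:
        return result
    result["is_forward"] = True
    # Only the quoted header block after the marker describes the original sender.
    quoted = QUOTED_FROM.search(text, marker.end())
    value = quoted.group(1).strip() if quoted else ""
    addr = ADDRESS.search(value)
    if addr:
        result["original_address"] = addr.group(0)
        result["original_display"] = parseaddr(value)[0] or None
    else:
        result["original_display"] = value or None
    result["sender_obscured"] = addr is None
    return result
```

A mail gateway or reporting add-in could use a check like this to warn the recipient that the original sender's address is not visible in the forward and should be verified before acting.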

There Is a Better Option – Ask Your IT Provider Instead

There is a better option than forwarding unknown messages that could be phishing to employees. Instead, you should contact your IT provider (i.e. Sound Computers) if you see anything suspicious in your inbox.

We have the knowledge and expertise to review the message to see if anything looks suspicious and can tell you definitively whether the message is real or fake.

Do You Have Strong Phishing Safeguards In Place at Your Company?

Don’t leave your business unprotected from the most dangerous type of attack. Sound Computers can help your Connecticut company with a multi-layered strategy to combat phishing attacks.

Contact us today to schedule a free consultation. Call 860-577-8060 or reach us online.

December 28, 2021
Sound Computers Admin