Ryan Harnedy
Aug 2016

5 Bad Email Habits that Get Users Phished

Bad habits are hard to break, but when they can cost your company $3.7 million it’s worth a try.

As phishing attacks become more sophisticated, and the cost of being hooked goes up, it's critical for everyone at your company to be on their best email behavior.

The fact is, email is the #1 delivery vehicle for both ransomware and malware in general, so if computers on your network get infected, chances are it will be because someone you work with opened an email and clicked on something they shouldn't have. 

To help you put your users on the path to good email hygiene, here are five of the worst email habits users have, and how they can fix them.

Bad email habit #1

Clicking on links without checking the URL first

Cyber criminals often try to hide suspicious URLs by linking them in innocuous text. Think: “Hey, click on this to RSVP!” or “Download this attachment to get started!”

Users need to break the bad habit of immediately clicking on hyperlinked text and replace it with a better habit, instead: hovering over hyperlinks to see the URL first. Here's a post with examples you can check out (to be clicked after you hover over the link, of course). 

Bottom line: If the web address doesn't look legitimate or doesn't line up with what you'd expect, users should avoid clicking and report the email to IT.
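The "hover first" habit can also be turned into an automated check. The script below is an added example (not code from the original post or from Barkly): it pulls every hyperlink out of an HTML email body and flags the ones where the visible text names one domain but the link really goes somewhere else, where the destination is a bare IP address, or where a `user@` prefix is used to disguise the real host. The sample email body is constructed, using reserved example/test domains and a documentation IP range; the `registrable()` helper assumes no public-suffix list and simply keeps the last two labels of a hostname.

```python
"""Added example (not from the original post): flag hyperlinks in an HTML
email body whose visible text does not match where the link really goes.
This is the programmatic version of the 'hover before you click' habit and
could run in a mail gateway or a user-reporting tool."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a bare or http(s)-prefixed domain name inside visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate the registered domain as the last two labels.
    Assumption: no public-suffix list, so 'shop.example.co.uk' collapses to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Return a list of findings for links that deserve a second look."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if host and _is_ip(host):
            reasons.append("destination host is a raw IP address")
        if parsed.username is not None:
            reasons.append("URL carries a user@ prefix that hides the real host")
        shown = DOMAIN_RE.search(text)
        if host and shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample body: one honest link, one mismatched link, one IP link.
SAMPLE_EMAIL = """
<p>Hi, your invoice is ready.</p>
<a href="https://invoices.example.com/view">https://invoices.example.com/view</a><br>
<a href="http://example-login.test/reset">https://accounts.example.com/reset</a><br>
<a href="http://203.0.113.7/rsvp">Click here to RSVP</a>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"], "<-", finding["text"], ":", "; ".join(finding["reasons"]))
```

Running it on the sample body reports the second and third links and stays quiet about the first. Anchor text that contains no domain at all ("Click here to RSVP") cannot be compared, which is exactly why the hover habit still matters for humans: the check only catches what the text gives away.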

Bad email habit #2

Opening attachments from untrusted (or unconfirmed) sources 

A common tactic of phishers is to attach a document, typically a Word or Excel file, with ransomware embedded. Once the user opens the document it can leverage Office macros to run the malware inside the file.

If your users' jobs involve sending and receiving lots of Office documents that can certainly make protecting them from phishing more difficult, but there are some general best practices that can help lower the risk. 

First, if possible, disable macros. Next, train employees on the importance of scrutinizing sender information in any email they receive that's even slightly out of the ordinary.
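Disabling macros on the endpoint is the first line of defense; a second is to notice macro-bearing attachments before a user ever sees them. The following is an added example, not code from the original post or from Barkly: because modern Office files (.docx, .docm, .xlsx, .xlsm) are zip containers, a mail gateway or scanning script can open an attachment in memory and look for the VBA project part, regardless of what the sender named the file. The sample "inbox" and the minimal OOXML containers it scans are constructed test data, not real documents; legacy .doc/.xls binaries are only recognized by their OLE2 signature and held for review, since inspecting them needs an OLE parser.

```python
"""Added example (not from the original post): decide whether an Office
attachment carries a VBA macro project before it reaches a user's inbox.
Modern Office files are zip containers, so the standard library is enough."""
import io
import zipfile

# First 8 bytes of the legacy OLE2 container used by .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type OOXML assigns to the vbaProject.bin part.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_office_attachment(data):
    """Return 'macro', 'clean', 'legacy-binary' or 'not-office'.

    The verdict is based on the bytes, not the file name, because the
    extension is whatever the sender chose to call the file."""
    if data.startswith(OLE_MAGIC):
        # Old binary formats need an OLE parser to inspect; treat as review-worthy.
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            return "not-office"
        # A VBA project is stored as its own part; either signal is enough.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
            return "macro"
    return "clean"


def scan_attachments(attachments):
    """attachments: list of (filename, bytes). Returns (name, verdict) pairs to hold."""
    held = []
    for name, data in attachments:
        verdict = classify_office_attachment(data)
        if verdict in ("macro", "legacy-binary"):
            held.append((name, verdict))
    return held


def build_sample_docx(with_macro):
    """Construct a minimal OOXML container in memory (constructed test data,
    not a document Word would open)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Default Extension="xml" ContentType="application/xml"/>')
        if with_macro:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        types += "</Types>"
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: a macro file renamed to .docx, a clean file, a PDF, a legacy .xls.
    inbox = [
        ("invoice.docx", build_sample_docx(with_macro=True)),
        ("minutes.docx", build_sample_docx(with_macro=False)),
        ("report.pdf", b"%PDF-1.4 constructed placeholder"),
        ("old-budget.xls", OLE_MAGIC + b"\x00" * 16),
    ]
    for name, verdict in scan_attachments(inbox):
        print(f"hold for review: {name} ({verdict})")
```

The check reports presence of a macro project, not what the macros do, so it is a triage signal to pair with the macro-disable policy rather than a replacement for it. Renaming a .docm to .docx does not hide the project from this scan, because the verdict comes from the container's contents.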

Here's an example of a phishing email, with a few red flags pointed out. You can find more sample phishing emails in our new Phishing Field Guide eBook.


Even if an email appears to come from a familiar source, if there's something that seems off (the nature of the request, strange or missing email signature, poor spelling and grammar, etc.), encourage your users to double-check with the sender face-to-face or over the phone to confirm the message is actually from them. 

Remind your users that today's phishing emails aren't just obvious spam messages from fake Nigerian princes. Cyber criminals have gotten frighteningly good at impersonating people their targets work with or do business with regularly, and at writing messages that are convincing if you don't know what to look for.

Bad email habit #3

Sharing sensitive information over email

Phishing scams that are looking to obtain confidential corporate information, such as employee records or W-2s, have become very popular in recent years. These attacks typically take the form of an email impersonating an executive-level employee (often the CEO), or another professional contact asking for some sensitive information to be emailed to them.

To combat this, encourage your organization to consider investing in file-sharing tools like Google Drive, Dropbox, or other document management systems that can help eliminate the need to attach sensitive information to emails and send it. That way, if someone gets a request asking for financial or employee data to be emailed, it will be much easier to see that it’s a phishing attack.

A more immediate good habit you can encourage your users to adopt is to practice basic two-step verification for any requests involving sensitive information. In other words, simply confirm with the sender — through some method other than email — that the request is real and not a phishing scam.

Bad email habit #4

Being too shy to report a possible phishing email

Getting employees to report possible security issues can be frustratingly difficult. For one thing, people are busy, and they often worry that reporting an issue will result in delays or more work. But it's also natural for people to want to avoid introducing problems, based on concern that it may reflect poorly back on them.

For example: If they get a phishing email, does that mean they did something wrong? Are they going to be viewed as a problem-causer rather than someone who deserves praise for being vigilant?

In order to promote reporting possible phishing emails as a good habit, you have to proactively address these concerns and work hard to establish the right positive atmosphere where employees speaking up is encouraged. 

Positive reinforcement is key. Let users know they'll be thanked for alerting you to potential attacks. Remind them that anyone can be the target of a phishing email — getting one isn't an indication that they did anything wrong. In fact, by reporting suspicious incidents they'll also be helping you to alert others. That's incredibly important, because the majority of phishing emails are sent out in campaigns. If they receive a phishing attempt, it's likely that others in the company have received one, as well. 

Bad email habit #5

Oversharing on out of office messages

Out-of-office emails are a great way for users to let co-workers, business partners, or potential customers know that they're not around to answer their emails (and not just ignoring them). 

But while they are a courtesy, the truth is users can develop some bad OOO habits that provide a lot of valuable information to cyber criminals.

For example, let's say an attacker sends out a phishing email only to receive an out-of-office message complete with detailed information about how long a particular user will be away and who their supervisor is. It's easy to imagine a dozen different ways the attacker can use that information to craft a very believable spear phishing email.

To help combat that bad habit, train your users to keep the information they provide in their out-of-office messages to a minimum. If possible, also consider configuring your email so that different out-of-office replies are sent out based on whether the message is going to someone inside or outside your company.

Get more phishing prevention tips that actually work 

Want to learn more about common phishing mistakes and how you can help correct them? Download our Phishing Field Guide and learn how to keep your users out of the phish phry.

Photo by Annie Spratt

Ryan Harnedy

Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.

