How to
Jonathan Crowe
Nov 2016

3 Tips to Prevent Employees from Getting Phished



If your organization suffers a cyber attack, chances are it originated with a user opening an email and clicking something they shouldn’t have.

Phishing has become the top delivery vehicle for ransomware and other malware (Verizon 2016 DBIR). That’s partially due to attackers getting much better at crafting convincing messages.

[Chart: #1 delivery vehicle for malware? Phishing email attachments. Source: Verizon 2016 DBIR]

Why is phishing so effective?

The majority of today’s phishing emails are a far cry from obvious spam messages from fake Nigerian royalty. Criminals now do their homework, utilizing information they find on company websites and users’ social networks to create highly believable, customized attacks (ex: see what a real spear phishing email sent to our CEO looked like). 

When you also consider many attacks take the form of urgent requests from one of your company’s high-level executives, it’s hard to blame untrained users for getting duped.

That said, users aren't the only ones to blame for phishing attacks getting through. According to a recent survey we conducted with IT pros who had experienced successful phishing attacks, the traditional security solutions most organizations rely on are having a hard time holding up their end of the bargain, too:

  • 90 percent of successful phishing attacks bypassed the victim's antivirus and email filtering

  • 83 percent bypassed the victim's firewall(s)

  • 55 percent were successful even though the victim had conducted security awareness training 


Phishing criminals are clearly capitalizing on a big gap in security, and it's up to you to fix it. On the technology side, we recommend investing in a solution that provides an additional layer of real-time, behavior-based protection. That's something several vendors aim to provide in different ways (you can find out how we do it here).

Think of it this way: You can surround your castle with a (fire)wall and a moat (antivirus), but you still want to have a guard stationed on your side of the gate should anything start going wrong inside your castle. 

In addition to technology, though, this is still clearly a people problem, too. The question remains...

How do you train employees to avoid phishing emails?


The best way to avoid a malware infection is to prevent it from being triggered in the first place. And the way you do that is by helping employees understand how they're vulnerable and what they can actively do about it. 

Here are three tips for giving your users the tools and know-how they need to better protect themselves and your company.

1) Show them real phishing examples

Telling users to be more watchful isn’t going to do much good if they don’t know what to watch out for. The solution? Show them what phishing emails actually look like by sharing real-life examples and pointing out red flags.

Not only will this help you explain phishing tactics far more effectively by giving you visuals to work with, your users are also going to be much more likely to recognize tactics when they’ve actually seen them in use.

Two places to pick up examples of real-life phishing emails are:


2) Have a process — and rewards! — for reporting suspicious emails

In addition to showing (not just telling) users how to spot potential phishing emails, be sure to give them clear instructions on what to do next. Not only should you provide them with a simple reporting procedure (ex: Don’t click any links or download any attachments, just forward the entire email to IT, then delete it from your inbox), you should also actively reward users for using it.

Rewards can be simple and don’t have to break the bank. They can range from company-wide shout-outs (no budget needed) to gift cards to free lunches to chances to win bigger prize drawings. The point is to keep awareness and watchfulness up beyond one training session. A little incentive and encouragement can go a long way.

3) Actually put users to the test 

In addition to being visual creatures, we also tend to learn best through experience. To help you provide your users with a first-hand learning experience with phishing, several vendors, including KnowBe4 and Gophish, offer free opportunities to create your own simulated phishing campaigns and test how your users react.

Note: These tests can be effective at reducing open and click rates for phishing emails, but they need to be administered mindfully.

If users feel fooled they’re likely to lose trust and see the exercise as an example of IT being out to get them in trouble or make them look dumb. When a user fails a mock phishing test, the challenge then becomes moving the focus from "here's what you did wrong" to "here's how we can get better."


Looking for more tips to put security on your company's radar?

You've come to the right place! Take your pick of one of the following, or go ahead and download them both (no judgment here — besides, they're both free): 

The (Amazing) Security Awareness Playbook
See what security really looks like through the eyes of your users, then learn how to apply that perspective to awareness programs they actually engage with and retain.

The Phishing Field Guide: How to Keep Your Users Off the Hook
Help users understand why they’re being targeted and what makes them vulnerable. Then get better at teaching them how to stop taking the bait.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
