Although phishing has been a problem for years, it's not going away. Phishing is the most commonly deployed attack vector for data breaches, making it a go-to source for hackers.
Because a large number of phishing emails target victims every day, it is more important now than ever to remember The Golden Rule of Email. This modern version of the well-known principle states that you should treat every email as if it were a phishing attempt.
Implementing The Golden Rule of Email
Although those in the cybersecurity field have been preaching phishing training for years, it remains a threat to organizations of all shapes and sizes. To address this recurring issue, organizations should shift their training approach towards building habits instead of one-time lessons. Building a repeatable process can have a more significant impact than solely teaching specific details to look for. It’s not the security awareness training alone that makes the difference, but the repeated steps taken while investigating an email.
There are three steps to implementing The Golden Rule of Email concept in any organization:
-
Introduce and apply the concept company-wide.
-
Build phishing awareness skills.
- Take accountability
Step One: Introduce and Apply the Concept Company-wide
The first step in implementing The Golden Rule of Email is establishing it as part of onboarding techniques and general practices, similar to how employees comprehend a company's mission or values. Ultimately, the rule would be adopted by leadership and management teams and woven into training and educational tools for every employee to master.
Suppose every employee was prompted to recite The Golden Rule of Email and the process of spotting phishing, with everyone responding promptly and accurately. In that case, employers and businesses might get a better sense of how their company stands when it comes to defending against phishing attacks.
Step Two: Build Phishing Awareness Skills
Once the initial concept of the rule is adopted across the company, it's time to start building the skills necessary to support it and act against any suspicious activity. A crucial step in helping employees avoid phishing emails is asking the three Ws - who, what, and why- and then verify.
Train employees to consider questions similar to the following for every email received:
Who?
- Do I know the sender?
- Is this someone I usually communicate with?
- Is the email sent to an unusual group of people?
- Is the email address spelled correctly?
- Does the email address match the email in the signature?
What?
- What action does the sender want me to take?
- Does the email contain bad grammar, odd styling, or typos?
- Is the email written in a style consistent with the sender?
- Is the action something you’d expect from the sender?
- Is it an urgent request?
Why?
- Why do they want me to click on a link, download an attachment, or send information?
- Are they presenting a sense of urgency?
- What is the consequence they are threatening if no action is taken? Is it something I should expect?
- Have they presented an unusual situation? Is it something I should expect?
Verify
- If you've gone through the who, what, and why questions and you have any doubts, you should verify the email.
- To verify the validity of a suspicious email, contact the sender via phone, internal chat software, or in-person conversation. Do not reply to the suspicious email asking for verification.
It’s also important to be wary of different phishing types:
- Email phishing: Emails using fake domains to collect private and financial information.
- Spear phishing: A more malicious email targeting specific people. Hackers typically have private information about the individual in which they’re targeting, like their name, job title, and email address.
- Whaling: Emails targeting senior-level staff and management, using scams and spoofed website links to pry into bank accounts, financial information, and personal details.
- Smishing and vishing: Instead of emails, this form of phishing utilizes texting and over-the-phone conversations where scammers pose as fraud investigators warning individuals of “breached” accounts. Scammers will also ask for payment details to verify identities and attempt to transfer funds.
- Angler phishing: Hackers use social media to gain sensitive information and download malware. They can also use data from social media to create more advanced and targeted attacks.
In addition to warning employees of the various ways to phish, organizations can implement technical controls to help filter down phishing emails and security controls to ensure emails are coming from valid sources.
Step Three: Take Accountability
The final step in the process is accountability. Each employee should know exactly what steps to take when they spot a phishing email. Anyone who accidentally clicks on a phishing email and realizes it should immediately report the incident to their respective IT or security department(s) for faster identification and response times.
The goal is for The Golden Rule of Email - treating every email as if it’s a phishing attempt - to become second nature for everyone. If you habitually follow this rule, you will instinctively verify certain elements before taking any action on an email. It becomes more than just another rule to follow; it’s a habit backed up by a process.
