Although phishing has been a problem for years, phishing emails have increased by an estimated 600% over the past two years. Setting a record number of cyber-attacks in that time, phishing continues to be a go-to source for hackers.
Because of the mass number of phishing emails targeting victims every day, it is more important now than ever to remember The Golden Rule of Email. This modern version of the well-known principle is to treat every email as if it’s a phishing attempt.
The cybersecurity field as a whole has been preaching phishing training for years. October of 2021 marked the 18th year of Cybersecurity Awareness Month, yet we still see record-breaking attacks and losses.
To help fix this recurring problem, organizations should consider modifying their training approach to focus on building habits versus one-off lessons. Instead of solely teaching specific details to look for, focusing on building a repeatable process can have a more significant impact. It’s not the security awareness training alone that makes the difference, but the repeated steps taken while investigating an email.
Implementing The Golden Rule of Email
There are three steps to implementing The Golden Rule of Email concept in any organization:
Introduce and apply the concept company-wide.
Build phishing awareness skills.
- Take accountability
Figure 2: The Golden Rule of Email process
Step One: Introduce and Apply the Concept Company-wide
The first step in implementing The Golden Rule of Email is establishing it as part of onboarding techniques and general practices, similar to how employees comprehend the mission or values of a company.
Ultimately, the rule would be adopted by leadership and management teams and woven into training and educational tools to be mastered by every employee.
Suppose every employee was prompted to recite The Golden Rule of Email and the process it takes to spot phishing, with everyone responding promptly and accurately. In that case, employers and businesses might get a better sense of just how their company sits when it comes to defending against phishing attacks.
Step Two: Build Phishing Awareness Skills
Once the initial concept of the rule is adopted across the company, it's time to start building the skills necessary to support the rule and act against any suspicious activity.
A crucial step in helping employees steer clear of phishing emails is asking the Three Ws - who, what, and why. You should consider questions similar to the following for every email received:
- Do I know the sender?
- Is this someone I usually communicate with?
- Is the email sent to an unusual group of people?
- Is the email address spelled correctly?
- Does the email address match the email in the signature?
- What action does the sender want me to take?
- Does the email contain bad grammar, odd styling, or typos?
- Is the email written in a style consistent with the sender?
- Is the action something you’d expect from the sender?
- Is it an urgent request?
- Why do they want me to click on a link, download an attachment, or send information?
- Are they presenting a sense of urgency?
- What is the consequence they are threatening if no action is taken? Is it something I should expect?
- Have they presented an unusual situation? Is it something I should expect?
- If you've gone through the who, what, and why questions and you have any doubts, you should verify the email.
- Contact the sender via phone, internal chat software, or in-person conversation to verify the validity of a suspicious email. Do not reply to the suspicious email asking for verification.
It’s also important to be wary of different phishing types:
- Email phishing – Emails using fake domains to collect private and financial information.
- Spear phishing – A more malicious email targeting specific people. Hackers typically have private information about the individual in which they’re targeting, like their name, job title, and email address.
- Whaling – Emails targeting senior-level staff and management, using scams and spoofed website links to pry into bank accounts, financial information, and personal details.
- Smishing and vishing – Instead of emails, this form of phishing utilizes texting and over-the-phone conversations where scammers pose as fraud investigators warning individuals of “breached” accounts. Scammers will also ask for payment details to verify identities and attempt to transfer funds.
- Angler phishing – Hackers use social media to gain sensitive information and download malware. They can also use data from social media to create more advanced and targeted attacks.
In addition to warning employees of the various ways to phish, organizations can put technical controls in place to help filter down phishing emails and implement security controls to ensure emails are coming from valid sources.
Step Three: Take Accountability
The final step in the process is taking accountability. Each employee should know exactly what steps to take when they spot a phishing email. Also, anyone who accidentally clicks on a phishing email and realizes it should immediately report the incident to their respective IT or security department(s) for faster identification and quicker response times.
The goal is for The Golden Rule of Email - treating every email as if it’s a phishing attempt - to become second nature for everyone. If you habitually follow this rule, you will instinctively verify certain elements before taking any action on an email. It becomes more than just another rule to follow; it’s a habit backed up by a process.