
In any cybersecurity strategy, accounting for human error is essential. By some estimates, phishing attacks – in which a bad actor attempts to obtain personal information from a target using deception – account for approximately 90% of business security breaches.

With the volume and complexity of phishing attacks increasing year after year, businesses need to continually educate their employees and leaders on how to recognize and handle them. Below, 20 members of the Forbes Technology Council share essential lessons and principles about phishing that companies should share with their team members and leadership group.

1. Attackers often seek to imitate authentic organizations and people

Spear phishing is one of the most common phishing attacks today. Attackers can impersonate an authentic organization, such as a third-party partner, or an individual, such as another employee. For example, an employee may receive a phishing email in which an attacker pretends to be the CEO and requests sensitive company information, credentials, or money transfers. – Jean Fay, ThreatX

2. Phishers can find a lot of information online

It is important to understand that there is a wealth of personal and organizational information available through search engines, social networks, and business resources. Phishers often use social media and company websites to gather personal information – information that can help them craft incredibly branded, personalized attacks that trick recipients into lowering their guard and providing a quick response. – Dustin Verdin, Zipline Logistics

3. Beware of email spoofing

A common phishing attack is email spoofing. This happens when an attacker sends an email that appears to come from a trusted source. These emails often contain credible logos, sender names, and content, and the goal is to trick recipients into clicking malicious links, downloading malware, or providing sensitive information. – Anne Lise Wall, AIBA

4. Don’t let yourself be rushed

Phishing scams often depend on urgency. The malicious message will give you a time-bound reason to log in to a trusted platform, such as, “Log in to confirm your account within 24 hours or it will be deactivated.” Don’t let yourself be rushed; when in doubt, take the time to access your account through the login page, never the link provided in the email. – Daniel Chong, Harpy

5. Always check the domain name in email links

Companies should educate their employees about how to deal with potential phishing emails. For example, many phishing emails impersonate businesses (such as LinkedIn, Twitter, etc.) or individuals (such as coworkers, superiors, or acquaintances). Always check domain names before clicking on email links. Be especially cautious if the email or subsequent website requests personal information or money. – Tim Liu, Hillstone Network

6. Phishing also happens through text messages

It is important for businesses to educate their team members about “smishing”, aka text message phishing. Although it is not possible to prevent these scams completely, there are simple solutions to prevent and report these types of threats. However, it is most important that organizations take the first step: educate employees that smishing exists. – Miles Ward, Saada

7. Don’t automatically trust messages from ‘the boss’

Many phishing attacks use hierarchical leverage, in which the attacker impersonates someone in a higher position in the organization than the recipient. This can be a highly effective way for a threat actor to elicit a quick, almost-automatic response from employees. – Tim Phemister, NetExperts

8. Keep your Microsoft 365 account secure

The most sought-after credentials by cyber threat actors are for Microsoft 365 accounts. Phishing attacks typically try to obtain these credentials, usually through a password reset or account confirmation request. Businesses should educate their teams that these emails attempt to communicate a sense of urgency that an account will be terminated or deleted or some other serious consequence if action is not taken. – Andrew Hollister, Logarithms

9. Work closely with the security team

Threat actors are increasingly relying on social engineering to break into an organization’s security systems. Employees should exercise due diligence when interacting with any suspicious email, phone call, text or other form of communication. Bad actors rely on employees who are the weakest link. It is important that you work closely with your security teams and always practice good cyber hygiene. – Kevin Lynch, Optiv

10. Make sure names and email addresses match

The biggest red flag for any employee should be when they are contacted via an email address that has not been used to contact them before. Regardless of the type of phishing attack, just ask everyone to check that the name and email address match. Support it with your own “white hat” phishing campaigns. – Martin Taylor, Content Guru
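Tips 3, 5 and 10 above each describe a check a recipient (or a mail gateway) can make: does the display name match the real sender address, does the visible text of a link name the same host as the link actually points to, and did the receiving server's SPF/DKIM/DMARC checks pass? The script below is an added example, not code from the article or from any of the contributors, that runs those three checks over a constructed sample message. The sample email, the hostnames in it and the `ORG_DOMAINS` set are all hypothetical, and the authentication verdicts are taken from the `Authentication-Results` header a receiving gateway writes, so the script performs no network lookups.

```python
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message). The display name embeds an internal-looking
# address while the real sender is an external relay, the first link's visible text
# shows one host while its href points at another, and the receiving gateway's
# Authentication-Results header recorded SPF/DKIM/DMARC failures.
SAMPLE_RAW_EMAIL = """\
From: "Pat Chief <ceo@example.com>" <ceo.example.com@mail-relay.example.net>
To: employee@example.com
Subject: Urgent: confirm your account within 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=mail-relay.example.net
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Log in at <a href="https://login.example-com-secure.net/reset">https://login.example.com</a> within 24 hours.</p>
<p>Help: <a href="https://example.com/help">https://example.com/help</a></p>
</body></html>
"""

# Assumed (hypothetical): the domains the organization itself sends mail from.
ORG_DOMAINS = {"example.com"}

ADDR_RE = re.compile(r'^\s*(?:"(?P<q>[^"]*)"|(?P<bare>[^<]*?))\s*<(?P<addr>[^>]+)>\s*$')
EMAIL_LIKE_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def split_from(header):
    """Return (display_name, address) for a From: header; a bare address gives ('', address)."""
    m = ADDR_RE.match(header)
    if m:
        name = m.group("q") if m.group("q") is not None else m.group("bare")
        return name.strip(), m.group("addr").strip().lower()
    return "", header.strip().lower()


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL or bare domain in the link text, or '' if the text is not URL-like."""
    candidate = text if "://" in text else "https://" + text
    host = urlparse(candidate).hostname or ""
    return host.lower() if "." in host and " " not in text else ""


def check_from(header):
    """Tip 10: the display name must not claim a different address than the real sender."""
    findings = []
    name, addr = split_from(header)
    actual = domain_of(addr)
    claimed = EMAIL_LIKE_RE.search(name)
    if claimed and domain_of(claimed.group(0)) != actual:
        findings.append(f"display name shows {claimed.group(0)} but sender is {addr}")
    if actual and actual not in ORG_DOMAINS:
        findings.append(f"sender domain {actual} is outside the organization")
    return findings


def check_links(html):
    """Tip 5: a link whose visible text names one host but whose href goes elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, real = host_of(text), (urlparse(href).hostname or "").lower()
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


def check_authentication(results_header):
    """Tip 3: any SPF/DKIM/DMARC verdict other than 'pass' recorded by the receiving gateway."""
    findings = []
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results_header or "", re.I):
        if verdict.lower() != "pass":
            findings.append(f"{mech.lower()}={verdict.lower()}")
    return findings


def analyze(raw):
    """Run all three checks over a raw RFC 5322 message and return findings per area."""
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {
        "from": check_from(msg.get("From", "")),
        "links": check_links(body),
        "auth": check_authentication(msg.get("Authentication-Results", "")),
    }


if __name__ == "__main__":
    for area, items in analyze(SAMPLE_RAW_EMAIL).items():
        for item in items:
            print(f"[{area}] {item}")
```

Each check is deliberately independent: a message that fails only the link check is still worth a second look, and a message that passes authentication can still carry a mismatched display name, which is exactly the case where a trusted-looking name is attached to a freshly registered external mailbox. The `Authentication-Results` header is only meaningful when it was written by your own gateway; a sender can add one of its own, so production filters strip or ignore copies that do not carry the organization's own `authserv-id`.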

11. Even emails with a ‘personal’ touch can be phishing attempts

Today, pervasive attacks include emails that appear as if they come from your coworkers, asking for approval for things that may seem normal. These emails are often friendly, include a “personal” touch and, in many cases, seem legitimate. Using artificial intelligence capabilities, attackers are improving their techniques, and “time sensitive” requests make them very effective. Solution? Always double-check the request with a phone call. – Ofir Katzir, SensIP

12. Avoid opening email attachments and links

The problem is that with AI, phishing attacks not only look like legitimate emails, but they are created from legitimate emails. This means that it is almost impossible to rely on awareness to prevent phishing. Phishing attacks are successful because organizations allow attachments and embedded links to be placed in emails. Unless these are removed, no amount of awareness will stop advanced phishing attacks. – Eric Cole, Secure Anchor Consulting

13. ‘Vishing’ is on the rise

While much attention is focused on phishing via email and text, voice phishing (aka “vishing”) is on the rise. Human-to-human voice contact has very high power of persuasion. Awareness training is essential, but for added security, it should be combined with modern technological solutions designed to detect tell-tale call behavior that indicates the presence of a vishing investigation. – Roger Northrop, Mutare, Inc.

14. Keep an eye on unexpected messages or emails from sellers

Vendor email compromise is a subset of the traditional business email compromise scam, where attackers impersonate vendors to request payment for fraudulent wire transfers or fake invoices. They are highly successful because they take advantage of trusted vendor-customer relationships. Additionally, because discussions with vendors often involve payment, it becomes harder to detect attacks that mimic these conversations. – Mike Britton, Paranormal Security

15. Notify IT about ‘account expiration’ messages

One of the most common technical concerns is phishing related to account expiration. Employees will receive a message stating that the business or personal account will be expiring shortly and credentials or credit card information is required to continue services. Employees should always report these messages to their IT teams, as most successful breaches start with this type of misleading notification. – Danny Allen, Veeam Software

16. Deepfakes are becoming increasingly credible

With generic AI becoming easily accessible, deepfakes are becoming increasingly credible. From emails to texts to phone calls, bad actors can create perfect imitations that can fool even the most experienced professionals. Employees need to be aware of and educated about these attacks, but CISOs need to be equipped with passwordless and high-assurance, identity-based approaches to ensure the security of their data. – Anudeep Parhar, Trust

17. Senior officials may be targeted

A common high-risk phishing technique is “whale phishing”. It targets senior executives, potentially giving attackers valuable access to financial resources and the entire network. Perceptions of high-level security can be misleading; there is no such thing as 100% awareness. Businesses should prioritize comprehensive cybersecurity training at all levels of the organization. – Almog Epirian, Siolo

18. There are many ways to learn more about cybersecurity

It is always important for organizations to raise awareness about cyber security incidents, phishing and any malicious activities reported by employees. A number of methods can be used for this purpose, including e-learning, lectures by security experts, phishing drills and allowing employees to be informed of the company’s legal obligations and the risks associated with non-compliance. – Miran Gallese, Scytale

19. Real-world simulations can increase employee awareness

Cybercriminals are using AI to make phishing emails appear more realistic than ever, significantly increasing the likelihood that victims will click on a malicious link or open an attachment. Organizations should deploy real-world simulations to test employees’ awareness and vigilance of phishing threats and to help train and reinforce proper practices when users encounter targeted attacks. – Michael Xie, Fortinet

20. Always report phishing attempts (including successful attempts)

Users need to feel safe. They need to know that they can report phishing attempts without any negative ramifications, including if they are the victim of an attack. Rapid detection and response is critical to removing attackers from the environment and (more importantly) preventing the breach. – Tim Medin, Red Seas