ARTICLE
The Human Factors of Phishing Attacks

The dangers of complacency


With the frenetic levels of white noise on social media and in the news about phishing attacks, cyber security and data breaches, it’s easy to slip into the mindset that IT security vendors are scaremongering, or take the view that “it won’t happen to our business – our users are too savvy to click on dubious links or attachments”.

While some of those assumptions may not be entirely incorrect, taking a complacent attitude to the threat of phishing attacks in the current digital environment risks negligence.

We’re not going to quote high-level global figures for the financial damage phishing attacks bring to bear on businesses each and every day, as that’s been done to death elsewhere (including on our very own site).

But in this and a series of other similar articles on email security and phishing attacks, we’re looking more closely at the human factors involved in the attacks – and the inherent vulnerabilities these bring to the cyber defences of both companies and public sector organisations.

In this first article, we focus on the danger of complacency, and real-world scenarios in which the best-laid IT policies and training hit the rails (pun intended, as you’ll find out if or when you read on!).

Our company is well prepared – what risks could there be?

Although many companies now have sound policies, IT charters, formal staff training and awareness programmes, processes in place for reporting and managing security breaches (or suspected breaches), and largely and increasingly tech-savvy employees, there are still risks.

The first of these risks is the ever-increasing quality of phishing emails and the human factors that entails.

It’s always someone else that gets phished… right?

Wrong.

Just yesterday, this author, an extremely tech-savvy professional with nearly 20 years working in the IT industry, came extremely close to clicking a link in what turned out to be a phishing email notification that appeared to be from SharePoint. It appeared to be so genuine that the only thing that prevented a click-through and the consequences that could have ensued was the fact that I knew that my colleague was on summer vacation, and would not be working.

Otherwise, I’ll be honest, if I did not know that the supposed sender was on holiday, I would have clicked it. We don’t have additional security layers on our email system, just the standard features included in Microsoft 365 (more on that later).

This is just one example, and it actually surprised me that I came so close to falling for it, and then experiencing the strange feeling one gets when something that never happens to you then happens to you.

So however clued up you think your users are, IT teams should be wary of sitting pretty and thinking that everyone has been through the training, signed up to the IT charter, and knows where to report things. That is all great practice – but a safety net is also needed.

Would you like that to go, sir?

The situation that occurred yesterday was on a PC with a decent-sized screen at a desk in a fully focused working environment (or as close as this author gets to the latter). In other words, I saw the email come in, looked at it on a 16-inch monitor, and almost fell quite literally hook, line and sinker for it. It was only because I was lucky that I knew the sender well and something didn’t look quite right.

So imagine the situation where a busy salesperson (not to pick on sales people, but just to paint a picture) is on the train, standing because he didn’t manage to get a seat, with coffee in one hand and smartphone in the other.

That same email comes in. The sales guy hasn’t spoken to his colleague that’s actually on holiday, so has no idea she wasn’t at work. He sees that same “SharePoint” email come in, and as he’s got time to kill he has a look to see if it’s some new sales collateral or product information that might be useful. You know how this one ends.

While the salesman on the train part is fictitious, the question to ask is whether it’s outlandish or fanciful. If you still think it is, we challenge you to take our 2-minute test to find out how good your email security actually is – not how good you think it is.

Phishing is obviously a hot topic at the moment, so there’s plenty of further reading on MYREDFORT. Over the coming weeks in this series of articles on the theme of the human factors of phishing attacks, we’ll be examining how staff can become targets as a result of company databases being breached, the risks of relying solely on Microsoft 365 security, emerging trends in phishing, and a “how to of hackers”, so stay tuned.

For now, this article in particular outlines 4 steps to safer emails.
