One of the most effective ways to protect your organization is by sending phishing awareness emails to your employees. So what should you include in these emails in the first place?
Have you ever received a suspicious email that you ended up ignoring or immediately deleting?
If I had to guess, most of you would probably say yes, at least to the part about receiving a suspicious email. And hopefully, you also answered yes to ignoring or deleting it. Why do I hope that?
Because chances are that these were phishing attempts. In 2020, these emails were the most common tactic by cybercriminals to steal data, so a majority of people probably received one. And 30% of these phishing messages get opened.
If you engaged with the message, then it’s possible you ended up with malware on your device or had your data compromised. For companies, this can result in massive financial impacts.
To prevent this from happening at your company, you want to make sure that all of your employees know what phishing is, how to identify an attempt, and how to avoid it. You can do this with more steps than just your annual cybersecurity training.
One way is by sending phishing awareness emails to your employees. This will remind them to stay vigilant of attacks so that your company doesn’t end up suffering a breach. So what should you include in these emails in the first place?
By the sounds of it, people might get confused if they hear the word phishing.
What do fish have to do with our company?
That’s not the kind of phishing we’re talking about when we’re referring to cybersecurity and data. But not everyone might know what these attempts entail.
So the first step to your phishing awareness emails is to explain that. If people don’t know what they are, then they’ll more likely fall victim to a phishing attempt.
It’s also important to explain these because not all attacks come through email. Sure, this is the most common method. According to Tessian, 96% of attacks come through malicious emails.
But hackers try other methods too, and your employees need to be aware of them. There are almost 20 types of phishing methods, including…
For instance, this diagram shows how they use the pharming technique…
Each of these uses different tactics by hackers to try to steal sensitive information, so employees should be aware that phishing attempts can come through other methods besides email.
But how will employees know how to identify a potential threat? Even the most common tactics through email can get overlooked by people and result in a breach. And now they have to pay attention to 10+ other methods?
Yes, that’s right. This can be overwhelming if someone doesn’t know what they should be paying attention to.
Because of this, you need to explain in your phishing awareness emails what kind of techniques to be cautious of. Break down each of these phishing methods with the risks to identify so that your employees will recognize them as an attempt.
Other phishing awareness emails should include statistics about these attempts. How often do they occur, and how many people get affected?
In 2020 alone, 75% of all organizations worldwide experienced a phishing attack. Unfortunately, many of these attempts are successful in stealing organizations’ data and have negative consequences for them.
By including statistics within awareness emails about how often attacks happen and what the impacts can be, employees realize how serious these incidents are. They’ll understand the importance of your emails and why they need to remain vigilant against phishing attempts.
Hackers like to use shock value in their attempts to grab the recipient’s attention and create a sense of urgency.
Likewise, you can add shock value to your emails too so that employees get the sense of urgency to stay vigilant. Some of the statistics that you add will do this already.
For instance, shock your staff by telling them the cost of phishing attempts. This gives them a stronger inclination to watch out for attempts, since no one wants to be the cause of so much money lost.
Phishing awareness emails shouldn’t stop at educational information about this type of breach.
They also need to update your team on any current threats. If anyone notices a phishing attempt within your company, you need to email your team about it.
This way, they stay extra cautious about what they click since they know that there’s an active risk. They’ll be less likely to let in a malicious hacker if you’ve given them a heads up about the attempt.
So how do you know that your work is paying off by putting in the effort to send these phishing awareness emails? You don’t want your staff to ignore them. That would make it a waste of time for you and pose a risk if recipients aren’t paying attention.
Well, there’s a simple solution: simulate a phishing attempt. You’re sending awareness emails anyway, so why not turn one into a phishing attack simulation?
Subject: Urgent Task Request
Body:
Hi [Employee's First Name],
Are you available at the office? I have a task I need you to complete right away. Can you please print this letter and leave it on my desk for when I return from lunch?
Thanks,
[Your First Name]
Have your administrative team create a fake email that appears to come from someone at your company. Of course, it isn’t actually that person; it just looks that way. But that’s the whole idea: to spoof the recipients into thinking it’s that person.
Then, send your employees an email from that account. Again, you want this to look like a legitimate message. Maybe it’s an urgent request from who appears to be the general manager. Or perhaps you send a downloadable attachment which, if it was a real phishing attempt, would include malicious code.
Once you send these simulations, you’ll notice which team members have been paying attention to your phishing awareness emails.
Did the employee verify that the sender’s name matched their company email address before clicking download? Did they instantly reply, engaging with this spoof account? Or did they inform the IT department that they suspected a phishing scam?
Regardless, creating a simulation will help identify how effective your awareness emails are and who has learned from them.
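The verification questions above (does the display name match the company address, is the reply going to a spoof account, is the message pushing urgency) can be turned into a simple triage check that IT can run over a reported message. This is an added example, not code from the original post; the company domain, the staff directory, and both sample messages are constructed assumptions, with the phishing sample modelled on the "Urgent Task Request" simulation template.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the organisation's own mail domain and a
# tiny directory of known colleagues (display name -> real address).
COMPANY_DOMAIN = "example.com"
INTERNAL_STAFF = {"Pat Lee": "pat.lee@example.com"}
URGENCY_WORDS = ("urgent", "right away", "immediately", "asap")

# Constructed sample: the simulation email from the post. The display name
# claims to be a colleague, but the address sits on a look-alike domain.
PHISHING_SAMPLE = """From: Pat Lee <pat.lee@examp1e-mail.net>
Reply-To: replies@examp1e-mail.net
To: alex@example.com
Subject: Urgent Task Request

Hi Alex,
Are you available at the office? I have a task I need you to complete right away.
"""

# Constructed sample of a normal internal message for comparison.
LEGIT_SAMPLE = """From: Pat Lee <pat.lee@example.com>
To: alex@example.com
Subject: Lunch menu for Friday

Hi Alex, here is the menu for Friday.
"""

def check_message(raw: str) -> list[str]:
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # 1. Display name matches a known colleague, but the address does not.
    expected = INTERNAL_STAFF.get(name)
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' does not match directory address {expected}")
    # 2. Sender domain is not the company domain.
    if domain != COMPANY_DOMAIN:
        findings.append(f"sender domain '{domain}' is external")
    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_to}' differs from From address")
    # 4. Pressure language in the subject or body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings
```

A message that trips the first check alone is enough to forward to IT rather than reply to; the directory lookup is the single most reliable cue because it does not depend on spotting a look-alike domain by eye.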
Now that I’ve given you some ideas for your phishing awareness emails, where do you start? It can be overwhelming trying to come up with effective messages since there’s so much information that’s important to include.
The first step is to break it down. Don’t try to cram all of these details into one email. No one’s going to read all of that. Research shows that it’s best not to go over 125 words in an email, and between 75 and 100 words is most effective. It isn’t necessary to stay within this range if it would compromise the importance of the message, but click-through rates decrease after 200 words.
So you’ll want to break up the information into several emails anyway. Let’s take a look at some options that you can use.
Subject: If It Smells Fishy, It's Probably Phishing
Body:
Team,
With data breaches on the rise, I wanted to take the chance to remind you to stay vigilant against phishing attempts.
Hackers use fraudulent practices to spoof people into giving up their data. The most common technique is email phishing. Hackers send messages that appear legitimate or look like they're from someone you trust so that you engage with the message or click on malicious attachments.
If something seems fishy...it's probably phishing. Here are some tips to keep in mind to avoid falling victim so that we protect our company and its data:
Thank you in advance for your vigilance,
[Your First Name]
This email summarizes what phishing is and explains the most common type of threat (email phishing). It also gives tips to watch for so that the recipients don’t fall victim.
Subject: $1.52 Million in Lost Business
Body:
Team,
I know what you might be wondering.
"How did we lose that much business?!"
Well, we didn't lose that much yet. With your help, we never will. Breaches cost an average of $1.52 million in lost business. And a phishing attack costs an average of $4.65 million.
Because of these steep financial losses, we need to remain vigilant against phishing attempts. If you suspect any unusual activity, especially in your inboxes, please notify the IT team or management immediately. Remember, do not engage with any suspicious messages until we deem them safe.
Thank you for your cooperation,
[Your First Name]
This message uses shock value to grab employees’ attention. The subject line takes the recipient by surprise. We lost how much business?!
Then, the message goes into explaining the cost of falling victim to a phishing attack. This emphasizes why it’s important to be cautious against attacks and watch out for threats.
Subject: $1.52 Million in Lost Business
Body:
Team,
This morning, we received the following phishing attempt:
[Insert screenshot of phishing attempt here]
Luckily, one of our team members recognized that this was a suspicious email and immediately notified our IT team. Hackers often make multiple attempts to compromise company data.
Please be on guard against phishing attacks in general. I have blocked the domain of the sender from sending us more emails. Should you receive a suspicious email, DO NOT engage with these messages, DO notify our team, and DO delete them from your inbox.
Thank you,
[Your First Name]
In the email above, administrators warned the team about an active attempt. An employee noticed a phishing scam in her inbox, so she informed management. They then sent an email to the entire team, just in case the hackers were targeting any other employees.
That way, everyone on the team knows that there are messages they need to watch out for. And it’s a nice reminder to always stay cautious since anyone can become a target.
Because of the financial and business costs of a phishing attempt, staff must know how to identify and avoid these threats.
Email phishing campaigns are the most common technique by cybercriminals, and they’re the second-costliest type of breach.
But these threats don’t need to be inevitable. As with anything in cybersecurity, training is necessary. And you can continue to offer this training through phishing awareness emails that you send to your employees.
That way, they continue to get reminders of how to recognize attempts and avoid falling for scams. With just a little bit of effort, providing these details to employees helps them prevent these threats so they can keep your company data safe.