If I had to pick the most important hint, the single most suspicious red flag to me is a strange-looking hyperlink that does not point directly to a valid, trusted domain, especially if it goes out of its way to fraudulently appear as if it points to a legitimate domain or trusted brand (e.g., microsoftustechsupport@outlook.com, techtalk@google.com.rogueserver.biz, or returns.amazon@amazongproducts.ru). I think teaching people to always hover over ANY URL link and how to recognize bogus links is one of the single best training topics possible. If you can teach this single skill, you’re going to stop a lot of phishing from being successful.
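The following Python sketch is an added example, not part of the original article: it applies the "which domain does this really point to?" check to the three addresses quoted above. The `TRUSTED` allowlist, the function names, and the two-label approximation of the registered domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist (not from the article): brand keyword -> domains you really trust.
TRUSTED = {
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
    "amazon": {"amazon.com"},
}

def split_target(target):
    """Return (local_part, host) for an e-mail address or a URL."""
    if "://" in target:
        return "", (urlsplit(target).hostname or "").lower()
    local, _, host = target.rpartition("@")
    return local.lower(), host.lower().rstrip(".")

def registered_domain(host):
    # Simplification: keep the last two labels. Real tooling should consult
    # the Public Suffix List so that names under e.g. co.uk are handled correctly.
    return ".".join(host.split(".")[-2:])

def red_flags(target):
    """List (flag, brand) pairs for a sender address or hovered link target."""
    local, host = split_target(target)
    domain = registered_domain(host)
    flags = []
    for brand, trusted in TRUSTED.items():
        if domain in trusted:
            continue  # really is this brand's domain
        if any(host.startswith(t + ".") or f".{t}." in host for t in trusted):
            flags.append(("trusted-domain-as-subdomain", brand))
        elif brand in host:
            flags.append(("brand-in-lookalike-domain", brand))
        elif brand in local:
            flags.append(("brand-in-local-part", brand))
    return flags

if __name__ == "__main__":
    # The three addresses quoted in the article, plus one legitimate URL.
    for sample in ("microsoftustechsupport@outlook.com",
                   "techtalk@google.com.rogueserver.biz",
                   "returns.amazon@amazongproducts.ru",
                   "https://www.google.com/search"):
        print(sample, "->", red_flags(sample) or "no brand red flags")
```

Each of the three quoted addresses trips a different rule, which mirrors what a trained reader does by eye: find the registered domain first, then ask why a brand name appears anywhere else.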

The second most important sign is simply recognizing unexpected requests which, if performed, could lead to something bad. The request could be to do any of many different things, including:

  • Open and read a document
  • Click on a link
  • Visit a website
  • Provide login credentials
  • Process an invoice
  • Change banking or payroll information
  • Buy gift cards

Stressor Events

Most phishing emails contain a “stressor event”, which is a statement from the sender that if the user doesn’t perform the requested action now, there will be very negative consequences. For example, the invoice has to be paid now or the important business deal is off, or your password must be verified now or your account will be permanently locked. Train your employees to spot stressor event requests, and teach them that such requests should make them stop, look, and think before acting.

For training to be effective, it must be done more often than once a year or once a quarter. Ideally, training should be done at least monthly to get the most bang for the buck. We know that security awareness training works best when done at least once a month along with simulated phishing campaigns that test your users’ ability to spot potential phishing emails. Organizations that do this routinely take the percentage of users who will click a phishing email from about one-third or higher to about 5%. That’s a HUGE decrease in risk!

If you haven’t seen or used our Social Engineering Red Flags PDF, I encourage you to download and distribute it.