Employees Just Keep Falling into Phishy Email Traps

July 19, 2022


Just two years ago, the U.S. Federal Trade Commission received more than 2.2 million fraud reports from consumers, and a high number of business owners have reported an uptick in ACH fraud this summer. Many can trace the fraud back to a phishing email.


Notably, these are smart, sophisticated, security-aware leaders who say even the most up-to-date security practices are failing to mitigate 100 percent of the risk.


That’s because fraudsters are nothing if not iterative. When one scam runs its course, they simply pivot to another. Not long after that, they return to their original tricks, targeting a new set of victims with the same old traps.


While it’s true that intrusion-detection technology can fail, humans remain the weakest link in keeping cybercriminals at bay. Therefore, putting strong policies and procedures in place – and continually training employees on them – is an employer’s best chance at reducing the fallout from phishing emails. In fact, a new study found that after one year of security awareness and phishing training, the percentage of employees who click on a simulated phishing email drops significantly, to as low as four percent.


Here are three prevention concepts to consider including in your training to help employees avoid falling into phishy email traps.


1. Team Up with Transparency

Transparency is your friend when it comes to fighting fraud. Recent phishing campaigns have relied on employee and vendor impersonation: cybercrooks pose as trusted sources to obtain sensitive information, such as account numbers or passwords.


Equipping your team with information regarding vendor and team terminations, new contracts and other pertinent business relationships can help your employees more easily spot fraud attempts in real time.


2. Stick to the Phone

Fraudsters can deceive businesses into updating account information electronically or processing a direct deposit/debit authorization, resulting in losses in the tens of thousands of dollars.


Beware of emails that appear to be providing new account information or links to updated materials. Use caution even if the email seems to be coming from someone you know. Fraudsters are adept at spoofing legitimate companies and individuals.


Any time you receive an email that includes or requests otherwise confidential information, pick up the phone and call the sender. However, do not use any phone number contained in the email itself. Instead, use a number you already have on file or one you have tracked down independently.


3. Have a Contingency Plan

Despite all efforts to protect your business, you may still become a victim. This risk necessitates having a recovery plan in place.


Seventy-five percent of companies worldwide have experienced some form of phishing attack, forcing many leaders to take a “When-Not-If” stance to cybersecurity strategies. Banking partners can be strong resources and collaborators in the development of policies, procedures, training and recovery plans.


One of the first steps in your contingency plan should be notifying your bank team so they can begin working to recover any stolen funds as quickly as possible. Bank Iowa’s Treasury Management team regularly guides companies through the process and helps create contingency plans.