You’ll want to provide training for the people in your organization so they develop a healthy level of skepticism toward incoming email. You can put the training together yourself or hire an outside firm. Your best defense is vigilant colleagues. Most phishing attacks spread a wide net, so increasing the likelihood that even one person notices the deception allows you to respond and get the word out sooner. We’ll cover phishing responses later in this chapter.

Here are the basic points you’ll want to emphasize in your anti-phishing training.

Don’t embarrass your colleagues.
Be extra skeptical about emails with urgent deadlines.
Be suspicious of strange-looking domains in links and email addresses.
Be skeptical about attachments.
Consider whether the premise of the email makes sense.

Let’s look at each of these points.

First, you need to make sure that if people get phished they’ll feel safe enough to report that right away. People won’t feel safe if they’re teased or blamed for getting phished. They won’t feel safe if they see those things happen to someone else, either. The sooner you find out that someone handed over their credentials, the less damage there will be. If your colleagues are worried that they’ll get in trouble for coming forward and announcing that they got phished, they are more likely to just clam up and hope the whole thing blows over without telling anyone.

A trait common to many phishing emails is a sense of urgency to get the victim to act quickly. One example of this is a phishing email that was forged to appear to be sent by a company executive who needs help handling an important customer request right away. Another example is a phishing ...

Social Defense