You’ve done a baseline phishing test to see the risk to your organization, you’ve started a simulated phishing program to expose your employees to safe, training versions of malicious emails, and you’ve scheduled regular online trainings. With today’s changing security landscape, a “set it and forget it” approach may not be enough.

Regardless of your company’s specific security infrastructure, educating your employees can have a significant impact on your level of vulnerability. High-value targets such as finance and executive-level employees can be trained in person for more targeted learning, which gives them time to clarify issues and ask questions.

Simply walking through the parts of a received email and demonstrating a few things to check will boost their security awareness, and therefore your company’s security.

Date: Maybe this is from someone you know, but does the time make sense? Was it received in the middle of the night even though it is not urgent?

From: Do you know this person? If your answer is yes, does their email address match what you know it to be? I often see emails with our CEO’s first and last name, but closer inspection shows a random email address.

Subject: Subjects are pretty harmless, but be on the lookout for “Re: Re: Example Subject”, which makes it seem as if the spammer is replying to an email you sent them. A simulated reply is easy to spoof in an outgoing email.

To: Do you know the other people the email was sent to? Are they your usual teammates or a random sampling of company employees? Or are they just people whose last name begins with the same letter?

Message: The text often contains the main trick of a crafted phishing message. Is the email threatening or embarrassing in any way? Is the grammar or word choice (especially the greeting) unusual in any way? Are there any links to click on? If so, hover your cursor over the link without clicking and check whether the link preview matches where the link claims to go.

Attachments: Be wary of any attachments. If the checks above turn up red flags and you’re not expecting an email like this, there’s a good chance the attachment links to malware, or it could itself carry a destructive payload, such as backdoor access into your computer. Even if you know the person, if you aren’t expecting the attachment, at least check the email headers and verify that it actually came from the stated sender.
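
The checklist above (Date, From, Subject, To, Message, Attachments) can also be turned into an automated triage pass for suspicious messages reported by staff. The following is an added example, not code from the original post; the sample message is constructed, `OUR_DOMAIN`, the 07:00-19:00 business-hours window and the pressure-word list are assumptions, and the recipient check approximates “same last-name letter” by comparing the first letter of each address.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample showing the red flags from the checklist above (not a real message).
SAMPLE_EML = """\
From: "Jane Doe, CEO" <jd.urgentpay@mail-example.test>
To: alice@example.test, adam@example.test, andy@example.test
Subject: Re: Re: Wire transfer
Date: Tue, 03 Oct 2023 03:14:00 +0000
Content-Type: text/html; charset="utf-8"

<p>Please review immediately or your account will be suspended.</p>
<p><a href="http://login-example.test/verify">https://portal.example.test/verify</a></p>
"""
OUR_DOMAIN = "example.test"  # assumption: the organization's own mail domain
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def header_flags(msg):
    flags = []
    if not 7 <= parsedate_to_datetime(msg["Date"]).hour < 19:  # Date: middle of the night
        flags.append("sent outside business hours")
    name, addr = parseaddr(msg["From"])
    if addr.rsplit("@", 1)[-1].lower() != OUR_DOMAIN:  # From: familiar name, foreign address
        flags.append(f"display name '{name}' but external address {addr}")
    threaded = msg["In-Reply-To"] or msg["References"]
    if re.match(r"(?i)^(re|fwd?):", msg["Subject"] or "") and not threaded:  # Subject: fake reply
        flags.append("claims to be a reply but carries no In-Reply-To/References")
    rcpts = [parseaddr(r)[1] for r in (msg["To"] or "").split(",")]
    if len(rcpts) > 2 and len({r[:1].lower() for r in rcpts}) == 1:  # To: alphabetical slice
        flags.append("all recipients start with the same letter")
    return flags

def body_flags(msg):
    flags = []
    part = msg.get_body(preferencelist=("html", "plain"))
    text = part.get_content() if part else ""
    for href, shown in LINK_RE.findall(text):  # Message: link text vs. real destination
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if shown.startswith("http") and urlparse(shown).netloc != urlparse(href).netloc:
            flags.append(f"link reads {shown} but points to {href}")
    if re.search(r"(?i)\b(immediately|suspended|urgent)\b", text):  # threatening tone
        flags.append("pressure language in body")
    flags += [f"attachment present: {a.get_filename()}" for a in msg.iter_attachments()]
    return flags

def triage(raw_eml):
    msg = message_from_string(raw_eml, policy=policy.default)
    return header_flags(msg) + body_flags(msg)
```

Running `triage(SAMPLE_EML)` returns one flag per red flag in the constructed message; an empty list means none of the checklist items fired, not that the message is safe.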

I recently conducted an in-person training based on these ideas for a team of high-value targets that, up to that point, had a higher-than-average rate of clicking on simulated phishing emails. They have been phished weekly for the past 3 months, and I am pleased to report the entire group has clicked on exactly zero of the simulated phishing emails. It proves that some basic knowledge of how phishing emails are crafted and repeated exposure to social engineering can improve any organization’s security posture.