
Train Your Employees to Recognize Phishing Emails

Recognizing fraudulent emails and phishing scams is no easy task. It is important for you and your team to understand the dangers of falling prey to these scams. Read about how you can protect your company from malware and other phishing-related dangers through education and reporting.

You do a great job protecting your workplace with locks on the doors, cameras keeping an eye on inventory, and background checks on your employees — but you may have given little thought to protection against scams. Today’s online scam artists often use phishing techniques that threaten your company’s security. Simply training your staff to recognize a phishing email and deal with it appropriately can add an important layer of protection to your business, possibly even saving it thousands of dollars.

What is Phishing?

Phishing is an online scam where cybercriminals impersonate a legitimate company or organization in an attempt to steal sensitive information or money. This is usually done through phone calls, emails, text messages, or pop-up advertisements.

Information that may be lured out of your employees can include their personal data like SIN, credit card, and banking information, or company data like client lists and your clients’ financial details and account passwords.

What Do Phishing Scams Look Like?

Cybercriminals have gotten far more sophisticated than the “Nigerian-princes-offering-you-money” scams of old. Now, one of the top schemes used to steal your money or sensitive data is phishing. A phishing email tricks you into clicking a link that leads to a fraudulent webpage, or into opening an attachment. Once you’re on that page, the fake site collects personal information — possibly including private identity data, bank account information, or passwords — and the link or attachment often installs malware on your computer. One widely cited industry estimate puts the share of malware that arrives via phishing emails at around 91%.

Phishing emails are sometimes easy to spot due to misspellings or fake logos that shouldn’t fool anyone. Sometimes, though, they are extremely sophisticated, filled with personal information that leads you to believe they’re real, or written in an urgent tone that demands a response. That panic-inducing message from your bank claiming your account has been compromised is probably a phishing email designed to make you click just to check that everything is okay.

Tips for Recognizing a Phishing Email

You may feel that you’re able to recognize fraudulent emails and therefore you’re safe. While that may be true, your company can be in big trouble if one of your employees fails to spot a phishing attempt when they see it. Just one click, or one password typed into a fake login page, can give cybercriminals a foothold on your network.

Teach your employees how to identify phishing campaigns and emails by looking for the following signs:

  • Look at the actual sender address, not just the display name, and watch for addresses that are close but not exact. For instance, a phishing address may end in “.co” rather than the expected “.com” or “.ca”, or insert an extra word into a familiar company name.
  • Verify all links in the body of the email by hovering over them to see the URL they actually go to. If the real address doesn’t match the link text or the sender’s domain, don’t click. On a phone, where you can’t hover, press and hold the link to preview it, or simply don’t tap it.
  • Look for logos that feel a bit off, as well as misspellings or grammatical errors in emails from reputable institutions such as banks or government offices.
  • Be suspicious of emails that request passwords, personal information, or money.

The most important rule: Don’t click on a link, and don’t download attachments, unless you’re positive you know the sender. Remember that the sender’s name and address can be forged, so if you have any doubt, check with that sender through a channel you already trust, such as the phone number you have on file, rather than by replying to the email.
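The address and link checks in the tips above can be automated as a first pass over a suspicious message. The following Python script is an added example; it is not code from the original article or from QuickBooks. It reads a raw email, compares the visible link text with the real link target (the same thing hovering reveals), flags sender or Reply-To domains that imitate a trusted domain (“.co” for “.ca”, or a familiar name with an extra word inserted), and notes pressure language in the subject. The trusted-domain list, the urgency word list, and the two sample messages are constructed for the example, and `registered_domain` deliberately keeps only the last two labels of a hostname, so it does not handle suffixes such as co.uk.

```python
"""Triage a raw email for the phishing signs listed above (added example; not code
from the original article). Trusted domains, urgency words and both sample messages
are constructed for illustration."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.ca", "intuit.com"}   # assumed for the example
URGENCY_WORDS = ("urgent", "immediately", "suspended", "final notice", "within 24 hours")

# Constructed samples: one with the warning signs, one without.
PHISH_EML = b"""From: "Example Bank Security" <alerts@example-bank.co>
Reply-To: recover@example-bank-verify.com
Subject: URGENT: your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Please <a href="http://login.example-bank.co/verify">sign in at https://example-bank.ca/</a>
within 24 hours or your account will be closed.</p></body></html>
"""
CLEAN_EML = b"""From: "Example Bank" <statements@example-bank.ca>
Subject: Your March statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>View it at <a href="https://example-bank.ca/statements">https://example-bank.ca/statements</a>.</p></body></html>
"""

def registered_domain(host):
    """login.example-bank.co -> example-bank.co (simple; ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None. Catches ".co for .ca" (same name,
    different top-level domain) and padded names such as example-bank-verify.com."""
    if domain in TRUSTED_DOMAINS:
        return None
    name = domain.rpartition(".")[0]
    names = {t: t.rpartition(".")[0] for t in TRUSTED_DOMAINS}
    for trusted, tname in names.items():
        if name == tname:
            return trusted
    for trusted, tname in sorted(names.items(), key=lambda kv: -len(kv[1])):
        if name.startswith(tname + "-") or name.endswith("-" + tname):
            return trusted
    return None

class LinkExtractor(HTMLParser):
    """Collect (real target, visible text) per <a>: what hovering over a link shows."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw):
    """Return a list of warning signs found in a raw RFC 822 message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = msg["From"].addresses[0].domain.lower()
    target = lookalike_of(registered_domain(from_domain))
    if target:
        findings.append(f"sender domain {from_domain} looks like {target} but is not it")

    if msg["Reply-To"]:   # replies silently diverted to a different domain
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if registered_domain(reply_domain) != registered_domain(from_domain):
            findings.append(f"replies go to {reply_domain}, not the sender's domain {from_domain}")

    subject = str(msg["Subject"] or "").lower()
    pressure = [w for w in URGENCY_WORDS if w in subject]
    if pressure:
        findings.append("subject uses pressure language: " + ", ".join(pressure))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            real_host = registered_domain(urlparse(href).hostname or "")
            shown = re.search(r"""https?://[^\s<>"']+""", text)
            if shown:   # the text shows one URL, the link goes somewhere else
                shown_host = registered_domain(urlparse(shown.group()).hostname or "")
                if shown_host != real_host:
                    findings.append(f"link text shows {shown.group()} but points to {href}")
            elif lookalike_of(real_host):
                findings.append(f"link {href} points to a lookalike of {lookalike_of(real_host)}")
    return findings

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(label + ":", check_message(raw) or "no warning signs")
```

To use it on a real message, save the email from your mail program as a .eml file and pass its bytes to `check_message`. Treat the output as a triage aid, not a verdict: a message with no findings can still be a phishing attempt, and the hovering rule in the tips above still applies to every link you see.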

What Other Forms Do Phishing Attacks Take?

It is important for you and your employees to remain vigilant when it comes to phishing attacks, and not all of them arrive by email. Here are other types of phishing scams to be on the lookout for:

  • Spear Phishing: These attacks target specific individuals within an organization. Rather than sending malicious emails through a mailing list, these emails target specific employees at specific businesses and organizations. These emails are usually more personalized, which can trick the victim into thinking they have a legitimate relationship with the sender.
  • Whaling: This is similar to spear phishing, but instead of targeting any employee within a company, scammers will specifically target senior executives, like the CEO or CFO. They target high-ranking executives due to their access to more sensitive information than lower-level employees. These emails tend to be more urgent or high-pressure, such as a threatening lawsuit, which will make the victim more likely to click on any malicious links or attachments.
  • Smishing: Much like email-based phishing, smishing (SMS phishing) uses text messages to carry out an attack. Scammers send texts that appear to come from legitimate sources and contain malicious links, often disguised as coupon codes or giveaways.
  • Vishing: Vishing (voice phishing) is the same idea carried out over the phone. A caller, often automated, poses as an authoritative company and asks for personal information such as a SIN, banking details, or other financial information. These attacks are frequently directed at your clients, so it is imperative that your client or customer information is kept secure.
  • Clone Phishing: This type of phishing uses a replica of a recent message you’ve received by resending it from a seemingly credible source. Any links or attachments from the original email are replaced with malicious ones.
  • Evil Twin Phishing: This form of attack involves setting up a rogue WiFi network that imitates a legitimate one by using the same name. Victims who connect are sent to a phishing page that asks for private data, such as login credentials, which goes straight to the scammer, who can then use it to get into the victim’s accounts and steal sensitive information.
  • Social Media Phishing: This is when hackers use social media sites like Facebook, Instagram, or Twitter to get victims’ sensitive data or convince them to click on malicious links. They do this by creating fake accounts impersonating someone the victim knows or they may impersonate a brand’s customer service account. It is important to be vigilant about anyone who might be impersonating your small business online.

How to Protect Your Business From Phishing Scams

You can protect your business from the malicious effects of phishers by, first, training your employees to recognize phishing emails and to handle them properly. The right response is to report the message to whoever handles IT or security for your business before deleting it from the mailbox and from the trash: reporting lets you warn other staff and have the same message removed from their mailboxes, which simply deleting it does not. If an employee mistakenly clicks on a link in a phishing email, or types a password into the page it leads to, they should report it immediately, change that password (and anywhere it was reused), and have the computer scanned with up-to-date anti-virus software, since a single click can be enough to install malware.

Make sure employees feel comfortable reporting the small mistake of clicking on a spam link by establishing a simple protocol for reporting phishing incidents. You don’t want an employee’s fear of getting in trouble to let great damage be done to your proprietary information and your network. In addition, help protect others by reporting phishing attempts to the Canadian Anti-Fraud Centre and, for unsolicited commercial email, to the Government of Canada’s Spam Reporting Centre.

You can also conduct phishing awareness training that will help your employees recognize phishing scams before they fall victim to them. Bring in cybersecurity experts to run a training session at the office, or have your HR department conduct seminars for your staff.

How to Report a Scam Number or Email

As previously mentioned, you can contact the Canadian Anti-Fraud Centre through its online reporting system; the Centre is operated jointly with the RCMP. Before you report a phishing attack, here are some steps you can take:

  1. Collect your thoughts and data: It is important to stay calm and gather any information that can help the investigation. This could include copies of the emails and text messages (with the full message headers, if your mail program can show them), documents, receipts, and phone numbers.
  2. Contact your IT or security contact and your HR department: If you suspect you have been a victim of a phishing attack, the people responsible for your systems need to know right away, and HR can let the company know so that your co-workers or employees won’t fall victim to the same scam.
  3. Contact any clients: Make sure that any clients who might be affected by the phishing attack are made aware of what is happening. Assure them that you are taking the proper steps to keep them safe and are contacting the proper authorities.
  4. Contact the Canadian Anti-Fraud Centre at 1-888-495-8501 or the RCMP.

It's important that you or your employees don’t feel embarrassed by falling victim to phishing attacks. These scams are becoming more sophisticated and harder to detect. This is why it is imperative that you have security awareness training and a reporting system in place and that everyone is aware of the protocols.

When you train employees to recognize scam emails and establish a protocol for reporting them, you add a valuable layer of protection to your online activities and data. You can also choose software with built-in security protections for an extra layer of security. QuickBooks Online offers users a secure way to run their business.
