Phishing and the cone of shame

Phishing emails can be very convincing, especially if you are busy, stressed or distracted. Being phished can happen to anyone, but it can be very embarrassing to own up to being fooled.

Many people are deeply embarrassed about being tricked. This is true in people’s private lives, but the embarrassment may be even worse at work. Your staff may be concerned about their reputation—even their jobs—and may not like to report it.

We recommend providing regular security awareness training for your staff—ideally, little and often, so that it is fresh in people’s minds. That training should emphasise the reasons why anyone who thinks they’ve fallen prey to a phishing lure should report it—and who they should report it to.

These reasons are primarily:

  • For the employer
    • So that any bad consequences resulting from this phish can be minimised as quickly as possible, and defences strengthened
    • So that colleagues can be alerted to the nature of the most recent phishing attacks—in case anyone else in the organisation receives the same type of attack—reducing the risk to the business
  • For the wider business community
    • So that people in the wider community can be alerted to the most recent phishing types, reducing the risk that other people may be tricked (and reducing the possible value of the scam for the scammer)
  • For the wider security community
    • So that people in the wider security community can work to establish defences against that type of phish—and perhaps even track down the scammers by putting together lots of small pieces of information provided by those who have experienced that attack.

The shameful act isn’t being phished—it’s the scammer who should be embarrassed. Reporting phishing attempts not only to your own security personnel, but also to Action Fraud and the NCSC, for example, can help spread the word and protect others.

We recommend that you reassure your staff that they won’t be punished for reporting such problems, and make it clear who they should report it to, and why.