This is how you protect your remote workers from phishing
Editor's note: This post was originally published in October 2022 and has been updated for comprehensiveness.
Remote work has become increasingly common in today's work culture. In fact, according to a survey by Pew Research Center, about one-third (35%) of employees who can work remotely are now doing so full-time, with another 41% following a hybrid schedule.
However, with the increase in remote work due to Covid-19 also came an unfortunate rise in cybercrime, as noted by a report by Europol. Considering the fact that many of us are still working from home, it becomes even more crucial to prioritize cybersecurity measures in remote work settings.
Different level of security at home
"When you work remotely, it's likely that you're at home following your own rules and habits for handling information securely," explains Jan-Willem Bullée, an assistant professor at the University of Twente and a research analyst at Awareways. "Sometimes, the organization's rules and guidelines can be overlooked."
"In addition, people are working on personal systems and other accounts that may not have the same level of security as our office devices. Additionally, secure file-sharing environments may not always be readily available. Moreover, seeking a colleague's opinion on an email becomes a bit more challenging when we are working remotely."
Humans are the weakest link
Even though spam filters and other security measures may stop most emails, it is still possible for a fake email to make its way into your inbox. When this happens, it becomes the recipient's responsibility to take action. "Humans are the weakest link when it comes to cybercrime," Jan-Willem explains. "One of the reasons phishing is so effective is that the attacker uses psychological principles to get victims to cooperate in the attack. Also called social engineering."
For example, take a look at the email below that a colleague within Appical received in his personal email. You can see that the sender is using authority by posing as the CEO of Appical. In addition, the recipient is pressured to respond as quickly as possible, creating a sense of time scarcity.
I hope this email meets you at the right time as I need you for some important task. I will be available via email at this time and will await your swift response.
Hans van Rijnswoud
CEO at Appical
“Attackers and criminals also evolve. Phishing emails are getting better and better and are also moving to other commonly used media, such as Whatsapp", says Jan-Willem. It takes one small moment of distraction, and the consequences can be huge. Opening an email or clicking on a link can cause a company a lot of damage, such as high costs, data theft or damage to the organization’s reputation. So it's important to recognize a phishing attempt and deal with it correctly.
5 tips to arm your employees against scammers
1. Know how to recognize a phishing email
In the past, phishing emails were full of spelling mistakes and poor English, but nowadays fake emails are increasingly difficult to distinguish from real emails. Especially now that attackers can use AI to craft flawlessly spelled emails
So, how can you spot fake emails? "First of all, check the sender, the destination of the link and whether you can expect to receive this email", advises Jan-Willem. "Suppose you share on LinkedIn that you are an HR consultant, then you might find an email about the newest gardening tools suspicious. However, if the email is related to your personal context, it can be much harder to recognize a potential attack."
"Knowledge is power. For the attacker, but also for you. First of all, slow things down. It's perfectly okay to wait before responding and to reach out to a colleague for an extra set of eyes on that email. Don't forget, that many organizations have a dedicated hotline for IT security. They can advise you as well."
2. Notify employees of the reporting procedure
"Employees are the ears and eyes of the organization. They see, hear and experience things. Also things that are suspicious. A strange phone call asking for personal information, an email with a link pointing to an unfamiliar website. When employees report suspicious situations, you get a picture of what is happening within the organization.
Communicate about this as well. If employees don't report anything, the security department may assume everything is fine. However, when the organization regularly updates employees on cybersecurity, it helps to bring the problem into focus. This reassures employees that they are not alone in their experiences of something strange happening.
3. Repeat the message
So, you've already educated your employees on how to spot phishing emails and where to report any cyberattacks. You're done, right? Well, not quite. "If you don't use knowledge or skills often, it will decline", explains Jan-Willem. "Repeat your message, and it will stay top of mind."
"By continuously practicing, you'll master a skill. Just think about writing, riding a bike, or driving a car. Remember how challenging it was at the beginning, but now, after a few years, you've improved significantly. The same principle applies to handling information securely. So, don't treat training and awareness as a one-time thing, but rather as an ongoing process. This holds true even beyond cyber security month."
4. Point out that it can happen to anyone
"Phishing can happen to anyone. People are busy and are not always as alert as they should be. Attackers know this too and take advantage of it. There is also a cognitive fallacy that does not help here. We often think that someone else is more likely to be the target of a cyber attack than we are.
This makes you less alert, makes you think security awareness materials don't apply to you and you will pay less attention to them. The danger of this? If you do become a victim of phishing, you're less likely to recognize the attack and won't be quick to act on it."
5. Provide an open culture
"It's important to make employees feel like they can discuss phishing attempts. "By discussing cyber security with colleagues, you can ask each other for help and keep each other informed. After all, two people know more than one and four eyes see more than two! Checking with a colleague can help you take the urgency (scarcity in time) out of an action.”
So check, check, double-check!
Join 6.956 HR and onboarding specialists!
Have all our latest onboarding news delivered to your inbox. Sign up for our monthly newsletter.
Digital accessibility: How to make your digital product inclusive?
An estimated 1.3 billion people – about 16% of the global population – currently live with some form of disability (WHO).
Vic's Learnings: Onboarding is always about people
Discover the importance of personalization in onboarding and how it contributes to the success of new employees in this blog post.
7 Tips for writing onboarding content with AI (+ Prompt Examples)
Discover 7 tips to enhance onboarding content with AI! Learn how Artificial Intelligence (ChatGPT) can create captivating, experiences for new hires.