
How Email Security Awareness Training Protects Against Phishing Scams

Business Email Compromise (BEC) is the formal term for a cyberattack in which someone's email account was used as part of the attack.

The FBI calls BEC “one of the most financially damaging online crimes.” According to the cybersecurity awareness training company KnowBe4, more than 90% of successful data breaches began with an email tactic called phishing.

Phishing is an email scam designed to trick a person into doing some kind of action, like clicking a link or downloading a file, to get access to your organization’s network.

Email remains a prime target for cybercriminals, yet it is still a business necessity, even as executive concern about email security grows.

And improving email security isn't as easy as installing a new spam filter. (Although, if you're not using advanced tools to filter email, that's an area that needs attention.) Cybercriminals can still sneak past spam filters and your other cybersecurity measures with a well-crafted phishing email.

So, how do you prevent your employees from inviting cybercriminals into your network? Through interactive, fun, engaging, and ongoing training.

There's no surefire way to block all phishing, so training employees how to spot these types of email scams is critical.

Why is email security awareness important?

Before we get into the specifics of email security training, it's important to understand the tactics that hackers use to manipulate your people.

To start, let’s take a minute to understand phishing.

  • Phishing is the leading security threat used in social engineering attacks. Phishing is an email scam that, if successful, allows hackers to access your organization’s confidential information.
  • Spear phishing is a more sophisticated, targeted attack. Spear phishing attackers use social media sites to gather information about users, executives, and companies. Compromised email accounts on either end of the correspondence can also be used. Cyberattackers tailor the phishing email with specific information, dollar amounts (when trying to trick someone into paying them), or even learn the email mannerisms of a person to really make it seem like they wrote the message.

With phishing, humans are your biggest threat to email security. The better informed your team is about social media and email security, the better chance your organization has to protect itself from these attacks.

What can I do to help my team become security aware?

Because so many data breaches happen as a result of human behavior, it's not realistic to expect your IT department to ward off all cyber threats. High-tech security measures are important and should be in place, but no technical control is foolproof against human error.

The first thing you need to do is make sure that every member of your team with access to your network (including email) understands the risks and consequences that can follow from every CLICK.

Many executives are taking action against phishing attacks with awareness training and protection applications. Here at VC3, we include security awareness training as part of our managed IT services to help our clients train their employees to recognize the signs of dangerous phishing emails.

What is email security awareness training?

With email security awareness training, you can create tests that spoof your own domain so they look like internal emails. This happens for real ALL the time, so it's important to train employees to spot them.

Because the test emails look so authentic, phishing tests are highly effective. Email security training can be done right at your team's own workstation or phone.

Here's what a phishing simulation can look like:

(Image: KnowBe4 email campaign example, a Skype-themed simulated phishing email)

Looks legit, right? That's the idea.

How does email security awareness training work?

Training begins with a customized simulated phishing test sent to your team.

The first simulated phishing campaign will give you a baseline for how likely your employees are to fall for phishing scams overall, and who specifically is most "phish-prone."

Let me give you an example: We recently ran a phishing simulation campaign for a healthcare provider with 100 employees. Out of those 100 employees, 22 people clicked on the phishing scam. The email looked like password reset instructions sent by their IT team. Of those 22 who clicked, 13 people entered their username and password into the website that fake email sent them to. THIRTEEN!

So, now that company knows who needs some extra training.

Here are a few things you can do with email security awareness training:

1. Customized Phishing Tests

When your objective is to train your team, you want a program designed with those people in mind—and who knows them better than you?

  • By Department – Email test templates can be customized based on your specific email threats. For example, accounting folks will be more susceptible to scams that claim to be the CEO asking them to send money somewhere.
  • Frequency – Schedule how randomly, how often, and how targeted you want the test emails to be delivered. The template library contains hundreds of thousands of emails, so users never receive the same test twice in the same year.
  • Consequences – Choose the landing page a user sees if they fail the test. You can choose to show your user which red flags they missed or redirect them to an error page.

The executives we work with typically choose to randomize their simulated phishing tests to be sent at different times of the day, on different days, and to different people. Most of our clients are set up on the automated customization for the tests to be delivered 1-2 times a month.

2. Specified Training Options

In addition to training with simulated phishing tests, training can be delivered as informational emails.

  • Training Videos – Executives can ask employees to watch training videos. Summary reports tell you who watched the training and who didn't.
  • Articles – Employees can read articles about cybersecurity, including up-to-date issues and threats they might be facing.
  • Vishing – A combination of voice and phishing, simulated vishing attacks are also available. These automated calls can be delivered to your team to test their vulnerability to phone scams.

3. Data Summary Reports

Let's say you think this training is a good idea and you roll it out. How will you know if this approach to email security training is working?

Enter: Monthly reports!

You receive a summary report PDF and a link to a full detailed report of the test results each month.

This report will show you how users responded to the simulated phishing tests and help you identify which members of your team are putting your organization at risk.
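As an added illustration (not part of the original post and not VC3's or KnowBe4's own reporting code), here is a small Python script that turns raw simulated-phishing results into the figures such a report gives: the baseline phish-prone percentage described above, the same rate per department and per campaign, how many people entered credentials, and who needs extra training. The result rows are constructed sample data, and the "needs training" rule (entered credentials, or clicked in two or more campaigns) is an assumption chosen for the example.

```python
from collections import defaultdict
from typing import NamedTuple

class Result(NamedTuple):
    user: str
    department: str
    campaign: str               # one simulated phishing campaign per month
    clicked: bool               # followed the link in the test email
    entered_credentials: bool   # typed a username/password on the fake page

# Constructed sample data (not a real campaign): two monthly tests, six people.
SAMPLE_RESULTS = [
    Result("alice", "accounting", "2024-01", True,  True),
    Result("bob",   "accounting", "2024-01", True,  False),
    Result("carol", "hr",         "2024-01", False, False),
    Result("dan",   "it",         "2024-01", False, False),
    Result("eve",   "hr",         "2024-01", True,  True),
    Result("frank", "sales",      "2024-01", False, False),
    Result("alice", "accounting", "2024-02", True,  False),
    Result("bob",   "accounting", "2024-02", False, False),
    Result("carol", "hr",         "2024-02", True,  True),
    Result("dan",   "it",         "2024-02", False, False),
    Result("eve",   "hr",         "2024-02", False, False),
    Result("frank", "sales",      "2024-02", False, False),
]

def phish_prone_percentage(results):
    """Share of delivered test emails whose link was clicked: the baseline metric."""
    if not results:
        return 0.0
    return round(100.0 * sum(r.clicked for r in results) / len(results), 1)

def rate_by(results, attribute):
    """Phish-prone percentage per value of an attribute ('department', 'campaign')."""
    groups = defaultdict(list)
    for r in results:
        groups[getattr(r, attribute)].append(r)
    return {k: phish_prone_percentage(v) for k, v in sorted(groups.items())}

def credential_submissions(results):
    """Tests that ended with a username and password typed into the fake page."""
    return sum(r.entered_credentials for r in results)

def users_needing_training(results, min_clicks=2):
    """Anyone who submitted credentials, or clicked in min_clicks or more campaigns (assumed rule)."""
    clicks, creds = defaultdict(int), set()
    for r in results:
        clicks[r.user] += r.clicked
        if r.entered_credentials:
            creds.add(r.user)
    return sorted(creds | {u for u, n in clicks.items() if n >= min_clicks})
```

Feeding a real campaign export into `SAMPLE_RESULTS` is all that changes; the per-campaign rates are what show whether the number is trending down month over month.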

Final Thoughts

Whether or not your team eventually catches on that you are testing them, they'll still be gaining the skills and tools necessary to recognize real phishing attacks. Your priority is to get your team more aware and mindful of email security, and we can help you do that.

If you’re not sure where to start, feel free to reach out to us here at VC3 any time. We’re here to make your life easier through fast, friendly, frustration-free IT services.

Let's talk about how VC3 can help you AIM higher.