What the Most Tech-Savvy Employees Don’t Know About Phishing


Phishing and other types of cyberattacks are always evolving and becoming more sophisticated. These types of attacks are hard to resist, as they prey on our need to receive and respond to information as quickly as it arrives. And although companies may routinely test employee awareness, there are plenty of tactics from attackers—and haphazard reactions from employees—that can make even the most security-minded company fall prey to phishing scams that can cost millions.

Cybersecurity is a never-ending game of cat and mouse. As soon as one phishing method stops working, a more sophisticated tactic soon takes its place. Workplace phishing tests, cybersecurity learning modules, and education about cybersecurity basics unfortunately only go so far. The best way to prevent phishing and cyberattacks is an empowered, smart and vigilant workforce.

Although it's impossible to predict every kind of phishing attack before it happens, there are certain approaches to phishing expeditions that safety-minded employees can learn to identify and avoid. Here are a few common attacks that even your most tech-savvy employees might be susceptible to, and how you can help your team stay safe and smart.

1. Email Address Spoofing

Commonly, hackers will change the email address and name of the sender to mimic an executive, human resources department or other high-level employee. These spoofed addresses are typically indistinguishable from their real-life counterparts, making it challenging for average employees to differentiate fake senders from real ones.

Employees should know that these emails are often vague, do not include the recipient's name, or may include text intended to cause rushed action. For instance, some emails will prompt recipients to quickly review materials or provide sensitive information.

To prevent these attacks, employees should slow down and read communications carefully—especially for any message that pressures recipients to respond quickly. Misspellings are a dead giveaway of something amiss, and can signal that the message may be inauthentic.

2. Disguised Links

Common phishing attempts rely on disguising URLs so they appear to be from within an organization's existing websites, whether on a company intranet or at a publicly accessible address. Although the link address that appears in an email may seem safe, a common yet effective strategy is linking the email text to a different, predatory destination.

Some phishing attempts may even include the name of the company somewhere in the URL, albeit in the wrong location or by using different characters. Subtle tactics like these are meant to catch employees off-guard while they're trying to quickly get through their day-to-day tasks.

Encourage employees to examine links before clicking (hover over the text to see the full destination). If the address is outside of your organization, difficult to read, or uses a URL shortener that obscures the actual address, there's a chance it's a phishing attempt. If the company name appears in a link, be sure that it:

  • Is spelled properly
  • Does not use unusual characters to represent letters or symbols
  • Appears directly before the domain suffixes known to be associated with the company (.com, .net, .org, etc.)
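The link checks above (hover destination versus visible text, URL shorteners, unusual characters, and where the company name sits in the address) can also be automated at a mail gateway or in a reporting tool. The following is an added example, not part of the original article; the trusted domain `example.com`, the brand string, the shortener set and the sample links are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"example.com"}                       # assumption: the company's real domains
BRAND = "example"                               # assumption: company name as used in links
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small illustrative set

class Anchors(HTMLParser):  # collects [href, visible text] for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self.in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_a = True
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"

def host_of(url):  # "//" prefix lets bare text like "hr.example.com/x" parse as a host
    try:
        return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    except ValueError:
        return ""

def check_links(html):  # returns {href: [findings]} for links that fail the checks
    parser, report = Anchors(), {}
    parser.feed(html)
    for href, text in parser.links:
        host, text = host_of(href), text.strip()
        trusted = any(host == d or host.endswith("." + d) for d in TRUSTED)
        shown = host_of(text) if "." in text and " " not in text else ""
        checks = {
            "text-shows-different-host": bool(shown) and shown != host,
            "unusual-characters": not host.isascii() or "xn--" in host,
            "company-name-in-wrong-place": BRAND in host and not trusted,
            "url-shortener": host in SHORTENERS,
        }
        hits = [name for name, hit in checks.items() if hit]
        if hits:
            report[href] = hits
    return report

# Constructed sample message body (not taken from a real email).
SAMPLE = ('<a href="https://hr.example.com/benefits">hr.example.com/benefits</a>'
          '<a href="http://example.com.login-check.test/x">https://example.com/payroll</a>'
          '<a href="https://xn--exmple-cua.test/">Review now</a>'
          '<a href="https://bit.ly/abc123">Policy update</a>')
```

Calling `check_links(SAMPLE)` leaves the genuine intranet link unflagged and reports the other three; the second link is caught twice because its visible text shows the real domain while the destination only starts with it.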

3. Fake Wi-Fi Networks

Business travelers are always on the hunt for wireless connections. And although free Wi-Fi networks proliferate—and can be helpful for those on the road—these networks are not always secure. It's easy for attackers to spoof a Wi-Fi network name to mimic that of a coffee shop, airport, or any other kind of establishment, meaning that nefarious actors can trick people into connecting. Once connected, these bad actors can then access sensitive information as it travels across the network.

In order to keep a safe connection, employees should use a company-mandated VPN to obscure all web traffic from Wi-Fi networks. (This is also a good idea for any kind of non-business Wi-Fi network.) And, when in doubt, employees can protect themselves by staying off of networks until they reach a trusted establishment, such as a hotel.

For ultimate cybersecurity, you may want to provide employees with portable hotspots so they can stay off of public networks altogether.

4. Personal Account Vulnerability

Even if employees are extra diligent on their work computers, they may apply less secure standards to their own personal devices. That's a big risk—because as soon as a company document or email leaves its corporate computing ecosystem, it is at risk of landing in the hands of someone who should not see it via a personal-account attack.

Hundreds of hacks have begun with an employee's compromised personal email address, so workers need to make sure that they apply the same level of vigilance to their own computers and accounts as they would to a work machine.

5. Skipping Two-Factor Authentication

Even strong passwords are only so good at keeping an account from being hacked. Leaks happen often—and if employees repeat passwords, or keep data on compromised sites, their data can be at risk.

That's why cybersecurity experts insist on two-factor authentication. Also called "2FA," this system forces users to authenticate their identity in a secondary manner, whether it's with a code received via a phone call or text, tapping a button on another device, or generating a passcode from an app. Most enterprise applications offer two-factor authentication options, making them easy to adopt.

Businesses can also use code-generating apps that provide access information for two-factor applications. These provide a unique string of numbers that changes with each access attempt, which is only accessible to the employee attempting to log in. Businesses may also want to consider physical security keys, which enable employees to plug in a USB key in order to validate that they are authorized to access a computer.

Cybersecurity isn't an abstract threat that only affects certain kinds of companies or employees. Rather, it is an ever-changing threat to your company's information and bottom line. Don't adopt a false sense of security, both in terms of underestimating the efficacy of countermeasures and exercises as well as the savviness of employees. Even if the business world relies on quick answers and instantaneous communication, the best way to prevent phishing and cyberattacks from being successful is to encourage employees to react slowly, think deeply, and remain skeptical of the communications they receive.

The views expressed by the author are not necessarily those of Fifth Third Bank, National Association, and are solely the opinions of the author. This article is for informational purposes only. It does not constitute the rendering of legal, accounting, or other professional services by Fifth Third Bank, National Association or any of their subsidiaries or affiliates, and are provided without any warranty whatsoever. Deposit and credit products provided by Fifth Third Bank, Member FDIC.