Recognizing the Unusual: Practical Tips for Spotting Phishing Attacks
We’ve all seen the phrases in our Acceptable Use Policies or onboarding materials: “Report anything unusual” when working online. But what exactly is “unusual”? What might seem odd to one person could be normal to another, and security professionals like us are naturally inclined to view everything through a lens of risk.
In my last blog, I talked about the importance of personalization and context in security messaging. When it comes to phishing attacks, we can use this same approach to help employees identify what’s truly suspicious. Here are a few ways to tailor security guidance:
- Specific to your organization and its tools.
- Specific to an employee’s role.
- Specific to home life, though this advice will be more general.
What Does “Weird” Look Like at Work?
For security professionals, phishing is a broad term. But for employees, breaking it down with real-world examples—especially within the context of your company’s rules—can be far more effective. Let’s take a look at some of the key “weird” signs:
- Unexpected Software Installation Requests: Did you get a prompt to install new software? In most cases, employees aren’t asked to install software themselves. If there hasn’t been prior communication from IT, don’t proceed with the installation. No communication, no install!
- Multi-factor Authentication (MFA) Prompts: MFA prompts should only appear when you initiate an action, like logging in from a new device or after a long break. If you didn’t do any of these things, don’t approve the prompt. An unexpected prompt usually means someone else has already entered your password, and a string of repeated prompts is an attempt to wear you down into approving one (often called MFA fatigue or push bombing). Click “Deny”, report it to the security team, and change your password: it could be part of a larger attack.
- New Online Collaboration Tools: If you’re invited to use a new tool, ensure it’s been approved by IT. Even if the invitation seems to come from within the company, don’t click links or enter credentials unless IT has communicated about the tool.
- Suspicious External Services: Tools promising quick data analysis, like AI services, are tempting for employees looking to boost productivity. But before using any external tool, verify it with IT. Never test these services with company data on your own.
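The MFA bullet above tells employees to deny and report unexpected prompts; the same behaviour is visible to the security team in the identity provider’s logs. The following is an added example (not from this post or any vendor): it scans constructed MFA push log lines for users who received several unapproved pushes in a short window, and escalates when an approval follows the burst. The log format, field names, thresholds and the sample entries are all assumptions for illustration.

```python
"""Flag MFA push-fatigue (push bombing) patterns in authentication logs.

Added example, not code from the original post. The log line format,
field names, window and threshold are assumed; adapt them to your IdP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> user=<name> event=mfa_push result=<approved|denied|timeout> src=<ip>"
# bob receives four unapproved pushes in a few minutes and then approves one.
SAMPLE_LOG = """\
2024-05-02T08:01:10Z user=alice event=mfa_push result=approved src=203.0.113.10
2024-05-02T21:14:02Z user=bob event=mfa_push result=denied src=198.51.100.7
2024-05-02T21:14:40Z user=bob event=mfa_push result=timeout src=198.51.100.7
2024-05-02T21:15:12Z user=bob event=mfa_push result=denied src=198.51.100.7
2024-05-02T21:16:05Z user=bob event=mfa_push result=denied src=198.51.100.7
2024-05-02T21:17:30Z user=bob event=mfa_push result=approved src=198.51.100.7
2024-05-02T09:30:00Z user=carol event=mfa_push result=timeout src=192.0.2.44
2024-05-02T11:45:00Z user=carol event=mfa_push result=approved src=192.0.2.44
"""

SEVERITY_RANK = {"push_bombing": 1, "likely_compromise": 2}


def parse_line(line):
    """Parse one assumed-format log line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_push_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return one finding per user whose unapproved pushes in any sliding
    window reach the threshold. If the last event in such a window is an
    approval, the user probably gave in, so the finding is escalated."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("event") == "mfa_push":
            by_user[event["user"]].append(event)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, current in enumerate(events):
            window_start = current["ts"] - window
            recent = [e for e in events[: i + 1] if e["ts"] >= window_start]
            unapproved = [e for e in recent if e["result"] != "approved"]
            if len(unapproved) < threshold:
                continue
            severity = "likely_compromise" if current["result"] == "approved" else "push_bombing"
            previous = findings.get(user)
            # Keep the finding with the highest severity and latest extent.
            if previous is None or SEVERITY_RANK[severity] >= SEVERITY_RANK[previous["severity"]]:
                findings[user] = {
                    "user": user,
                    "severity": severity,
                    "unapproved_pushes": len(unapproved),
                    "first": unapproved[0]["ts"].isoformat(),
                    "last": current["ts"].isoformat(),
                    "src": sorted({e["src"] for e in recent}),
                }
    return sorted(findings.values(), key=lambda f: f["user"])


if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_LOG):
        print(finding)
```

On the sample data only bob is flagged, with severity `likely_compromise`; carol’s single timed-out push hours before a normal login is not, which is the point of the sliding window: one missed prompt is normal, a burst is not. A `likely_compromise` finding is the case the employee guidance is trying to prevent, and the response is a password reset and session revocation, not just a ticket.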
Tailoring Advice for Specific Roles
Different departments may face unique threats, so providing role-specific guidance is important. For example, if you’re in Legal:
- Document Signing Procedures: “We only sign documents through DocuSign*.” If you receive a request to sign through another service, flag it with the security team.
Keeping Your Home Safe
When it comes to personal cybersecurity, I like to keep it simple. Here’s one tip I share, especially with older generations:
- Treat Digital Communication Like a Knock at the Door: Whether it’s an email, SMS, or phone call, ask yourself: Do I know this person? Can they prove who they are? Was I expecting this? If not, it’s okay to decline or ignore the request.
Building Positive Security Habits
To drive lasting behavior change, remember how people learn: through direct experience or the ability to relate to a situation. Giving employees relatable examples they can apply to their work and home life is crucial to building a security-first mindset.
For more on how to shift cybersecurity awareness from passive attendance to active understanding, check out my previous blog, Moving Beyond Attendance: Understanding Cybersecurity Awareness.
*For example only; other document signing tools are available.