Why You Should Not Forward Phishing Emails to Your StaffManagers are used to forwarding things to employees to take care of. Such as a meeting request so an appointment can be set up. They may not think anything of forwarding a strange email, figuring that the employee can review it and do whatever is needed. One true story that happened to a company that resulted in the server running their website and email being taken over, happened because the CEO of a small start-up company forwarded a phishing email. The email in question appeared to be from the company’s hosting company where they rented the website and email server. It used a spoofed email address that had the hosting provider’s domain. The email warned that the service could be cut off unless some information was updated. The CEO sent it to one of his staff, one that was particularly tech-savvy and that usually handled things to do with the website administration. There was no explanation given on the email like (“Not sure if this is phishing, can you see?”), it was just forwarded with the expectation that it would be taken care of. On the other end of the forward, the employee saw the forward from the CEO and immediately stopped what they were doing. The CEO wasn’t known for being particularly patient and got especially agitated whenever the website went down for any reason. The employee also saw the familiar “from” address from the web host company and assumed the email was legitimate for that reason as well as the fact that it was forwarded from the boss. This made it more of a directive to take care of this because it originated from him. The employee followed the link to log in to see what information needed to be updated. Normally, they would have called the hosting company to clarify, but were afraid that if they delayed it would mean the website going down and they’d be in trouble for not acting faster. Within seconds of clicking the link and logging in on a website that looked exactly like the real login page, hackers had stolen the credentials and initiated an automated attack. Even when the employee realized this was a scam, and changed the password about 5 minutes later, it was too late! It took the company weeks to rebuild its website and clean up its email domain reputation. The hacker had used their domain to send phishing as part of the attack.
Forward Phishing Emails to an I.T. Professional InsteadWhen anyone receives an email from their supervisor or manager, it immediately elevates the importance of that message and employees will often want to respond fast. That desire to respond fast so as not to get in trouble (as in the story above) can often cause a person to forget about their phishing training and take action on the forwarded email without reviewing it properly. An employee might also believe that their boss already reviewed the message, and it must be legitimate because they forwarded it to them to handle. Emails aren’t just normal emails when they’re forwarded from a person in a position of power. Employees will see that email and think:
I need to get this handled right away
I don’t want to make the boss mad
I’m expected to handle this because it was forwarded to me
It must be legitimate because my boss sent it to me
If I don’t do this right away, I could be reprimanded if something bad happensWhere should you forward any suspicious emails instead? Send them to us! An I.T. professional has the experience to review messages that could possibly be phishing. Not only do we have years of experience identifying these scams, but we also have the separation needed to be completely objective, unlike your employees.