Wizer Free Security Awareness Blog

Phishing And Other Cyber Attacks: How To Report It

Written by Ayelet HaShachar Penrod | Jul 13, 2022 8:14:27 AM

The basics of any cybersecurity awareness training include the dangers of phishing attacks. Whether they arrive via email or text message, more users are becoming familiar with these attempts to trick them into clicking, downloading, or logging in so that an attacker can compromise them. However, one aspect of improving security is teaching employees the importance of reporting any identified attempts or accidental clicks.

Reporting Builds More Informed Security

Reporting a suspicious link - even if uncertain - contributes to better informed security teams who can adjust defenses as needed. Plus, tracking reporting trends in an organization also provides good insights for the security awareness team to assess the impact of their programs.

Which suspicious incidents should employees be told to report?

  • Mouse moving without the user physically touching it
  • Random browser pop-ups or toolbars the employee didn't add
  • Ransom messages
  • Phishing emails or texts - even if they are certain it's malicious 


Include Employees as Part of the Incident Response Team

Communicating the value an employee provides when they report suspicious activity can create ownership for security across the organization. Increased reporting provides better insights for security teams and strengthens their ability to respond more quickly to minimize risk.

In sharing insights from their own successes in building a strong security culture, Dennis Legori and Paula West stressed the importance of helping employees understand the stages of reporting. Even if an employee accidentally clicks on a phishing link, there are still remediations that can be implemented to reduce impact as long as the employee communicates as soon as possible.

"There's all these points where you can act to stop things from happening...looking at business email compromise, there are 10 steps from someone researching [a target] to someone actually compromising a system. Steps 2-10, there's a spot along the way at every one of those steps for a human to say 'wait, something's off' and report it at that point and make a huge difference. I think it's important knowing that it's not just 'an event', it's multiple places that you can interject and turn things around." - Paula West, Carrier

Security Culture Affects Reporting

In the past, the trend was to 'motivate' employees to adopt safe practices by penalizing the individual in some fashion. However, this is rarely effective and cultivates resentment rather than adoption. For employees to feel confident in reporting an incident, they must not only understand its importance but also feel comfortable doing so. It's crucial to ensure employees know that by reporting they are contributing positively to the response to a security incident, regardless of whether they made a mistake by clicking or engaging.

While it should go without saying, part of ensuring confidence in reporting lies simply in communicating the steps your employees should follow to report. Is there a phishing button they should use? Should they send an email to the security team or to a particular individual? Being clear on the where and how will reduce barriers to reporting and give employees confidence.

General Reporting

The Wizer Phish Alert Button allows end users to forward potential phishing emails to your internal security team for analysis, making it easy for both employees and your admin.

If you're a small business that does not have a designated security team, reporting can still make a difference for the community at large. Some resources include:

Whether through internal reporting or reporting to public entities, building a habit of reporting is beneficial to everyone.