Skip to main content

Three "E"s of Modern Email Security for Phishing: #2 Employee Focus

June 26, 2014

The first "E" of modern email security for phishing is Enhanced technology that works to limit the delivery of phishing emails to users within your organization. The second component of the three-pronged approach to mitigate phishing attacks is Employee focus.

It is important that your employees are educated, aware and engaged in preventing a phishing attack. Relying on enhanced technology alone will never make you 100% successful in blocking phishing emails. Individuals need to know how to identify and react appropriately to a phishing email when they are targeted.

General Education and User Awareness On-click education awareness is a great tactic to employ. Here’s how it works: your organization sends a fake phishing email to its employees, and if they take the bait (e.g. click a link, download a file, enter information, etc.) they receive just-in-time education. Think about it the same way you would teach young children – when they misbehave, you can’t punish them a few days later; you have to discipline them at that time so they understand what they did wrong. I’m not saying your employees are children, but in our busy lives we all make mistakes, and the same principal applies. If an employee clicks on a malicious link, education should be delivered right away, so they can take the time to learn from the mistake, and then get on with their job. I have found this approach is much more effective than bringing employees into a room for an hour, telling them that they should worry about phishing, and providing information about some things they should do.  In this second instance, the message doesn’t resonate because it isn’t top of mind. In fact, most of the time the employees glaze over the presentation and are more focused on the free coffee and doughnuts.

Three E's of Modern Email Security

When you catch employees in the act, it tends to make a greater impact and stick with them, curbing the behavior in the future.


Incentive Programs Creating programs that incentivize your employees can be a fun and effective way to get them involved in securing your organization’s environment. They turn every employee into security personnel, and provide an avenue to escalate events for incident response.

“Catch of the Day” is an email bounty program where employees are encouraged to send any suspicious emails they receive to the IT security response team. The emails are then analyzed by the team and every month, the best one from across the organization is chosen. The winning employee is recognized and rewarded for their efforts in identifying the phishing attack. The prize can be something as simple as a $100 gift card – a small investment for your organization, but enough to get employees excited and motivated to participate.

Continuous Testing Once you have put training and educational programs in place, it is important to test their level of success on an ongoing basis. You should send out different types of phishing emails to your employees and capture the results of these “tests.” The aggregated results can help you understand the effectiveness of the programs you have in place and make any necessary changes to improve them. If you notice that people are more susceptible to download a file versus enter sensitive information in a form, you can use that data to tailor your education efforts.

When employees are educated on phishing tactics, it reduces your organization’s attack surface. In my next blog post I will discuss the third and final "E" of modern email security for phishing, Enterprise visibility.

    James Robinson

By: James Robinson

Vice President, Third-Party Risk Management

See More

Related Blogs

June 30, 2014

Three "E"s of Modern Email Security for Phishing: #3 Enterprise Visibility

In response to the persistent threat from phishing attempts, a three-pronged approach focusing on the “Three 'E's of Modern Email Security for Phishin...

See Details

June 25, 2014

Three "E"s of Modern Email Security for Phishing: #1 Enhanced Technology

Every day, over a billion emails are sent containing malicious links and attachments, tempting users to take the bait and effectively launch an attack...

See Details

December 13, 2012

Preparing for the Next Spear Phishing Attack

If you need proof that any organization can be hacked, even the most secure ones, just do an Internet search for “spear phishing attacks.” You might b...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

September 16, 2014

Phishing with Smitty: A Unique Tool for Solicitation Attacks

This post will introduce you to the Smitty SMTP utility, which is a fully featured email client. We use this tool as a means to effectively deliver em...

See Details

November 25, 2014

'Tis the Season for Phishing

It’s that time of year again, the holiday season. A time filled with friends, family, good food, and celebration. But of course it has its downsides a...

See Details

March 08, 2017

Be on Alert for Phishing Scams during Tax Season!

Once again tax season is upon us, and with it brings increased phishing attempts targeted at obtaining tax information from both for-profit and non-pr...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.