The Five R's of Phishing

The Five R's of Phishing

Don’t think something you played as a child is relevant to cybersecurity? Think again. The seemingly harmless games of our childhood – red rover, duck-duck-goose, king of the hill – are often deemed too dangerous for twenty-first-century youngsters. And it’s a shame, really. After all, another oft-banned children’s game — dodgeball — teaches applicable skills to avoid phishing threats.


The tactics of dodgeball can be summed up with five D's: dodge, duck, dip, dive and defend. Why am I going down this road? In dodgeball, it’s about avoiding the ball. In phishing, it’s about avoiding the bait. And the tactics for evading a phish can be summed up in five R's: read, review, recognize, react and report.


October is Cybersecurity Awareness Month (CAM), a great time to revisit the five R's of phishing.




One must give a thorough look to avoid the hook.


Email inboxes are flooded with communications all day, every day. How long do you spend reading each email you receive to ensure it’s legitimate? If you’re not reading every single word in your messages, you could be missing big clues that can indicate phishing. Some phishing emails create a sense of urgency, but it’s important to take your time and read carefully.




One must look beyond the lines and see the signs.


Is the sender unfamiliar, their address unusual or their communication out-of-character? Are there strange links or suspicious attachments? If there are images or logos within the message do they align with what you would expect in quality and relevance?




One must be aware to avoid the snare.


Many phishing emails are easy to spot. Others are more sophisticated. Security awareness training can help prepare you for the threats in your inbox. Training can be formal or informal—the important thing is to keep yourself educated.




One must slow phishing traction with the appropriate action.


When a phishing threat is recognized, it should not be ignored. Know your organization’s policies regarding phishing emails if you receive one at work. Outside the office, have your own policy for handling a potential phish.




One must share to clear the air.


Don’t just delete. Protect others by reporting suspected phishing emails immediately. Reporting helps notify others that there’s a phish in their midst and alerts them to specific threats. In addition, your report allows internal support or your email provider to block future phishes that follow a similar pattern.


For CAM, just remember, cybersecurity topics aren’t always complicated. In fact, like those games from the good old days, they’re often elementary. 

Rutherford is a Security Awareness Training Specialist at Optiv. He is a learning management system (LMS) and threat emulation platform administrator for Optiv’s security awareness training programs. He assists clients in testing and training their populations on the dangers of cyber threats. Rutherford holds a master’s degree in educational administration and previously worked in the field of higher education for seven years. He is also a published author of two full-length novels and a children’s book.