You work hard to craft your messages and training to get people to recognise and respond appropriately to phishing emails. You research, pilot, purchase, and manage phishing education and phishing simulators to provide the best chance for everyone to internalise the skills and behaviours they need to protect themselves and your organisation.
Phishing Torpedo incoming …
Then some other department in your organisation sends out an officially sanctioned mass email with every single phishing red flag one could possibly cram into an email.
Yep – that’s a legit message…
What do you do? Well, I mean, what do you do once you are finished exhausting yourself from screaming at the top of your lungs? If you need to step away to get some water and catch your breath, you can do that. I’ll wait.
“… the girl from Ipanema goes walking …” oh good, you’re back.
It’s important to remember that you are in charge of crafting and maintaining a consistent awareness message across your organisation. No one else carries that burden. Even though the individuals in these other departments may have gone so far as passing phishing training with flying colours, they cannot be expected to naturally apply those skills when writing their own messages.
There is a cognitive gap between reading and listening (receiving an email) and the process of composing and speaking (writing an email). If you have ever studied a second language, you know exactly what I mean.
You need to be the one who bridges that gap for them by providing targeted training to these teams. This doesn’t have to be complicated, or even very long. I propose a one-page checklist.
The Sanity Checklist
Every time you send out new messages or training about phishing, write a short companion email to your internal communications departments. Relate your new material to how they should compose emails to avoid including those same problems.
It depends on your organisation, but it could look something like this:
Today, we sent out new phishing training to teach our colleagues about Subject X. That means that the organisation will be on the alert for those elements in any internal and external communication.
If you don’t want your emails, texts, or other internal communications to look like a phishing attempt, here is a handy checklist you can use to avoid potential problems:
– don’t Subject X element 1
– don’t Subject X element 2
– do Subject X element 3 mitigation
And, as always, all properly formed messaging should:
– Best practice 1
– Best practice 2
If you have any questions, I can be reached at …
This can do wonders in helping your other messaging teams reduce everyone’s stress: yours, theirs, and especially the end users. It will also reinforce you as an expert that they can come to if they have questions. “Maybe we should run this new email past [you] before we send it out …”
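The checklist above can also be turned into a pre-send sanity check that a communications team runs over a draft before it goes out. The following script is an added example, not part of the original post; the red flags it looks for (urgency wording, requests for credentials, link text that shows one address but points to another, link shorteners, off-domain senders and links) are assumed common phishing indicators, since the post leaves the checklist items as placeholders, and the organisation domain and the sample drafts are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed red-flag phrases; the post's checklist leaves the concrete items as
# placeholders, so these are illustrative, not the post's own list.
URGENCY_PHRASES = [
    "immediately", "within 24 hours", "urgent", "account will be suspended",
    "final notice", "act now", "verify your account",
]
CREDENTIAL_PHRASES = [
    "enter your password", "confirm your password", "provide your credentials",
]
# Constructed list of well-known link shorteners that hide the real destination.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

HTML_LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT = re.compile(r'https?://[^\s<>"]+')


def _host_is_internal(host, org_domains):
    """True when host is one of the organisation's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in org_domains)


def check_draft(subject, body_html, sender, org_domains):
    """Return a list of human-readable findings for a draft internal email.

    An empty list means none of the assumed red flags were present.
    """
    findings = []
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    low_subject = subject.lower()

    for phrase in URGENCY_PHRASES:
        if phrase in text or phrase in low_subject:
            findings.append(f"urgency language: '{phrase}'")
    for phrase in CREDENTIAL_PHRASES:
        if phrase in text:
            findings.append(f"asks for credentials: '{phrase}'")

    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not _host_is_internal(sender_domain, org_domains):
        findings.append(f"sender domain '{sender_domain}' is not an organisation domain")

    for href, anchor in HTML_LINK.findall(body_html):
        href_host = (urlparse(href).hostname or "").lower()
        anchor_text = re.sub(r"<[^>]+>", "", anchor).strip()
        shown = URL_IN_TEXT.search(anchor_text)
        if shown:
            shown_host = (urlparse(shown.group(0)).hostname or "").lower()
            if shown_host and shown_host != href_host:
                findings.append(f"link text shows '{shown_host}' but points to '{href_host}'")
        if href_host in SHORTENER_DOMAINS:
            findings.append(f"shortened link via '{href_host}'")
        if href_host and not _host_is_internal(href_host, org_domains):
            findings.append(f"external link to '{href_host}'")
    return findings


# Constructed organisation domain and sample drafts (not real addresses).
ORG_DOMAINS = {"example.com"}

RISKY_DRAFT = {
    "subject": "URGENT: Verify your account within 24 hours",
    "sender": "hr-notices@example-mailer.com",
    "body_html": (
        '<p>Your benefits enrolment expires soon. '
        '<a href="https://bit.ly/3xyz">https://portal.example.com/enrol</a> '
        'Please enter your password on the next page.</p>'
    ),
}

CLEAN_DRAFT = {
    "subject": "Benefits enrolment opens next week",
    "sender": "hr@example.com",
    "body_html": (
        '<p>Enrolment opens on Monday. Details are on '
        '<a href="https://portal.example.com/enrol">the HR portal</a>. '
        'Questions? Reply to this email.</p>'
    ),
}


def check_sample(draft):
    """Convenience wrapper so the two constructed drafts can be checked by name."""
    return check_draft(draft["subject"], draft["body_html"], draft["sender"], ORG_DOMAINS)


if __name__ == "__main__":
    for name, draft in (("risky", RISKY_DRAFT), ("clean", CLEAN_DRAFT)):
        findings = check_sample(draft)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Each finding maps directly onto a "don't" line of the companion checklist, so the output doubles as feedback the sender can act on before the message goes out. The phrase lists and shortener set are the parts to adapt to whatever your current training covers.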
But wait, there’s more!
There is a huge hidden bonus in sending this email. If you have read my book, you might be able to see it already. By bridging the gap between passive activity (reading emails) and proactive activity (composing emails), you actually make them far, far better at the passive activity. Again, if you have studied a second language, you know how much better you get once you start to compose in that language (in fact, language experts insist that composing is the fastest way to learn a new language).
In short, with this extra note, your messaging teams have a high chance of becoming your phishing awareness champions.
So, add this simple, one-page checklist to your to-do list when sending out new phishing training or materials. It will take only a few minutes, and the potential gains are huge.