
Cybersafe Series: Expanded Employee Training Guide: Phishing & Social Engineering

September 1, 2025 / September 3, 2025 · Cybersafe Series

📘 Expanded Employee Training Guide: Phishing & Social Engineering

Brought to you by Atlas Insurance as a helpful resource for strengthening your team’s cybersecurity awareness.

Objective:
To help employees recognize, avoid, and report phishing and social engineering attacks through real-world examples and best practices.


1. What is Phishing?

Phishing is a type of cyberattack where attackers impersonate trusted sources to trick you into revealing sensitive information like passwords, credit card numbers, or access credentials.


2. What is Social Engineering?

Social engineering manipulates people into breaking standard security practices. It can happen via email, phone, text, or even in person.


3. Common Tactics & Real-World Examples

📧 Email Phishing

  • Example: You receive an email from “Microsoft Support” saying your account will be locked unless you verify your password. The link leads to a fake login page.

  • Red Flag: Urgent tone, suspicious URL, and request for credentials.

📱 SMS Phishing (Smishing)

  • Example: A text message claims your bank account is locked and provides a link to “verify your identity.”

  • Red Flag: Banks don’t send links via SMS for login verification.

📞 Phone Phishing (Vishing)

  • Example: A caller claims to be from your IT department and asks for your login credentials to “fix a system issue.”

  • Red Flag: IT should never ask for your password over the phone.

👤 CEO Fraud / Business Email Compromise

  • Example: You get an email from your “CEO” asking you to urgently wire money to a vendor.

  • Red Flag: Unusual request, especially involving money or sensitive data.

📎 Malicious Attachments

  • Example: An email from a “client” includes an invoice attachment. Opening it installs malware.

  • Red Flag: Unexpected attachments, especially from unknown senders.

🌐 Fake Websites

  • Example: You click a link in an email that looks like your payroll provider, but the URL is slightly off (e.g., payrol1.com instead of payroll.com).

  • Red Flag: Slight misspellings in URLs or domains.
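An added example, not part of the Atlas Insurance guide, of how an IT team can automate this red flag: the domain of a link is compared against the organisation's own list of trusted domains, with look-alike characters folded back, one-character typos caught, and a trusted name hidden in a subdomain detected. The allow-list and every URL below are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation actually uses (assumption for this example).
TRUSTED_DOMAINS = {"payroll.com", "microsoft.com"}

# Substitutions used to make a domain look like the real one; folded back before comparing.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"), ("7", "t")]


def hostname(url: str) -> str:
    """Lower-cased host of a URL; bare domains without a scheme are accepted too."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified: no public-suffix list, so co.uk-style TLDs are not handled)."""
    return ".".join(host.split(".")[-2:])

def fold_lookalikes(domain: str) -> str:
    """Replace look-alike characters with the letters they imitate, e.g. payrol1 -> payroll."""
    for fake, real in LOOKALIKES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typos such as payroll.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Return 'trusted', 'unknown', or a description of why the domain looks like a trusted one."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for good in TRUSTED_DOMAINS:
        if host.startswith(good + "."):          # e.g. payroll.com.evil-login.net
            return f"lookalike of {good} (used as a subdomain of {domain})"
        if fold_lookalikes(domain) == good or edit_distance(domain, good) <= 1:
            return f"lookalike of {good}"
    return "unknown"
```

A result other than "trusted" is a prompt to verify through a second channel, not proof of an attack; legitimate sites not on the allow-list simply come back "unknown".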


4. How to Protect Yourself

  • Verify requests through a second channel (e.g., call the person).

  • Use strong, unique passwords and enable multi-factor authentication (MFA).

  • Don’t reuse passwords across work and personal accounts.

  • Keep software updated to patch known vulnerabilities.


5. What to Do If You Suspect a Phishing Attempt

  • Do not click on any links or download attachments.

  • Do not reply to the message.

  • Report it immediately to your IT team or designated contact.

  • If you clicked a link or entered information, change your password and notify IT right away.
