5 Common Phishing Emails


Phishing, in all its forms, from malicious emails to SMShing (text phishing) to social post phishing to Vishing (phone call phishing), is now part of the daily life of an organisation.

However, phishing emails are by far the most common form of phishing.

What Are Phishing Emails?

Phishing emails are fraudulent messages sent by cybercriminals impersonating legitimate entities, aiming to deceive recipients into divulging sensitive information or performing harmful actions, such as clicking malicious links or downloading malware.

According to research from Cisco’s “2021 Cybersecurity Threat Trends Report,” around 90% of data breaches begin with phishing emails. Worryingly, the report suggests that in 86% of organisations, at least one person will click on a phishing link. But, of course, it only takes one click to cause a ransomware infection or expose sensitive data.

Understanding the tactics used in some of the most common forms of phishing email attacks and how employees can avoid them helps to reduce cyber risk. Here are five examples of phishing emails and how to stop employees from taking risks.

The Fake Invoice Scam

A favourite amongst phishers is the fake invoice scam. Fraudsters send out emails containing fake invoices, hoping to catch out an unaware employee. Unfortunately, if the fake invoice is paid or a query about the invoice is made to the scammer, money or personal data will likely be stolen.

The type of invoice included in the phishing emails varies, but examples include the following:

  • Billing for security products such as anti-virus software
  • Overdue invoices from fake suppliers
  • Domain payment expiry emails warning that if you do not act, your website and emails will not be available
  • Fundraisers and charity invoices, often offering an ad placement or article in a charity publication
  • Business Email Compromise (BEC), a highly sophisticated and targeted form of fake invoice scam

How to Avoid Fake Invoice Scams

Invoice scams can be very sophisticated, with fraudsters targeting specific persons, such as those working in accounts payable or CFOs. The emails will look genuine, often including an urgent ‘pay now or suffer the consequences’ type of message.

Use simulated phishing that provides role-based training to target the types of users most at risk of fake invoice scams. Role-based phishing simulators will allow you to tailor your simulated phishing campaigns to reflect real-life challenges that specific departments and personnel face.


Fake Technical Support Emails

Creating a sense of urgency and compliance are two of the manipulative techniques used by scammers to trick employees into clicking malicious links or downloading infected attachments. An example of these behavioural manipulations is seen in phishing emails that pretend to be from technical support.

In the example below, you can see staff being urged to move to a new web portal to access important personal and company information – including their payslips. The email reminds staff that they have only 24 hours to comply.

The email contains a link to a malicious website. If the employee clicks this link and navigates to the website, they will be requested to enter their existing login credentials and personal data. If they do so, these details will be stolen, and the fraudsters will use the login credentials to log in to the actual portal.

How to Avoid Fake Technical Support Emails

All staff are at risk from this type of general speculative phishing email. General Security Awareness Training should be used to educate all employees, across all departments, about how to be secure online.

Education on how cybercriminals manipulate human behaviour is crucial in training employees on the tactics used by fraudsters when creating phishing emails. Effective Security Awareness Training programs will use point-of-need learning that uses opportunities to retrain poor security behaviour.

General Security Awareness Training should be used alongside simulated phishing exercises that specifically tackle this type of phishing threat. That is, emails that look like they are from internal departments and that use tactics such as urgency and threats of discipline if not acted upon.


Tax Scams

Tax scams often increase in volume during tax season, but they can happen anytime. Often, these emails will offer a tax refund. However, HMRC states explicitly on its website: “HMRC will never send notifications by email about tax rebates or refunds.”

Tax scam emails are typically realistic looking and often well-composed. The scammers use the HMRC logo and related branding to help make phishing emails look legitimate. There is usually a link to the HMRC Gateway login page. The webpage that the link navigates to is a spoof website that is used to gather data and send it to the fraudsters behind the scam. Sometimes, these websites also contain malware, and anyone navigating that website could end up with an infected device.

How to Avoid Tax Scams

Tax scams can be untargeted, being sent to anyone in an organisation. However, the most effective tax scams will be sent to specific employees in financial departments. Therefore, while it is important to include tax scams in your simulated phishing exercises for everyone, you should also focus on educating anyone in the finance department about them. In the run-up to tax season, double down on your training to ensure that employees, particularly those in the finance department, are ready for the likely onslaught of these phishing emails.

Email Account Problem Phishing Email

Suppose an employee receives an urgent-sounding email informing them that their email account is about to be suspended or that it must be urgently upgraded. In that case, they may feel compelled to click the link to fix the “issue.” However, this email could be a phishing scam that leads to stolen credentials.

The phishing email example below shows how the Microsoft brand has been used to add weight to the claim that the user’s email account is at risk. The link in the email is malicious and takes them to a website that looks like a Microsoft Office 365 login page.

Microsoft is often in the top five most spoofed brands used in phishing messages. According to Cisco, the top five spoofed brands in Q1 2022 are:

  1. LinkedIn (relating to 52% of all phishing attacks globally)
  2. DHL (14%)
  3. Google (7%)
  4. Microsoft (6%)
  5. FedEx (6%)

How to Avoid Microsoft Email Problem Phishing Email

Fraudsters often use Microsoft and other well-known brands to give employees a false sense of security. Brand loyalty and trust are used to ensure that victims engage with the email message and click the malicious link. This is where simulated phishing exercises can train employees to be wary of branded emails that include behaviour manipulation tactics such as urgency.
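The brand-spoofing and urgency patterns described in the sections above can also be screened for mechanically, for example in a mail triage script. The following Python code is an added example, not MetaCompliance's own; the allow-listed domains, the urgency phrase list and the sample message are illustrative assumptions constructed for it.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: illustrative allow-list of domains each brand really links to.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "microsoftonline.com"},
    "hmrc": {"gov.uk"},
}
URGENCY = re.compile(
    r"\b(urgent(ly)?|suspended|within 24 hours|immediately|act now)\b", re.I)
HREF = re.compile(r"""href=["'](https?://[^"']+)["']""", re.I)

# Constructed sample message (not a real phishing email).
SAMPLE = """From: "Microsoft Account Team" <support@mail-notice.example>
Subject: Your mailbox will be suspended
Content-Type: text/html

<p>Your email account must be upgraded within 24 hours.</p>
<a href="https://login.office365-verify.example/signin">Upgrade now</a>
"""

def host_allowed(host, allowed):
    """True if host is an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def score_email(raw):
    """Return findings for a single-part email given as raw text."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = f"{msg.get('From', '')} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in text:
            continue
        # The message invokes the brand: every link must stay on its domains.
        for url in HREF.findall(body):
            host = urlparse(url).hostname or ""
            if not host_allowed(host, allowed):
                findings.append(f"brand-link-mismatch:{brand}:{host}")
    if URGENCY.search(text):
        findings.append("urgency-language")
    return findings

if __name__ == "__main__":
    for finding in score_email(SAMPLE):
        print(finding)
```

Suffix matching on the hostname is what rejects look-alikes such as `office.com.evil.example`; a check on the sender's display name alone would not.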


Google Docs Scam

Businesses regularly use Google Docs to capture documents and ideas and collaborate with colleagues. In 2020, Google GSuite had over 6 million businesses subscribed to the service. This many users makes Google a desirable proposition for scammers.

A recent novel use of a phishing-based attack that uses GSuite to hook a target shows how innovative hackers can be. In this scam, a fraudster creates a Google Document and then comments within it using the @ notation to target a specific user. This prompts Google to send a notification email to the target’s inbox about the comment. The email from Google is genuine, but it has an embedded comment. This comment typically contains malicious links that, if clicked, will take the employee to a malicious website.

Google has recently updated comments so people can see who has left the comment. However, scammers are constantly updating their tactics, and a new GSuite scam may appear soon.

How To Avoid GSuite Comment (And Similar) Scams

Cleverly disguised phishing emails may piggyback on legitimate emails and similar services, as in the case of the GSuite comment scam. These sophisticated scams make it hard for employees to recognise a scam.

Security Awareness Training should reflect company policies, including using cloud-based document repositories and who can and cannot collaborate on company documentation. When carrying out security training, ensure that you have the most up-to-date scam intelligence and that the content reflects the latest scams.

Use Security Awareness Training and a simulated phishing platform that provides excellent support in building training programs that are role-based and that offer multiple languages and accessibility support.

Also, it is essential to recognise that fraudsters regularly change their tactics to avoid detection. Therefore, it is vital to carry out regular Security Awareness Training throughout the year.
