Watch Demo×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

Building a Culture of Security: Practical Tips to Spot Phishing

How to spot phishing tips

Technologies exist to limit and spot the number of phishing emails that come into your business. Still, humans are the last line of defense against social engineering attacks like this at the end of the day. 

At some point, you’re going to “be beat” as an employer or MSP. Instead of locking everything down and slowing business communications, staff from the c-suite on down need to be equipped to identify phishing emails, so the worst happens in a training environment and not the real thing.

To start, employees should be educated on the elements that make up a social engineering phishing attack and how they can be aware of where their information is published across the internet. 

Elements of a Social Engineering Phish

Examining your digital footprint

The best cybercriminals will take time to do their homework on their next victim. By scrolling through social media feeds associated with the person’s name and scouring Google for any available information on the potential victim, they can piece together information about the individual’s habits.

For bigger social engineering phishing hacks I can imagine things start to look a bit like this:

Examples include places they frequent, like a gym or favorite restaurant, and even gathering personal information like date of birth or home address.

Imagine if you repetitively post about how much you love a local coffee shop on social media. A post about that local coffee shop may even be on your story as you read this post. 

The attacker could create a convincing phishing email that appears to be a coupon code coming from that local coffee shop or a vendor they partner with.

With this sort of information floating around the web, victims are more likely to fall for scams that leverage this type of personal information. 

Creating social pressure to click

“Human behavior is hard to change. Humans are always consistenly vulnerable to certain things and as current events pop up it changes the way people are vulnerable and how they react.”


Connor Swalm, CEO & Founder at Phin Security


In many cases, attackers will use social pressure to make the average user click without thinking twice. 

Some examples of this include phishing emails, including asks from an executive to a new employee during their first few weeks on the job.

Other cases might lean more on emotion leveraging a friend or colleague who requires immediate attention to get out of a bad situation. 

Both examples lean on using social pressure and raw human emotions to make the victim prioritize clicking over their security training. 

Practical Tips to Identify a Phish

If you see something, say something.

Reporting a potential phishing email should be the golden rule here, even if the employee opened the email or downloaded an attachment. The employees must have a supportive process and environment when reporting potential phishing emails they have identified or opened. 

Don’t make the environment a negative one or one that resembles hazing an employee when they report a phishing email. 

On a recent MSP Live Chat that included a phishing challenge of other IT pros, Connor Swalm CEO at Phin Security took this even further by saying:

“Don’t make your employees aware of a phishing test on a particular date or time. If you do, they just won’t open any of their emails on those days reducing business efficiency and communication.”


Connor Swalm, CEO & Founder at Phin Security


Connor talked about the risks of “punitive phishing training” on our MSP Live Chat, view the clip here:

Hammer home the most common types of phishing attacks

The more familiar employees are with all the types of phishing attacks, the better-armed they’ll be when it comes to reporting the real thing. 

The Federal Trade Commission put together this list that outlines the most common types of phishing attacks. Including how some social engineering phishing schemes may include emails, text messages, and even phone calls to collect the necessary information to execute a hack. 

That being said, don’t create a long technical list of threats. Instead, translate the most common threats, so they are digestible from the c-suite across the organization. Real-world examples like the ones displayed on our MSP Live Chat also help add color while helping staff relate to the realities of the issue. 

Encourage caution and lean on company policy when possible

Company policy around fund transfers, communications from the CEO, and the generation of new logins provide an excellent guide for employees to identify a phishing email. 

According to company policy, suppose one-off fund transfers for additional services are not accepted by your business. In that case, this can be a straightforward way for a staff member to spot a phish. 

On top of this, we recommend outlining in policy what employees should expect in terms of communication from the CEO for time-sensitive requests. This way, when new employees come in and see an urgent request in their inbox for $600 in Amazon gift cards, they know that the CEO wouldn’t ask for this sort of thing via email. 

MSP Live Chat regular Ray Orsini, CEO of OITVOIP unpacked this example around employee gift cards, watch the clip below: 

Security Culture Beats Security Training

“Culture is the most powerful force in humanity.” — Kanye West

All businesses should schedule regular security training on employees’ calendars, but when security becomes part of your organizational culture, you’ve made it inescapable and consistently on the top of employees’ minds. 

Keep the rules simple and easy to understand so your team knows what is expected and that they aren’t just taking part in defending the organization from bad actors but are one of the most integral parts of that defense. 

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and backup all their devices centrally, remotely, and at scale.

You might also like

Ready to become an IT Ninja?

Learn how NinjaOne can help you simplify IT operations.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).