Phishing Awareness: Spot and Prevent Attacks
We are in Cybersecurity Awareness Month, a time to emphasize not only the broad topic of cybersecurity but also the everyday, perhaps less exciting, aspects of information security that matter all year round. When we think about Information Security, or InfoSec for short, it helps to understand the overall picture, which a few key numbers illustrate best.
Cyber fact: 95% of data breaches start with human error.
Globally, phishing attacks remain the dominant threat, with an estimated 80% of security incidents attributed to phishing, making it the number one attack vector. Statistics show that only 8% of employees are responsible for 80% of security incidents. Other statistics indicate that the attacks which later escalate into security incidents are often not technically complex; instead, they target the human factor: a little carelessness or a short lapse in concentration is enough to let a single click escalate into an incident.
Here, we can conclude that our security chain is only as strong as its weakest link.
Various Types of Cyber Attacks Aimed at People
Looking at the situation not only from the InfoSec perspective but also from the organizational aspect, people are the greatest asset and also the biggest potential attack vector for every company. There are various types of attacks aimed at people: Phishing, Business Email Compromise (BEC), Spear phishing, Vishing (voice phishing), AI social engineering, Smishing (phishing via SMS), social engineering, and similar.
The world is becoming more insecure every day, whether through the rapid expansion of AI, the rise of various forms of warfare in an increasingly tense geopolitical situation (including information and psychological warfare, cyber warfare, and hybrid warfare), or cybercrime driven by motives as simple as pure financial gain. In this worsening situation, the question remains: how should we invest in people?
Some of the methods that we practice and recommend to every organization are:
- Attack simulations (phishing tests)
- Regular education and training
- Developing security awareness and culture
- Valid risk assessment and compensatory measures
- Developing a good security culture within the organization, measurement and control, and adjusting security measures
I would like to note here that organizational security does not rely only on InfoSec, ICT, or other technical departments; it is the responsibility of all of us, especially in the context of human and organizational security measures.
How to Raise Awareness About Phishing Among Employees
Phishing remains the most common type of cyberattack, and as a company, we are not exempt from this threat. That is why ASEE has implemented regular training and exercises for employees through the Cybeready platform, and we are pleased to see increasingly better results and faster response times within our organization.
We have also launched an initiative, Cyber secure @ ASEE, in which each month is dedicated to a specific topic drawn from everyday situations. One such topic is the use of corporate email.
The Phishing Trends Report published by HoxHunt shows just how prevalent and sophisticated such attacks continue to be. Below is a brief reminder of the acceptable and unacceptable uses of corporate email, as it represents one of the primary lines of defense against phishing.
In this blog, I am sharing with you the ASEE Group guidelines for the use of email, which should be universal across any organization:
Acceptable use of email services:
- The corporate email service is established to serve business needs and interests.
- Users must use the corporate email service for business-related messages.
- All use of the email service must comply with all Group business policies and procedures, such as the Code of Ethics and HR policies and procedures.
- All use of the email service must align with Group policies and procedures related to ethical conduct, security, compliance with applicable laws, and appropriate business practices.
- Emails sent from the company’s email system should include a proper corporate signature and contact information at the bottom of each outgoing message.
Unacceptable use of email services:
- The corporate email system must not be used to create or distribute disruptive or offensive messages, including comments that are offensive or discriminatory based on race, gender, disability, age, sexual orientation, political beliefs, or national origin.
- Using the corporate email service and company-owned email addresses for personal communication.
- Using another user’s email account without:
  a) that user’s knowledge and permission, which should occur only in exceptional circumstances,
  b) approval from company management in the event of an investigation, or
  c) such access being part of the employee’s regular job responsibilities.
- Sending messages that disrupt the work environment or create a hostile workplace atmosphere. This includes sending spam, solicitations, chain letters, pyramid schemes, or information not suitable for a professional business environment.
- Attempting to impersonate another person or forging email headers.
- Conducting non-company-related business through corporate email.
Conclusion
Cybersecurity is everyone’s responsibility. By staying informed, cautious, and proactive, we can all contribute to building a safer digital environment — both for ourselves and our organization. It’s a continuous process of learning, adapting, and staying vigilant. We’ll continue to regularly share useful insights and reminders on these topics to help all of us stay informed and alert.
Ivan Vedak