How do you stay vigilant and prepare your team?
First, your IT department (or the company your IT is outsourced to) should flag emails that originate from outside the organization. Visually, this can look different depending on what your company uses for email: the word EXTERNAL may appear in the subject line, in the body of the email, and/or beside the message in your inbox, as seen below.
The [External] tag does not mean the message is a scam. It is there to remind the recipient to stop and consider whether they know the sender, and whether they were expecting an attachment or link from that sender, before opening or clicking on anything. If the email appears to be a scam, the recipient should notify their systems administrator, who can contact the IT department so the whole team is on notice.
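To make the tagging rule concrete, here is an added illustration (not part of the original article and not any mail vendor's product) of the decision an external-sender rule makes. In practice this lives in the mail platform's transport rules; the Python below shows the same logic on a raw message so you can see what counts as "external". The domain examplefirm.com and both sample messages are constructed for the example. Note that the check is made on the address domain in the From header, not on the display name, so a message whose display name matches a colleague's but whose address is on a lookalike domain is still tagged, and a message with no usable From header is treated as external.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed: the firm's own sending domains (constructed for this example).
# A real deployment would list every domain the firm legitimately sends from.
INTERNAL_DOMAINS = {"examplefirm.com"}
TAG = "[EXTERNAL]"


def sender_domain(msg):
    """Domain of the address in the From header (empty string if none).
    parseaddr discards the display name, so only the real address is used."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg, internal_domains=INTERNAL_DOMAINS):
    """True unless the From address is in one of our own domains.
    A missing or malformed From header counts as external (fail closed)."""
    domain = sender_domain(msg)
    return not domain or domain not in internal_domains


def tag_external(raw_bytes, internal_domains=INTERNAL_DOMAINS):
    """Parse a raw RFC 5322 message and, if it is external, prepend the tag
    to the Subject and add a marker header that the inbox can display."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if not is_external(msg, internal_domains):
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith(TAG):
        if "Subject" in msg:
            del msg["Subject"]          # policy.default allows one Subject header
        msg["Subject"] = f"{TAG} {subject}".strip()
    if "X-External-Sender" in msg:
        del msg["X-External-Sender"]
    msg["X-External-Sender"] = "yes"
    return msg


# Constructed sample messages (not real traffic).
INTERNAL_MSG = b"""From: Jane Doe <jane@examplefirm.com>
To: bob@examplefirm.com
Subject: Q3 invoices

Attached as discussed.
"""

# Same display name as a colleague, but the address is on a lookalike domain.
LOOKALIKE_MSG = b"""From: Jane Doe <jane@examplefirm-mail.net>
To: bob@examplefirm.com
Subject: Q3 invoices

Please open the attached file today.
"""

if __name__ == "__main__":
    for raw in (INTERNAL_MSG, LOOKALIKE_MSG):
        out = tag_external(raw)
        print(out["Subject"], "| external:", out.get("X-External-Sender", "no"))
```

Running the block prints the untouched internal subject followed by the tagged lookalike one. The marker header is what lets a mail client show the tag beside the message in the inbox, which is the third placement the text describes.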
There are several security training platforms your IT company can investigate and implement at your firm. These platforms proactively train your team to identify a phishing email or a suspicious encrypted attachment by automating simulated phishing attacks against your team. Reporting is usually provided to show how the team performed, which helps management identify weak areas to focus on and provide additional training as needed. If you'd like to go a step further, which we recommend, many of these companies also offer compliance training software. As with any new software implementation, it is important to communicate the why behind it to your team. You want them to understand that this is an additional layer of protection for the firm and its clients; it is not being used to track their computers, and it is not a reflection of their work.