Phishing Emails: A Field Guide
How to recognize, stop, and avoid phishing attacks

Introduction: Understanding the Lure of Phishing Scams

Jack Danahy, co-founder and CTO at Barkly

Twenty years ago, hackers attempted to breach organizations by breaking holes (or finding them) in the network perimeter of organizations, or in exposed and critical servers. In response, security became focused on locking those things down. The result: a “hard, crunchy outside” that unfortunately still left internal users, systems, and networks unprotected.

Modern attackers have long since realized the easiest way to deliver their attack tools is to focus on the “soft, chewy, center” of the organization. And the very softest part is the ambulatory, 98.6 degree system: the user. By setting their sights on employees, criminals increase their odds of compromising an organization considerably. After all, why go to the trouble of trying to break through strong, digital defenses when you can simply trick someone on the inside into opening the door and letting you in?

What is phishing and who does it target?

Users are susceptible to all manner of phishing scams, from free software to fake websites, from unsolicited photos to Nigerian fortunes. They unwittingly type their credentials into fraudulent screens. They click on malicious links that install system monitors, keyloggers, ransomware, backdoors, and bots.

It’s hard to blame them. Social networks, particularly LinkedIn and Facebook, serve up all the information, contacts, and backstory necessary to make a targeted spear phishing attempt or spoofed email look real. When that message appears to come from a high-level executive — a tactic referred to as a business email compromise (BEC) scam — it’s very easy for any employee at an organization to be duped.

Any organization — big or small, regardless of industry — can be the target of a phishing attack. That's because many phishing messages are delivered via mass email campaigns, with attackers understanding that even a small success rate spread out over a large number of attempts can still generate them a profit. 

According to Wombat Security's 2016 State of the Phish report, 4 out of 5 organizations have experienced phishing attacks, and the frequency of those attacks is increasing.

Phishing statistics: attacks are on the rise

(Figure omitted.) Source: Wombat 2016 State of the Phish

Why learning how to protect yourself from phishing attacks is so important

According to the Verizon 2016 Data Breach Investigations Report, email attachments have become the #1 delivery vehicle for malware, with email links coming in at #3.

Email attachments are the #1 delivery vehicle for malware

(Figure omitted.) Source: Verizon 2016 DBIR

Infecting a single user with malware can give attackers everything they need to launch a much more substantial penetration into your organization's network, stealing credentials, disrupting critical processes, or — in the case of ransomware — encrypting data and making it inaccessible until ransom demands are met.

Nearly 97% of phishing emails delivered ransomware in Q3 2016

(Figure omitted.) Source: Proofpoint Q3 2016 Threat Summary

The cost of phishing attacks is in the hundreds of millions of dollars and mounting. Their profitability continues to spawn new criminals and increasingly sophisticated new tools.

Preventing these losses starts and ends with supporting your organization's users — protecting them from themselves, and, while they develop better habits, protecting the organization from their mistakes.


This guide will help you to develop and deliver messages that will raise the priority of security in the organizational mind. It will also give you some concrete steps to take in blunting the sharp edge of the phishing trend and its dangers. Weakness has taught attackers to phish. Now it’s time to teach our users to resist the lure.

Are you counting on your users being perfect?

Learn how to automatically block phishing attacks even when one of them takes the bait. Training users to avoid falling for phishing emails is a must, but knowing you're protected even if they do get fooled? That's even better. Find out how Barkly can help you stop phishing attacks automatically, before they do any damage.


The Executive

"The Whale" (Big Shoticus Exectatum)


Corner Offices, Board Meetings, Conference Keynotes

Prized For

Confidential Information, Financial Data, Executive Credentials



CEOs, CFOs, and other executives are some of the biggest phishing targets at your company. As high-ranking decision-makers, they’re prized for their access to sensitive corporate information as well as their authority to sign off on things like wire transfers. Attacks targeting these high-ranking individuals are called spear phishing or whaling attacks.

Habitually busy and no strangers to urgent requests, executives often don’t have time to closely inspect every email they get when they’re rushing from one meeting to the next. Many have assistants to help them manage their day-to-day, and those employees can be popular phishing targets, too (more on them later).

Whale of a target: why and how executives get phished

Their authorization and access privileges make executives extremely popular — and potentially very lucrative — phishing targets. Because they have higher public profiles than lower-level employees, it’s also often easier for attackers to find information online (executive team bios, LinkedIn connections, etc.) they can use to make their phishing emails more convincing and specific.

Phishing attacks on executives typically take the form of a request for sensitive information from a trusted source. It could be someone they regularly do business with, a fellow executive at their company, or even the CEO. By commandeering or spoofing a CEO’s email, attackers can make requests to other executives that are far less likely to be turned down. After all, who says “no” to the boss?

Whaling prevention tips

  • Make additional authentication or verification steps required for any sensitive requests like wire transfers.
  • Encourage execs to limit what they share and who they connect with on social networks.
  • Make it policy not to share confidential information over email.

How to be a “Whale Whisperer” and keep execs safe

  • Nothing gets executives’ attention like reminding them how important they are. Explain why they’re such prized targets. Underscore the havoc it can wreak on the company if they personally get compromised.
  • Remember, with execs, numbers talk. Make the business case for mandatory security awareness training tailored specifically for them. Have stats ready to back yourself up.
  • Try appealing to their leadership instinct by conducting company-wide phishing tests and making them accountable for improving their departments’ results. For an added boost, make it competitive.

How to spot a whaling email (example)

Here’s an example of a whaling email your CFO might receive requesting he/she share financial information in advance of a board meeting (for a real-life example, see this social engineering attempt sent to our CEO).


Administrative Assistant

"Administrative Angelfish" (Knowicus Everythingilus)


Front Desks, Company Functions, Anywhere a Whale is

Prized For

Access to Whales, Confidential Information, High Email Volume



Masters of multitasking. Lords and ladies of logistics. Keepers of the calendar and phenoms of the phone screen. Administrative assistants are the unsung heroes of the corporate fish school. They handle all the behind-the-scenes scheduling, organizing, and gatekeeping that keeps everything running smoothly and enables executives to do their jobs.

Because of their supporting role, admin assistants often have access to company and individual executive accounts, and it’s not uncommon for them to sign off on transactions or make payments on an executive’s behalf. They take the job of managing their executives’ time and day-to-day tasks very seriously, but they can also be habitually accommodating and deferential, not to mention in a rush.

The perfect assist: why & how admin assistants get phished

With the possible exception of executives, admin assistants are some of the most highly-prized phishing targets in your organization. That’s because, thanks to their close association with executives and access to their accounts, attackers tend to view them as softer targets who can still give up the keys to the kingdom.

Phishing attacks on administrative assistants often take the form of a request from another executive or a vendor they do business with. A common spear phishing tactic is to say the executive they support already approved a request and the admin just has to review an attachment or send along some information.

How to protect admin assistants from phishing damage

  • Provide them with a clear procedure for how to deal with suspicious emails and report them to IT (or to US-CERT, directly).
  • Make sure you have good email/spam filters in place.
  • Limit assistants’ access and privileges to the minimum they need to do their jobs (read: don't let your admins be admins).

How to make admins more phishing aware

  • Assistants tend to be protective of the execs they’re reporting to. Leverage that protectiveness by emphasizing it’s their job to keep their bosses (and themselves) safe by being on the lookout for phishing attacks.
  • Assistants also hate to waste their boss’s time. Reassure them being a little proactive now can save time as well as major headaches down the line. Execs would much rather deal with the occasional verification check-in or delay than find out they’ve been hacked.

A spear phishing email example for admin assistants

Here’s an example of a spear phishing email an administrative assistant might receive asking them to download and review an unpaid invoice that's actually a malicious attachment.


The Salesperson

“The Sales Shark” (Alwaysicus Be Closingtatum)


Sales Floor, On The Road, Golf Course

Prized For

Responsiveness, Email Optimism, Risk Taking



Salespeople are the inside salespeople, business development managers, and account executives who are on the hunt for your company’s next big deal. They interact with prospective and existing clients in person, over the phone, and via email all day long to drum up new business and keep revenue coming in.

The average day for a salesperson involves a large number of small tasks — making calls, sending quotes, meeting clients, and closing deals. They’re always on the lookout for emails from prospective customers. Salespeople want to be attentive and responsive to help close business, so they like to reply quickly to any incoming email or phone call.

Why & how salespeople get phished

Salespeople are always chasing the next deal. To them, time is money, and they won’t think twice about taking risks and bending the rules if they believe it will help them move faster. They’re also prospect-pleasers, and their eagerness to oblige can make them prime phishing targets.

As more and more companies conduct business using digital signatures and online forms, salespeople can easily be convinced to visit an insecure site or download an infected file. By the nature of their jobs they can also be incredibly easy to get a hold of. Phishers can typically find their name, phone number, and email address readily available online, and they can be reasonably confident any message they send a salesperson will at the very least be opened.

How to protect salespeople from spear phishing

  • Talk with your purchasing department about how to transfer POs and invoices through methods other than email.
  • Some varieties of ransomware and other malware require Microsoft Office macros to be enabled. Disable macros across your network to keep a salesperson from accidentally enabling them.
  • Remind salespeople to double-check any linked text they receive in an email. Hovering over the link will show them the URL. If it looks sketchy, they shouldn’t click.

How to pitch salespeople on being more aware

  • Remind salespeople about the downtime a phishing attack can cost them. If their computer or phone needs to be cleaned and restored, that’s potentially hours or even days of calls, demos, and closes they’re going to miss out on.
  • Salespeople are very concerned with how your company and its products are perceived. Remind them that if they do get compromised by a phishing attack it could severely damage your company’s reputation with prospective customers.
  • Habit is your best friend when it comes to training salespeople. Breaking down best practices into small, easy-to-follow instructions will help them be more security conscious.

A spear phishing email example for salespeople

Here’s an example of a phishing email a salesperson might receive asking them to provide product information by filling out a form.


Human Resources

“The Human Resourcetapus” (Benifitus Talkalotis)


Interviews, Benefits Meetings, Long Talks

Prized For

Confidential Info, Tax & Payroll Records, Eagerness to Please



Human resources professionals are the people people of your company. Their specific roles can vary, but generally they’re focused on recruiting and onboarding employees, helping them navigate company policies and procedures, and managing the company’s payroll system and benefits programs.

Their jobs require HR professionals to be some of the most highly connected people in your organization. They spend much of their day communicating with current and potential employees, building out their network, and collecting information the company can use to better manage its workforce.

Why & how HR pros get phished

By their very nature, members of the HR team are people who like helping others. Their role is often built around sharing information, and they have access to a lot of it. Payroll data, W-2s, employee benefits information, the list goes on...

Phishers can take advantage of this by posing as an employee looking for help accessing their own info, or a high-level executive asking for larger amounts of information. During the 2016 tax season alone, over 50 organizations were tricked into leaking their employees’ W-2 forms by phishing emails impersonating requests from CEOs.

How to protect HR from spear phishing

  • Invest in benefits software and employee portals so employees never have to send confidential documents over email.
  • Remind members of the HR team that any requests they receive from an employee asking for sensitive information should be verified either over the phone or face to face.

How to hook HR reps on being more aware

  • HR is a job that appeals to people people. Take some time to remind them of the potential harm phishing attacks can cause other team members if they aren’t vigilant.
  • HR is also a role that appreciates policies and procedures. They’re more likely to be receptive to a clear list of things to do and not to do than “Did you know” information about how phishing attacks really work.
  • W-2 scam emails targeting HR have been well-documented. Show them real-life examples so they understand phishing isn’t theoretical.

A spear phishing email example for HR

Here’s an example of a phishing email purportedly from the CEO asking an HR professional to forward copies of employee W-2 forms.


Every Employee

“The Phisherman's Platter” (Everyoneicus Even Youtum)


Desks, Offices, Corner Offices, Meeting Rooms, the Water Cooler

Prized For

Lack of Security Awareness, Travels in Large Groups



So far, we’ve been focused on phishing attacks that target specific employees (what many refer to as “spear phishing” attacks), but the truth is mass phishing attacks are still just as popular as ever.

Before we wrap up, then, here’s a quick reminder that anyone at your company — from the CEO to entry-level assistants — can be the subject of a phishing attack. That means your training programs and security measures really need to be addressed to everybody, even other folks in IT. The more people you can get involved (and the easier you can make it for them to get involved), the better.

Why & how anyone can fall victim to targeted phishing attacks

While sending personalized emails to specific targets can be far more convincing and effective, it also takes work, and plenty of attackers still prefer to do things the old fashioned way — send out a generic email blast, and see what casting a wide, indiscriminate net can reel in.

These emails may not be as successful on an individual basis, but with an average success rate of 12% (Verizon DBIR 2016), many criminals are content to simply blast out a high volume of phishing emails and play the odds. After all, it only takes one employee to make a mistake for an attacker to gain access into an organization.

How to protect all employees

  • Utilize spam/email filtering solutions and make sure you have additional endpoint security installed that covers the gaps in antivirus protection.
  • Actively encourage employees to contact IT anytime they run across an email that looks suspicious, and provide a clear policy for doing so.
  • Make sure you have a company-wide backup strategy and that you’re limiting user account privileges.

How to encourage everyone to be more aware

  • For starters, actually take the time to talk! Get to know what their day-to-day looks like and what their goals and challenges are. Talk about security with those things in mind, and use examples that directly apply to them.
  • Give actionable tips, not lectures.
  • Make training about helping them (not just the company), and show employees how they can help keep their friends and family safe by being more secure outside of work, too.
  • Positive reinforcement works. A company-wide thank-you email praising employees who report suspicious emails can be more powerful than 10 email reminders about not downloading .exe files.

One more example of a phishing scam email

Here’s an example of a mass phishing email posing as an update from HR.


Conclusion: How to Prevent Phishing

So, now you’ve taken a closer look at some of the users swimming in your corporate aquarium (sorry, had to) and learned what makes them valuable and vulnerable from a phisher’s perspective. Feel free to print out the sample phishing emails we’ve provided, along with the bonus checklist at the end of the guide, to help train your users on what to watch out for.

It’s important to remember, however, that while user education can do a lot to limit cyber attacks, no training program can guarantee protection from every threat all of the time.

With that in mind, here are some additional steps you should take to protect your organization from phishing attacks and the malware they deliver:

1) Add a layer of runtime malware defense on top of antivirus

Antivirus solutions are great for blocking malware when they know what blacklisted files to look for, but with more than 390,000 new variations of malware created every day, they have a very hard time keeping up. By looking at system behavior to identify malware instead of matching file signatures, Barkly’s runtime malware defense stops attacks from doing any damage, even if a phishing attempt is successful in getting a user to click.

See what it looks like when a user triggers an attack with Barkly installed:

(Figure omitted: Barkly blocking a phishing attack.)

2) Have a solid backup strategy and test it properly

If you’re hit with a cyber attack, especially a ransomware infection, your best bet is to wipe the computer and then restore from your last good backup. That assumes you have a good backup to restore from. To make sure you’re prepared, build out a backup that is 3-2-1 compliant — keep three copies of your data in two separate locations, one of which is off site, and test it at least quarterly. Remember: when it comes to backup you’re only as good as your last good snapshot.

3) Let users know what to do if they do have an infection

If you fail to prepare you prepare to fail, especially when it comes to cyber attacks. When you speak to your users about avoiding phishing attacks also remind them what to do if they suspect their machine has been infected: unplug the ethernet cord, shut off the wi-fi, shut down the computer, and report the infection to IT immediately.

4) Disable Microsoft Office macros 

Since a common tactic by cyber criminals is to deploy malware through Office macros, newer versions of Microsoft Office and Office 365 will enable the IT team to block documents from enabling them. Check to see if your version of Office supports macro blocking and, if possible, adjust your Group Policy settings to disable macros from running.

5) Configure user settings to show file extensions by default

One way attackers disguise malware and get users to open it is by hiding the true file extension. Many users may know to be suspicious of .exe files, but since Windows actually hides extensions by default, that opens the door for trickery (ex: naming an executable file "presentation.xlsx.exe" so it appears to be an Excel file). Make sure users are seeing full file extensions by opening Control Panel > Appearance and Personalization, then File Options > View tab and uncheck "Hide extensions for known file types."
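To make the double-extension trick concrete, here is an added example (not code from the guide or from Barkly) that models what Explorer displays with extensions hidden and flags attachment names whose real extension is executable while the visible name looks like a document. The extension lists and the sample attachment names are constructed for illustration, not an exhaustive policy.

```python
import os

# Constructed lists for the example: extensions a user reads as "a document"
# and extensions Windows will actually execute. Extend them for real use.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".pdf", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd",
                         ".js", ".vbs", ".ps1"}


def true_extension(filename):
    """The real (last) extension, lower-cased, e.g. '.exe' for 'report.xlsx.exe'."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename, hide_known_types=True):
    """Approximate what Explorer shows the user.

    With "Hide extensions for known file types" on (the Windows default),
    only the last extension is dropped, so 'presentation.xlsx.exe' is shown
    as 'presentation.xlsx'. With the setting off, the full name is shown.
    """
    if not hide_known_types:
        return filename
    root, _ext = os.path.splitext(filename)
    return root


def is_disguised_executable(filename):
    """True when the file really is executable but the visible name looks like a document."""
    if true_extension(filename) not in EXECUTABLE_EXTENSIONS:
        return False
    visible_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return visible_ext in DOCUMENT_EXTENSIONS


def flag_attachments(names):
    """Return the attachment names that use the double-extension disguise."""
    return [n for n in names if is_disguised_executable(n)]


if __name__ == "__main__":
    # Constructed sample attachment names, as a mail filter might see them.
    sample = ["budget.xlsx", "presentation.xlsx.exe", "invoice.PDF.scr", "setup.exe"]
    for name in sample:
        print(f"{name:24} shown as {displayed_name(name):20} "
              f"disguised={is_disguised_executable(name)}")
    print("flagged:", flag_attachments(sample))
```

The same check belongs at the mail gateway, where the true extension is still visible even when the user's desktop hides it.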

ABP: Always be patching

Update your software as often as possible and remind your users to do the same. Even better, look into automating patch management and installation.

Free Checklist: 5 Tips to Stay Off the Hook

Download this checklist & give it to your users to help them spot a suspicious email.


Appendix: Phishing Prevention Tools & Resources

Phish your own users with these free phishing tests


Find out what percentage of your users are “phish-prone” with KnowBe4’s free phishing security test.


Create your own simulated phishing campaigns and track results with this easy-to-use open source platform.

Anti-spam and email filtering tools

Email Exposure Check (KnowBe4)

Criminals love finding legitimate business email addresses they can use to launch social engineering and spear phishing attacks. Find out how many of your company’s email addresses are exposed on the Internet along with where they can be found. Check your exposure here.

10 Spam Filtering Solutions

The folks at Sitepoint have put together a list of 10 free and paid options that can help you create a spam-free inbox or even stop spam at the server end. See the list.

Examples of real-life phishing emails

Phishing Interactive Learning Module (Security Awareness Company)

Give your users the opportunity to see what real examples of phishing emails look like first hand, then test their knowledge by asking them to sort legitimate emails from phishing ones. Get the test.

Phishing email repositories

Several universities also keep online collections of phishing emails their students and faculty have actually received. These are great to share with your users as real-life examples of what to watch out for.

Protection for users who do take the bait


We don’t mean to brag, but Barkly's runtime malware defense is designed to stop the attacks that sneak past users and antivirus. Consider it a last line of defense you can rely on even when something else slips. See how it works.

Bonus Prize: Build Your Own Barkly Submarine

Go on the hunt for malware with your very own 3D paper Barkly submarine.

