How to protect staff from cyber fraud

We have recently heard of an employee falling victim to a scam that saw him conned out of hundreds of pounds, after responding to a scam email that he believed to be from his manager. Cyber scams are now all too common and your staff could be at risk if you don’t have adequate measures in place to protect them. We would highly recommend incorporating IT security policies into your company handbook so that staff all follow the same guidelines.

Here are some of the essentials to include in your policy to protect staff from cyber fraud:


Create a secure password

Hackers are becoming more sophisticated in how they guess passwords and access systems. Off-the-shelf cracking software can try billions of guesses per second against a stolen password hash, working through dictionary words, common patterns and every short combination of characters.

Here are some key considerations when creating your passwords:

  • Password Length
    • Short passwords are easier to crack (a 3-character password can be cracked in well under a second by software). Length matters more than anything else: a passphrase of several unrelated random words (the NCSC suggests three) is both stronger and easier to remember than a short jumble of symbols.


  • Making your password a nonsense phrase or word
    • Passwords that have random words or letter combinations that are not in the dictionary are harder to crack.


  • Include numbers and symbols
    • Numbers and symbols enlarge the set of characters an attacker has to search, but predictable substitutions (0 for o, @ for a, $ for s) are built into every cracking tool and add almost nothing. Extra characters only help if they are placed unpredictably, and they are no substitute for length.


  • Avoid including obvious personal details
    • Birthdays, pets' names, addresses: all of this is available online for anyone who wants to guess your password. Likewise, if you are asked to set security questions for system access or password resets, use answers that cannot be found online (they need not be true, as long as you record them in your password manager).


  • Don’t reuse passwords or old passwords
    • Stolen credentials from data breaches are bought and sold, and attackers routinely try old email-and-password pairs against other systems ("credential stuffing"). Even if a breach did not affect you at the time, a password you reused from it can be used against a new system. Use a unique password for every system, and never go back to a previous one.


  • Using a password manager to remember all your passwords and store them safely
    • The challenge in following all the guidelines is that it makes it hard to remember all the passwords to every system and also to store them safely. It’s recommended to use a password manager.
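The checks listed above can be enforced rather than just recommended. The following Python script is an added example, not code from the original article: it estimates how long a password would survive offline brute force at an assumed rate of 10 billion guesses per second, undoes the predictable leetspeak substitutions before testing against a wordlist, and compares the password's SHA-1 hash against a breach list. The wordlist, the breach list and the guess rate are constructed assumptions for illustration; in practice the wordlist and breached hashes would come from a real corpus such as the Pwned Passwords dataset.

```python
"""Password policy checker (added example; wordlist and breach data are constructed)."""
import hashlib
import math
import re

# Constructed sample wordlist standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "company", "monday"}

# Constructed "breach" list. Real corpora (e.g. Pwned Passwords) publish the
# SHA-1 hashes of leaked passwords, so we store and compare hashes the same way.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2023!", "P@ssw0rd", "Welcome1")
}

# Assumed offline cracking rate (GPU rig against a fast, unsalted hash).
GUESSES_PER_SECOND = 1e10

# Substitutions that cracking rule sets undo automatically.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def charset_size(password: str) -> int:
    """Size of the smallest character class set that covers the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy assuming every character is chosen uniformly.
    This overstates the strength of dictionary-based passwords, which is why
    the wordlist and breach checks below are applied as well."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def crack_time_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to brute-force the password: half the keyspace at `rate`."""
    return (2 ** entropy_bits(password)) / 2 / rate


def looks_like_dictionary_word(password: str, words=COMMON_WORDS) -> bool:
    """Strip a trailing number/punctuation suffix, undo leetspeak, then look up."""
    base = re.sub(r"[0-9!?.]+$", "", password)
    return base.translate(LEET).lower() in words


def is_breached(password: str, breached=BREACHED_SHA1) -> bool:
    """Compare the SHA-1 of the candidate against the breach list (never store
    plaintext passwords; hashes are enough for this lookup)."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in breached


def check_password(password: str, min_length: int = 12, min_crack_years: float = 10) -> list:
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < min_length:
        findings.append(f"too short: {len(password)} chars, policy minimum is {min_length}")
    if looks_like_dictionary_word(password):
        findings.append("dictionary word with predictable substitutions")
    if is_breached(password):
        findings.append("appears in a known breach; attackers will try it first")
    years = crack_time_seconds(password) / (365 * 24 * 3600)
    if years < min_crack_years:
        findings.append(
            f"brute-forceable in about {years:.3g} years at {GUESSES_PER_SECOND:.0e} guesses/s"
        )
    return findings


if __name__ == "__main__":
    for candidate in ("abc", "P@ssw0rd", "Summer2023!", "correct horse battery staple", "fjK9-mnZ3q!wR7pL"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that "P@ssw0rd" scores over 50 bits on the naive entropy estimate yet is caught three times over: it is short, it is "password" with textbook substitutions, and it is in the breach list. That is the point of running the wordlist and breach checks alongside any length rule.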


Change passwords regularly
Many policies still require a change every 8-12 weeks on systems that hold sensitive data, but the NCSC now advises against routine forced expiry: it pushes staff towards weak, predictable variations of the same password. A long, unique password kept in a password manager is safer left alone. What matters is changing a password immediately whenever it may have been exposed, for example after a phishing email, a breach notification or a lost device.

 Use a password manager

There are numerous systems available to help store staff passwords securely. This not only keeps the information safe; a shared vault or emergency-access feature also lets colleagues reach business credentials during illness or holiday cover, without passwords being emailed around, written down or shared in person.

Lock your device

When leaving your device unattended, or on leaving the office, you should make sure that you log off or lock your screen to prevent access in your absence. All staff should be advised to do the same, and devices should be configured to lock automatically after a short idle period so that a forgotten screen does not stay open.

If your computer is lost or stolen

You should advise your staff that in the case of a lost or stolen laptop or phone they should notify their line manager immediately, so that the device can be remotely locked or wiped and any passwords or tokens stored on it can be changed before they are misused.

Protecting data when sharing

Remind staff to be mindful when sharing personal data (data that can identify a person, e.g. their name, address, job title or salary). Ideally, anonymise data where possible, and make sure any confidential documents are encrypted or password protected, with the password sent by a separate channel (a phone call or text) rather than in the same email as the document.


Suspicious emails and texts

From time to time we all receive emails or texts that seem to be official but are actually attempts to get us to click on links that download malware onto devices or lead to fake login pages. If you receive a message that you weren't expecting, that comes from an address which doesn't match the claimed sender, or that contains numerous spelling mistakes, poor grammar or broken English (and that's not what you would expect from the sender), do not click on any links or open attachments. Encourage staff to report such messages to their line manager rather than simply deleting them, so that colleagues who received the same message can be warned.

Social Engineering 

Scammers have started to use other ways to get money or access to systems. Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information, or into taking an action such as making a payment, that can then be used for fraudulent purposes.

Phishing (emails purporting to be from reputable companies or people in order to induce you to reveal personal information, such as passwords and credit card numbers) is one example. Another is an email that appears to come from a manager or colleague, often sent from a personal address or a look-alike domain, asking for money to be transferred to an account in an emergency, or for you to buy business items (typically gift cards) for which you will be reimbursed. The scam that opened this article was of this kind.

Clearly brief your staff, in person and in your company handbook, that you will never email them asking for money or for them to pay for business items unless previously agreed, and that no request for a payment or a change of bank details is actioned on the strength of an email alone. If they receive an unexpected request, encourage them to call the sender on a number they already have (not one given in the message) to check it is genuine, and to report any suspicious activity to their manager.

Read more about Cyber security on the NCSC website.

We can help advise on what else should be included in a company handbook, get in touch to find out more.


