How to train staff to look for scams

Cybercrime is the most common crime affecting businesses in the UK, with 49% falling prey to it, compared to 31% globally. According to Aviva, one in ten small businesses experienced a cyber attack or incident in 2023. It estimates that businesses are 67% more likely to have experienced a cyber incident than a physical theft. Worryingly, one in five businesses do not know what to do in the event of an attack. Small businesses are often a vulnerable target because they typically have fewer resources and smaller budgets to protect against and deal with such threats. Cybersecurity is now a collective responsibility that extends beyond IT alone; it involves individual employees and management. So, collaboration with your staff is critical. We’ve put together this guide with Cubit Technology to help you train your staff to look for scams and build a culture of cybersecurity within your business.

Understanding the threats

Cybercriminals employ various tactics, including phishing, malware attacks and social engineering to compromise valuable business data. The consequences of these can be severe, from financial losses to reputational damage. The three most common include:

  • Phishing – usually a malicious link or attachment in an email or message. Once the victim clicks the link, malware is downloaded and ransomware can be activated.
  • Ransomware – malicious code that encrypts files and leaves a ransom note demanding payment in exchange for the stolen data.
  • Exploiting vulnerabilities, such as insecurely stored data, or conning a member of staff into making a transaction that is not genuine.

Ralph Harrison, Sales and Marketing Director at Cubit Technology, highlights: “Another concern is finding that your identity is being used by cybercriminals in their attempts to scam others. There are protective measures to reduce the chance of this. For more information, get in touch and we can advise on how far these have been set up for your domain.”

The human role in cybersecurity

Your staff play a pivotal role in protecting your business against scams. Educating them about the risks, and training them to identify threats aimed at them personally, is therefore essential. Here are just some of the ways you can train staff to help protect your business and themselves.

  1. Recognising phishing attempts

This remains one of the most prevalent scams, often tricking employees into divulging sensitive information. According to The Egress Email Security Risk Report 2024, 94% of respondents fell victim to phishing attacks – a 2% increase from the previous year.

Encourage staff to identify these threats by:

  • Scrutinising email addresses or phone numbers – making sure they belong to the actual sender before taking action.
  • Hovering over (without clicking on) links to check that the real destination matches what is shown.
  • Checking for grammatical errors, although these are becoming less common now that attackers use AI tools.
  • Analysing the language used – phishing messages often use urgent or threatening language to push the reader into immediate action.
  • Avoiding unsolicited attachments.
  • Verifying the legitimacy of unexpected requests for personal or financial information.
  • Trusting their instincts: if something feels wrong, or too good to be true, it probably is.
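Three of the checks above (sender versus Reply-To address, the real link target versus the text shown, and urgent wording) can be automated for triage. The script below is an added example, not code from the article or from Cubit Technology; the message and every domain in it are made up.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
URGENT = ("immediately", "urgent", "within 24 hours", "will be suspended")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the 'hover over the link' check."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()  # 'A <a@b.test>' -> 'b.test'
def phishing_indicators(raw_message):
    """Return human-readable warnings for one raw message with an HTML body."""
    msg = message_from_string(raw_message)
    warnings = []
    sender, reply_to = domain(msg.get("From", "")), domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:  # replies would go to a different domain
        warnings.append(f"Reply-To domain {reply_to} differs from sender {sender}")
    body = msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        # Only compare when the visible text itself looks like a URL or host name
        looks_like_url = "://" in text or ("." in text and " " not in text.strip())
        shown = urlparse(text if "://" in text else "//" + text).hostname if looks_like_url else None
        if shown and shown != target:  # text names one site, href points to another
            warnings.append(f"link text shows {shown} but points to {target}")
    if any(phrase in body.lower() for phrase in URGENT):
        warnings.append("urgent or threatening language in body")
    return warnings

# Constructed sample for this added example; every domain here is made up.
SAMPLE = """From: Accounts <accounts@example-bank.test>
Reply-To: accounts@example-bank-secure.test

Your account will be suspended unless you verify immediately:
<a href="http://login.example-bank-secure.test/verify">https://example-bank.test/verify</a>
"""
```

Run `phishing_indicators(SAMPLE)` to see all three warnings fire on the sample; a clean message returns an empty list.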

Training tip: conduct simulated phishing exercises to provide practical experience. Platforms like KnowBe4 allow you to create realistic scenarios to test and train your staff. It’s video-based training with regular tests to help keep everyone aware of threats and encourage a change of behaviour.

We recommend all employees, especially the most senior, receive cybersecurity training at least monthly. For advice on the most suitable packages, contact us.

Ralph Harrison

Cubit Technology

  2. Awareness of social engineering

Social engineering training involves making staff aware of attempts to extract confidential information through phone calls, emails, or even in-person interactions. Train staff to approach any unexpected request, or any change of details (such as paying an invoice to a new bank account), with caution. They should verify the identity of the requester through established channels. Scams are becoming ever more sophisticated here, as shown by the recent well-documented case of an employee who attended a video meeting with two ‘deep faked’ colleagues and ultimately cost the business $25 million.

Training tip: encourage staff to engage in role-playing exercises recreating real-world scenarios.

  3. Identifying malware threats

Seemingly harmless attachments or downloads can pose a significant risk to businesses. Staff should be trained to always exercise caution before opening attachments, especially those from unknown sources. Always have up-to-date antivirus software and regularly conduct system scans. Ensure staff do this regularly; it is particularly important if you have a hybrid workforce.

Training tip: provide practical guidance on recognising signs of a malware infection (these include slow or erratic system performance and unexpected pop-ups).

Other tips:

  • Encourage staff to use strong passwords or use password managers.
  • Use multi-factor authentication where possible.

Create a cyber-aware culture within the company

Training extends beyond a one-time event, particularly as threats evolve and scams become more sophisticated. This means creating a culture of cyber awareness within the business.

  • Host regular training sessions to keep staff informed of the latest scams and cybersecurity best practice.
  • Have an incident response plan that details who to contact, a list of all devices on the network and any devices containing personal data.
  • Stay informed: sign up to useful newsletters – such as the monthly round-up from Cubit for updates.

By creating a culture of awareness and providing ongoing training and support, you can safeguard the business and build a resilient workforce. A well-informed team is your greatest asset.