Employee Cybersecurity Training – Avoiding Email Scams

Most of us have been working from home for a year now, and as we move into some hybrid types of business environments, it’s important to remember that hackers are still out in force looking to take your business and your money and your attention. 

Today, we’re talking about how to keep them away from your material and intellectual assets. 

The topic is cybersecurity training for your architecture, engineering, and design teams. We help our clients defend their businesses so they can focus on what they do best and not get hacked. 

We’re looking at cybersecurity as a whole, but in this piece, we’re focused on email scams. Email is a popular way to get attacked by hackers and scammers.  

We’ve got some examples of those attacks and some advice on how to defend yourself and your company. 

Email Attacks and How to Shift Your Mindset 

About 95 percent of all email is bad email.  

That leaves you with only five percent of emails that need to be read, opened, and acted upon. If you can adopt the mindset that every email could potentially be a bad email, you’ll take a big step towards protecting yourself.  

This is difficult because as humans, we’re trusting creatures. But, you should expect each email to prove itself to you before you open anything in it.  

Even the email from your most common contacts should be treated with suspicion. Maybe it looks odd in some way. If so, someone could be baiting you.  

Email attacks are the most common way to get a virus, give away your information, or find yourself hacked. Treat each email like it’s suspicious.  

Types of Email Attacks 

Hackers are always evolving. Right now, however, there are three common email attack types.  


Phishing 

You might get an email from an institution you recognize with the notification that a file has been shared with you. Or, maybe it’s from your bank notifying you of a withdrawal. You click on the button provided and it takes you to a site that looks familiar, so you put in your credentials. That information is shared with the bad guys, and any of your personal information on that site has been compromised.  

Spear Phishing 

Similar to phishing but more direct, spear phishing is used by attackers that already have some of your information. They’ll take the information they found about you from LinkedIn or another source, and they’ll use it to target their message to you specifically. There’s a sense of urgency, and you probably won’t pay attention to why you shouldn’t respond. If you’re the CFO of a company, for example, the email could look like one from your CEO, asking you to transfer money. It feels real because it’s so targeted.  

Virus / Ransomware 

The whole purpose here is to infect your computer or your business with something that allows the attacker to take your money or your files. This email will usually be something that looks like a contact sharing a file or asking you to confirm something. You’ll click on the provided file or link, and then nothing happens. Three hours later, your files may be encrypted and you can’t access them.   

Examples of Email Scams

We’ve provided three examples, one for each of these email scams:  

  1. In the Virus example, you can see that someone is asking you to perform an action. They want you to click on a link and the name associated with this email looks right.  
  2. In the Spear Phishing example, you can see that the email appears to be coming from the bank. There’s a sense of urgency and they want your bank information. 
  3. In the Phishing example, the email is from Microsoft and it looks legitimate. They want you to secure your account, claiming that someone has used your log-in information.  

How to Defend Against Email Attacks  

There are a few things you can do to ensure the email is valid.  

First, try not to take any action on emails from your phone. Do it from your computer where you have the tools to do some extra checking.  

Next, check the email address. The name might look right, but if you take a look at the full email address, you’ll see that it’s not associated with the company or the person who is claiming to be emailing you. Examine the email address carefully.  

Then, hover over the link with your mouse. On a valid email, the link you’re being sent to will be associated with the company. On a bad email, the URL will not be familiar.  

If there are any telltale signs, delete the email or send it to your IT department. You can also send it to us, at ArchIT. We ask our clients to share these emails so we can continue to log the threats.  

Three things can be done to better secure yourself against these threats.  

  1. Do all the standard stuff really well. Make sure there is some advanced threat protection in place so you have an extra level of security when it comes to email.  
  2. Look for those red flags in every email you receive. Never assume it’s a good email – instead, assume it’s part of the 95 percent of bad emails coming through your system.  
  3. Stay up to date on all the new threats emerging. 

We have an entire guide with additional examples on email threats and shoring up your cybersecurity training. Download that for free, and contact us at ArchIT. We specialize in providing IT services for architecture, design, and engineering firms.