The 2019 Verizon Data Breach Report identified phishing as the number one cause of data breaches and the most disruptive type of cyberattack. These schemes are common because:  

• They're easy. Even novice criminals can execute a phishing scheme.
• They're flexible. Email schemes can be used to deliver malicious payloads (like ransomware), steal user credentials, steal crown jewels data, and instigate phony wire transfers.
• They're valuable. Phishing schemes cost companies well over half a billion dollars each year in fraudulent transactions, lost data, revenue, and productivity.
• We're really bad at stopping them.  They prey on our "click first" mentality and the onslaught of emails we skim through a daily basis.
  

In a Hurry? Get our Cyber Awareness Email Template in your inbox in seconds.

The First Step of Cyber Awareness...

...is communication. Regular, consistent, and informative communication.

Everyone (yes, every. single. person.) in your organization needs to know what hackers are trying to do, and what role they can play in stopping them.

We often get asked for tips on communicating with employees about these topics - from ransomware (a top concern after WannaCry) to basic phishing to password best practices.

So, in that spirit, we've decided to bust our cyber awareness email templates out of the vault, and post them here for you to use in your organization.

Below, you can find email templates for the four most common cyber awareness topics: ransomware, phishing, whaling, and password tips. Feel free to use, share, and remix. 

Please note that any [bracketed] text is meant to be replaced with your company-specific information.

Ransomware Awareness Email Template

Ever since the global WannaCry incident in 2017, ransomware has been one of the most talked-about security topics in the country. Ransomware is a popular attack choice because organizations continue to pay to free up their data - with the average payment reaching upwards of $84,000. As long as hackers keep getting rewarded for their efforts, ransomware will continue to be a go-to strategy, just ask the 70+ state and local governments that were hit by ransomware in the U.S. in 2019. Stopping it isn't easy - but it starts by knowing what to look for.  The email below can help educate your employees on the warning signs of a ransomware attack.

Dear team,

In an effort further enhance our company’s cyber defenses, we want to highlight a common cyber-attack that everyone should be aware of – ransomware.

Ransomware is increasingly being used by hackers to extort money from companies . Ransomware is a type of malicious software that takes over your computer and prevents you from accessing files until you pay a ransom.

Although we maintain controls to help protect our networks and computers from this type of attack, with the quickly changing attack scenarios we rely on you to be our first line of defense.

Here are some simple things you can do to help [COMPANY NAME] avoid a ransomware/malware attack:

Think Before You Click

The most common way ransomware enters corporate networks is through email. Often, scammers will include malicious links or attachments in emails that look harmless. To avoid this trap, please observe the following email best practices:

• Do not click on links or attachments from senders that you do not recognize. Be especially wary of .zip or other compressed or executable file types.
• Do not provide sensitive personal information (like usernames and passwords) over email.
• Watch for email senders that use suspicious or misleading domain names.
• If you can’t tell if an email is legitimate or not, please [INSERT COMPANY PROTOCOL].
• Be especially cautious when opening attachments or clicking links if you receive an email containing a warning banner indicating that it originated from an external source.

If Something Seems Wrong, Notify IT

If your computer is infected with ransomware, you will typically be locked out of all programs and a “ransom screen” will appear. In the unfortunate event that you click a link or attachment that you suspect is malware or ransomware, please notify IT immediately.

To contact IT, please [INSERT COMPANY PROTOCOL].

Thanks again for helping to keep our network, and our people, safe from these cyber threats.

Please let us know if you have any questions.

Regards,

[NAME]

Phishing Awareness Email Template

Phishing is the most common tactic employed by hackers, as it requires the least amount of effort and generally preys on the less cyber-aware. In fact, the FBI estimates that more than $1.75 billion was lost to business email scams like phishing in 2019. It's also the most common way for organizations to be exposed to ransomware. Phishing can take many forms, and the following email can be used to brief your organization on some of the common ways that phishers target companies:

Dear team,

In an effort to further enhance our company’s cyber defenses, we want to highlight a common cyber-attack that everyone should be aware of – phishing.

"Phishing" is the most common type of cyber attack that affects organizations like ours. Phishing attacks can take many forms, but they all share a common goal – getting you to share sensitive information such as login credentials, credit card information, or bank account details.

Although we maintain controls to help protect our networks and computers from cyber threats, we rely on you to be our first line of defense.

We’ve outlined a few different types of phishing attacks to watch out for:

• Phishing: In this type of attack, hackers impersonate a real company to obtain your login credentials. You may receive an e-mail asking you to verify your account details with a link that takes you to an imposter login screen that delivers your information directly to the attackers.
• Spear Phishing: Spear phishing is a more sophisticated phishing attack that includes customized information that makes the attacker seem like a legitimate source. They may use your name and phone number and refer to [COMPANY NAME] in the e-mail to trick you into thinking they have a connection to you, making you more likely to click a link or attachment that they provide.
• Whaling: Whaling is a popular ploy aimed at getting you to transfer money or send sensitive information to an attacker via email by impersonating a real company executive. Using a fake domain that appears similar to ours, they look like normal emails from a high-level official of the company, typically the CEO or CFO, and ask you for sensitive information (including usernames and passwords).
• Shared Document Phishing: You may receive an e-mail that appears to come from file-sharing sites like Dropbox or Google Drive alerting you that a document has been shared with you. The link provided in these e-mails will take you to a fake login page that mimics the real login page and will steal your account credentials.

What You Can Do

To avoid these phishing schemes, please observe the following email best practices:

• Do not click on links or attachments from senders that you do not recognize. Be especially wary of .zip or other compressed or executable file types.
• Do not provide sensitive personal information (like usernames and passwords) over email.
• Watch for email senders that use suspicious or misleading domain names.
• Inspect URLs carefully to make sure they’re legitimate and not imposter sites.
• Do not try to open any shared document that you’re not expecting to receive.
• If you can’t tell if an email is legitimate or not, please [INSERT COMPANY PROTOCOL].
• Be especially cautious when opening attachments or clicking links if you receive an email containing a warning banner indicating that it originated from an external source.

Thanks again for helping to keep our network, and our people, safe from these cyber threats.

Please let us know if you have any questions.

Regards,

[NAME]

Whaling Awareness Email Template

Whaling can be much easier to fall for than your typical phishing attack and has the potential to be much more destructive. SnapChat fell prey to whaling when an employee thought they were sharing payroll information with the CEO, but instead disclosed it to a malicious attacker. While we briefly touched upon whaling in the phishing e-mail, it merits its own e-mail due to its more convincing nature and potential for significant financial impact. The e-mail below will provide your employees with the necessary knowledge to identify and avoid whaling attacks:

Dear team,

In an effort to further enhance our company’s cyber defenses, we want to highlight a common cyber-attack that everyone should be aware of – whaling.

Whaling is a type of scam aimed at getting an employee to transfer money or send sensitive information to a hacker acting as a trusted source via email. Whaling is extremely easy to fall for and can result in significant financial losses.

These e-mails can be difficult to catch because they appear to be harmless, and have a normal, friendly tone and no links or attachments. They will appear to come from a high-level official at the company, typically the CEO or CFO, and often ask you to disclose sensitive information or initiate a wire transfer.

A few things to watch out for in a typical whaling attempt:

• Doppelganger: Whalers may utilize fake e-mail domains that look similar to our domain. Watch out for things like: [EMAIL]@[VARIATION ON COMPANY DOMAIN]
• A hurried tone: Whalers will often ask you to send money immediately, stating that they’re busy or in a meeting, and can’t do it themselves.
• E-mail only: Since whaling relies on impersonating an employee via a fake, yet similar email address, they will ask you not to call with questions and only reply through e-mail.

If you receive an e-mail that you suspect to be a whaling attempt, or if you are unsure of an e-mail’s legitimacy, please do not respond. Instead, [INSERT COMPANY PROTOCOL].

Remember, nobody from [COMPANY NAME] will ever request personal information, usernames, passwords, or money from you via email.

Thanks again for helping to keep our network, and our people, safe from these threats.

Please let us know if you have any questions.

Regards,

[NAME]

Password Tips Email Template

We get a ton of questions about what makes a good password policy, so many that we even published a blog post on the topic and a guide to help you weed out weak passwords within your organization. While the cheat sheet is an excellent resource for anyone to use, the following e-mail is an excellent resource to help you educate your company on password principles:

Dear team,

The easiest way to protect yourself, and [COMPANY NAME], from cyber threats is by having a strong password. It’s simple – the longer and more complex your password, the more difficult it is to crack. Shorter and simpler passwords take less time and resources for hackers to compromise.

Traits of a Bad Password

Hackers have created databases of the most common words, phrases, and number combinations that they can run your password through to find a match. The following are some common password themes that you should avoid:

• Birthdays;
• Names;
• Phone numbers;
• Sports teams;
• [COMPANY] information; and
• Simple obfuscation of a common word (“P@$$w0rd”).

What Makes a Good Password?

To start, your password should be at least [INSERT COMPANY PROTOCOL] characters long, with at least one capital letter, one number, and one special character (“@”, or “%”, etc.). As an added layer of security, change your passwords on a regular basis to ensure that you stay ahead of the hackers. And, whenever possible, you should use multi-factor authentication, such as Google’s “Two Step Verification” to add an extra layer of security.

Remember, the best passwords contain as much randomness as possible – using unlikely combinations and random characters is a great strategy. Be creative!

Bad: Fuzzydog82

Better: %FuZZyD0G#8254!

Best: myFuzzyDog-eats4bones!Aday-BIG$

It’s important to remember that you should not use the same password for multiple accounts – no matter how strong it is – because if one account gets compromised, then they’re all compromised.

Thanks again for helping to keep our network, and our people, safe from these cyber threats.

Please let us know if you have any questions.

Regards,

[NAME]

Want more awesome templates like this?

Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.