10 Phishing Awareness Tips to Keep the Grinches Away
Cybercriminals don’t take a break during the holidays. Here are 10 phishing awareness and prevention tips from experts to help companies and consumers stay safe this season and in 2025.
In the Dr. Seuss book “How the Grinch Stole Christmas,” the cruel Grinch sets out to ruin Christmas for the people in the town of Whoville. He does this through a form of social engineering — by dressing up and pretending to be an authority the Whos would trust (i.e., Santa Claus).
Likewise, cybercriminals love to use various social engineering tactics to masquerade as loved ones, managers, company executives, or even legal authorities and carry out phishing attacks.
In some ways, phishers make the fictional Grinch look as good and kind-hearted as Dolly Parton. Recent phishing statistics show the devastating costs associated with phishing scams. But until these cybercriminals are arrested — and, ideally, prosecuted — they’re free to wreak havoc on unsuspecting consumers and organizations alike.
Knowing this, we’ve asked four industry experts to share their best phishing awareness tips for businesses and consumers. Ideally, these insights will enlighten and help prevent you and your company from being scammed during the holidays (and in the year to come).
Let’s hash it out.
Before Diving into Phishing Awareness Tips: What Is ‘Phishing Awareness?’
We asked our group of experts to define “phishing awareness.” While there are differences in terms of how it’s commonly defined for consumers versus organizations, there is some overlap as well.
Avesta Hojjati, Chief Technology Officer at SecurityScorecard, describes phishing awareness as “the ability to recognize and respond appropriately to deceptive attempts, typically via email or messaging (e.g., WhatsApp or SMS), aimed at stealing sensitive information or gaining unauthorized access.”
Similarly, Jacob Duane, CEO at the email security and deliverability firm Stellastra, says that phishing awareness boils down to being familiar with the deceptive actions and behaviors associated with social engineering. “The primary objective of it is to cultivate a proactive mindset toward cybersecurity threats by educating individuals and organizations on how to effectively detect and respond to phishing attempts.”
Another expert, Dave Hatter, Cyber Security Consultant at Cincinnati-based IT company Intrust IT, broke things down more in terms of phishing awareness for businesses and organizations versus consumers:
- Phishing awareness for businesses: “Phishing awareness is education and training that helps employees identify deceptive emails, texts (smishing), or calls (vishing) and avoid the attempts to steal sensitive data, credentials, and money or deploy malware that come with them.”
- Phishing awareness for consumers: “Phishing awareness helps consumers recognize and avoid criminals posing as legitimate entities who trick individuals into disclosing personal or financial information or clicking on malicious links delivered via email, text, or phone calls.”
Let’s jump right into what you came here to read: 10 phishing awareness tips for businesses and consumers. After that, we’ll cover a handful of the most common phishing scams and explore what makes people more susceptible to them.
Phishing Awareness Tips for Businesses and Other Organizations
Phishing Awareness Tip #1: Provide Regular and Just-in-Time Training
Providing regular cyber security training can help employees keep cyber security threats top of mind. However, Duane encourages companies to move beyond annual security awareness training that just checks the box. Companies can make training more valuable by enhancing it with phishing simulations that enable companies to not only monitor progress but also provide more focused training.
Furthermore, these simulations also give companies an opportunity to provide additional timely trainings based on demonstrated gaps in phishing awareness and knowledge:
“Just-in-time learning is particularly effective: it ensures that more phishing-aware staff don’t feel their time is wasted while offering immediate training for those who fall for a simulated phishing email. If an employee clicks a malicious link or downloads an attachment during a simulation, they can instantly receive targeted training to address their phishing awareness blind spots.” — Jacob Duane
Related Resources: Cybersecurity & Phishing Awareness Training
Phishing Awareness Tip #2: Conduct Regular Phishing Simulation Tests
All the experts agree that phishing tests are a great way to gauge your employees’ cyber awareness and their ability to put that knowledge to use. Hojjati said that hosting regular, realistic phishing simulations is a great way to help prepare employees to face these real-world threats in a safe environment.
Hatter agrees and recommends companies implement these tests often:
“Institute unannounced phishing simulations on a regular cadence (at least monthly) to train staff on what to look for and how to react. This helps employees learn through experience, improving their response to actual phishing attempts and reinforcing previous learning as well as the importance of being aware and prepared.” — Dave Hatter
Phishing attack simulations can be done in-house or by hiring third-party vendors.
Phishing Awareness Tip #3: Make Reporting Phishing Easy
While regularly educating employees and testing their ability to apply the knowledge is important, building up these skills only solves part of your pain points. Employees also need a quick and easy way to report phishing concerns. Hojjati suggests establishing “clear reporting protocols so employees know how to escalate suspected phishing attempts quickly.”
However, employees need to feel confident that they can report such concerns without fear of reprisal if they admit that they fell for a phishing scam. Hatter has a suggestion for how to achieve this: “Deploy an easy-to-use system for employees to report suspected phishing attempts. Ensure that employees are encouraged to report suspected phishing and provide feedback and insights in a non-judgmental way.”
One approach is to provide a button in their email client that allows them to reliably report suspicious messages quickly and easily. For example, the reporting button available in Microsoft Outlook email clients (pictured below):
Related resource: How to Report a Phishing Email in Apple Mail, Gmail, and Microsoft Outlook
Another approach is to set up a specific email account to forward suspicious messages to (e.g., soc@yourcompany.com or phishing@yourcompany.com).
Phishing Awareness Tip #4: Use Digital Identity Verifications to Enhance Security
Duane describes multi-factor authentication as a way to add another layer of security to your employees’ accounts: “While not infallible, multi-factor authentication significantly reduces the risk of certain phishing attacks, particularly those aimed at stealing user credentials.”
Hojjati adds to this that using unique authentication factors helps add another layer of protection to accounts, even if the credentials have already been compromised.
Jeremy Caban, a DevOps Engineer at TheSSLstore.com and our former IT administrator, emphasizes the importance of businesses using digital identities to their advantage.
“Incorporating certificate-based digital identity into your emails goes a long way in strengthening your organization’s email security. However, you must also educate employees, so they know where to look for these digital identities and how to verify their authenticity.” — Jeremy Caban
So, what are some examples of these methods? We talk about ‘em frequently:
- Digitally signing your emails. Adding your cryptographic digital signature to outbound messages gives recipients a way to verify that your message is authentic and hasn’t been tampered with since it was sent.
- Displaying your company’s logo in the sender’s field of emails. Displaying your verified logo in the email sender field goes a long way in building trust. You can do this by implementing BIMI and installing a Mark Certificate on your email server. A Common Mark Certificate (CMC) displays your logo to Gmail users, and a Verified Mark Certificate (VMC) displays it in multiple email clients while giving the added bonus of a verified checkmark.
Phishing Awareness Tip #5: Teach Employees That Anti-Spoofing Tools Aren’t Foolproof
Duane calls out the importance of businesses using email security protocols like the sender policy framework (SPF), domainkeys identified mail (DKIM), and domain-based message authentication, reporting, and conformance (DMARC). However, he’s quick to mention that they’re not infallible.
“Every owner of the approximately 300 million custom domains in existence (e.g., amazon.com, thesslstore.com, shopify.com) is responsible for securing their domain against phishing by implementing anti-spoofing protocols like SPF, DKIM, and DMARC. Despite significant progress in recent years, full adoption of these protocols is still ongoing. All staff should understand that technical safeguards can fail.” — Jacob Duane
This is why employees must rely on their cyber awareness, gained through training and testing, intuition, and digital identities to verify the authenticity of any outreach or request as much as possible.
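The gap Duane describes between having SPF and DMARC records and actually being protected is easy to see when you look at what the records say. The following is an added example, not code from the article or from any of the experts quoted in it: it grades constructed SPF and DMARC records for weak settings (a `p=none` policy, a partial `pct`, a permissive `+all`, or too many DNS lookups, which makes SPF evaluate to permerror). A real check would first fetch the domain’s TXT records with a DNS library and then apply the same logic.

```python
# Added example, not from the original article or any expert quoted in it: judge
# whether published SPF and DMARC records actually enforce anything. Records passed
# in are constructed strings; a real check would fetch the domain's TXT records first.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs a DNS lookup

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list[str]:
    """Return the ways a DMARC record falls short of enforcement (empty list = enforcing)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none: subdomains stay unprotected although the parent domain enforces")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    return findings

def spf_findings(record: str) -> list[str]:
    """Return the ways an SPF record is weak or would fail to evaluate (empty list = sound)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"{last}: every sender passes, so SPF gives no protection")
    elif last == "~all":
        findings.append("~all: soft fail only; receivers may still deliver spoofed mail")
    elif last != "-all":
        findings.append("no terminal 'all': unmatched senders are treated as neutral")
    # RFC 7208 allows at most 10 lookup-causing terms; past that the record is a permerror.
    lookups = sum(1 for t in terms[1:] if t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower() in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms: over the limit of 10, record yields permerror")
    return findings
```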
Phishing Awareness Tips for Consumers
We’ve talked about ways that businesses and other organizations can beef up their cyber defenses by hardening their “human firewalls.” But this brings us to addressing phishing awareness in another key group: consumers.
Phishing Awareness Tip #1: Don’t Overlook the Obvious Signs of Phishing
While it’s true that phishing messages are becoming increasingly complex and believable, Caban emphasizes the importance of not overlooking the basic signs of phishing.
“Be on the lookout for anything out of the ordinary in the emails and texts you receive. For example, messages littered with typos, that contain incorrect contact information, or that have file attachments with unusual or gibberish names.” — Jeremy Caban
Phishing Awareness Tip #2: Be Skeptical and Verify Using Other Channels
Trust your gut if it says something’s “off” or not right.
According to Hatter, demonstrating healthy skepticism can go a long way in helping you avoid falling for social engineering and phishing tactics. It’s important to pause for a moment before acting.
“Slow down, take a breath and always verify the legitimacy of emails, texts or social media about deals, shipping notifications, or requests for personal information. In other words, verify out of band: don’t click the links or call the phone numbers provided; instead directly visit the official website, or use another known contact method before making a purchase, sharing sensitive information like credentials or downloading an app.” — Dave Hatter
Phishing Awareness Tip #3: Use Other Methods to Verify a Contact’s Identity
There may be times when you receive a text message or email from a friend or loved one that says something’s wrong or that they need your help. When this happens, your initial instinct may be to jump straight into action to help them. But that emotional response is precisely what cybercriminals are counting on, and this can get you in trouble.
According to Duane:
“If you get strange texts from loved ones asking for money transfers, take measures that reduce risk: ask them knowledge-based questions. If they message you from a new number, try calling their old one, or ask their friends and family to verify.” — Jacob Duane
Phishing Awareness Tip #4: Pay Attention to Urgency
If someone sends you an unexpected text or email that expresses a sense of panic or urgency, ask yourself why. Hatter described urgency as a major red flag for consumers:
“Scammers use social engineering to create a sense of urgency that demands immediate action. If an email or message requires immediate action, assume it’s a scam. Stop what you’re doing, think about it, and then verify the legitimacy before responding or clicking any links. An ounce of prevention is worth a pound of cure.” — Dave Hatter
The reason social engineers love to use urgency to their advantage is it gets people to act without thinking. This is why all of our experts agree that urgent messages should be treated immediately with suspicion and require stringent verification. Hojjati emphasizes the need to “verify links by hovering over them before clicking. Trust but verify!”
Phishing Awareness Tip #5: Beware Fake Parcel Delivery Notices
The holiday season is traditionally viewed as a time of giving and receiving gifts. This creates a perfect shipping scam opportunity for cybercriminals to exploit.
“People are sending more parcels around Christmas time. You might be more likely to open a phishing email about a parcel delivery, considering it to be either something you ordered, or something a distant family member may have sent to you.” — Jacob Duane
However, it’s important to remember that these shipping and parcel scams can happen any time of the year. Here’s an example of a fraudulent message pretending to represent the United States Postal Service (USPS). The SMS text contains a fake URL that starts with “usps.com” but then continues with other, unrelated domain information, which is a big red flag (see image).
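The “usps.com followed by something else” pattern in that text is mechanical enough to check automatically, which is useful when triaging messages employees report. The following is an added example, not code from the article or from any of the experts quoted in it: it extracts the registrable domain from a URL and flags any URL in which a known brand name appears in the hostname or path while the registrable domain belongs to someone else. The brand table and the sample URLs (which use the reserved `.invalid` TLD) are constructed stand-ins, and the two-label suffix list is a small placeholder for the Public Suffix List.

```python
# Added example (not from the original article): flag URLs whose hostname or path
# carries a trusted brand name while the registrable domain is something else, the
# pattern described in the fake USPS text above. Sample inputs are constructed
# and use the reserved .invalid TLD; the brand/domain table is an assumed stand-in.
import re
from urllib.parse import urlparse

# Public suffixes needing three labels; a real check would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
# Brand names and the registrable domains they legitimately send from (assumed table).
BRAND_DOMAINS = {"usps": {"usps.com"}, "fedex": {"fedex.com"}, "ups": {"ups.com"}}

def registrable_domain(hostname: str) -> str:
    """Return the registrable (eTLD+1) part of a hostname, e.g. 'example.co.uk'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def brand_mismatch(url: str) -> list[str]:
    """Return brand names that appear in the URL but do not own its registrable domain."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return []
    reg = registrable_domain(host)
    # Compare whole labels and path segments so that 'ups' does not match 'groups'.
    tokens = set(re.split(r"[^a-z0-9]+", host + parsed.path.lower()))
    return [brand for brand, legit in BRAND_DOMAINS.items() if brand in tokens and reg not in legit]
```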
Top Scams Observed in 2024
There are plenty of common phishing scams that everyone must be aware of nowadays to avoid falling victim to them:
- Seasonal or holiday-themed scams
- Phony shipping and delivery notifications
- Employment scams
- Fraudulent login scams
- Fake ads for gifts (which take users to phishing or malicious sites)
- Relationship / “pig butchering” scams
- QR code phishing scams
- Watering hole and typosquatting sites impersonating brands
- Freebie offers / too good to be true deals
What Makes People More Likely to Fall for Phishing Scams?
We asked the group of experts what they think are the biggest “blind spots” employees and/or consumers have when it comes to identifying/recognizing phishing scams and tactics. Here’s what they had to say:
- Technologies make phishing communications more believable. Generative AI is advancing rapidly and deepfake scams are increasingly sophisticated, making it harder to differentiate real emails, calls, and texts from fake ones. Spoofing tools help make phishers’ outreaches seem more genuine. AI-generated content often lacks the tell-tale indicators of phishing messages (e.g., poor grammar, missing punctuation, and nonsensical phrasing) and is easily personalized using stolen data.
- People are increasingly familiar with brands. According to Hatter: “People can be too trusting of communications that appear to come from well-known or familiar brands, not checking the details like email domains or URLs. And it’s trivially easy for bad actors to copy content from legitimate brands to use in spoofed emails, texts, or even entire websites. If it seems too good to be true, it most likely is. Stop, think, and verify out of band.”
- Users are more confident than they should be. Hojjati describes the Achilles heels of most users as “overconfidence in their ability to spot scams and the assumption that phishing only comes from external sources, ignoring potential compromises within trusted networks.”
Meet the Experts (Listed Alphabetically by Surname)
- Jeremy Caban, DevOps Engineer at TheSSLstore.com and the company’s former IT admin
- Jacob Duane, Chief Executive Officer (CEO) at Stellastra
- Dave Hatter, Cyber Security Consultant at Intrust IT
- Avesta Hojjati, Chief Technology Officer (CTO) at SecurityScorecard