Cybercrime is an issue of digital safety
When we talk about safety we generally confine our conversations to the physical world. But as our lives become increasingly digital, bringing more and more workplaces online, new dangers are emerging. While cyberthreats might seem like intangible forces that only affect computer systems and are too abstract to have real-world consequences, the fact is that they all involve a human element. Identity fraud is one of these digital threats, and research shows that it is producing deadly consequences.
While identity fraud long predates the information era, its modern iteration is powered by phishing: a common scam in which a fraudster uses emails, text messages, phone calls and malicious websites to gain access to a victim’s personal and professional accounts. Once access is obtained, the scammer can assume the rightful account owner’s identity to conduct financial transactions, steal sensitive information and even phish other people from a trusted email address. The monetary cost of fraud is staggering on its own, but it’s the human toll that makes it a safety issue.
According to the Identity Theft Resource Center’s 2023 Annual Report, 16% of identity fraud victims have considered suicide—a 6% increase from the previous year. And that’s just counting the survivors. ITRC reports “an equally troubling increase in the number of incidents where victims have taken their own lives, followed by criminals attempting to take advantage of their grieving families.”
Viewed through this lens, it’s clear that the ever-present threat of identity fraud constitutes a psychological safety hazard with potentially fatal outcomes. It’s a 24/7 concern that can affect workers, their families and their friends. And because of the way it propagates through digital communications at home and at work, it can be extremely difficult to fight.
Weaponized human factors
Insurance companies have begun offering identity theft policies, but those only help after the fraud has taken place. There are digital security safeguards available to help protect against the cyberattacks that lead to identity fraud, but just like PPE, these are the last lines of defense. The best way to protect employees from being scammed is by equipping them with the tools to recognize phishing hazards when they encounter them.
But, looking at the healthcare industry—which, as a priority target for scam artists, has been the subject of much research in this area—we can see that’s easier said than done. Traditional education on cyber safety has a poor track record of actually working. A 2019 study on phishing program effectiveness in a US healthcare institution showed that “a mandatory training program for the highest-risk employees did not decrease click rates when compared with lower-risk employees.” In other words, even after specific anti-phishing training, workers still clicked on phishing email links.
Another study from 2020 investigated why the problem persists despite education, training and awareness. The culprit seems to be human factors. According to the report Why Employees (Still) Click on Phishing Links: Investigation in Hospitals, “In situations where high workload stops employees from paying attention to details of an email, whether intentionally or accidentally, the likelihood of opening a potentially dangerous email might increase.”
The findings make sense: human factors are a fraudster’s best friend. Digital communications are so commonplace that we have built up high levels of complacency, making it easier for scammers to exploit other human factors in order to trick us into clicking bad links or disclosing confidential information. They take advantage of tired employees who aren’t reading emails closely, and they generate a sense of panic to make users click before they think.
Reducing and eliminating digital hazards
The fraud stats are not hopeful. This is an issue facing every industry and the victimization numbers keep climbing. But your organization is far from powerless to curb the impact on your workers and their families. Here are a few things you can do to address the digital safety hazard of phishing.
Limit the use of phones at work
The first strategy is already commonly observed: don’t allow phones on worksites. In the same way that smartphones can cause distraction from physical work and lead to critical errors resulting in injury or death, work distracts users from their phones, making them more likely to open suspicious emails and click on links. By keeping smartphones off the floor, you are enhancing both physical and digital safety.
Respect the right to disconnect
In this era of smartphones, laptops and hybrid work models, it’s common for employees to access their work email account at home outside of normal work hours. If they are checking and responding to emails while rushing in the morning to get out the door, or multitasking with their family in the evening, they are more susceptible to fraud risks.
Share images of detected phishing emails
Help folks detect known scams by sharing screenshots of phishing emails your company has received. But be careful to only use pictures of the emails. Don’t forward the original suspicious email, as you may be putting coworkers in danger. If the recipient isn’t paying enough attention, they could fall for the scam you were warning them about.
Lead with a no-blame mindset
No one is immune to identity fraud, even the experts. There is an entire black-market industry dedicated to successfully phishing people at home and at work. And a big part of why identity fraud goes unreported is shame. People feel stupid for clicking on bad links or being manipulated on the phone or via text, so they don’t report the incident, allowing the damage to multiply. Blaming the victims of fraud has a chilling effect on incident reporting, and that’s exactly what scammers want.
Invest in human factors training
Educating your workforce to understand and manage their relationship to human factors like panic, distraction, fear and rushing will go a long way in ensuring they are in the right mindset to safely use their email. There is no silver bullet for fraud, but making sure workers’ eyes and minds are on task when they are using digital communication channels will help keep them safe from the dangers of phishing and identity fraud.
The transition into digital life can be onerous, but there’s no stopping the future. Everyone with an online presence faces cyberthreats, and that means your workers are at risk. By taking these steps and treating digital hazards as the legitimate safety concerns that they are, you can show personal commitment to your workers’ psychological safety and possibly even save a life.