Blog | 27 June, 2023

Don’t Take the Bait: How to Protect Information from Phishers

As our teams work remotely from different countries around the world, information security remains a top priority for the AMC Bridge IT department. Any hacker intervention can lead to security breaches and unauthorized access to confidential information, putting the company at risk of losing customer data, damaging its reputation, and incurring financial losses.

That’s why the company regularly conducts mandatory information security training courses for all employees. Additionally, the IT department periodically carries out phishing attack simulations to assess how well colleagues respond to such attempts.

Anticipating the upcoming course, we sat down with Vitalii Hrebenozhko, Systems Engineer at AMC Bridge, to discuss the worst-case scenario for the company if a colleague falls victim to a phishing attack, the best course of action to take if damage has already been done, and the evolving tactics of modern attackers.

We already know everything about phishing, don’t we?

The upcoming information security course will specifically focus on social engineering attacks, a prevalent and highly effective tactic that attackers employ. By gaining a deeper understanding of these techniques, employees can proactively safeguard themselves and protect the company’s sensitive information.

From my experience, colleagues generally exhibit good behavior when receiving phishing emails, including educational ones from the IT department. They demonstrate good practices, such as promptly ignoring or deleting suspicious emails or writing directly to someone in the IT department. The best action is to use the Report Phishing button in Outlook to mark the email as phishing.

What’s on the line?

Even the most cautious users can inadvertently click a suspicious URL in a phishing email. We must recognize the gravity of such a risk because the price of a single mistake can be exceedingly high. When a colleague unknowingly enters their work account data, the consequences can vary depending on the specific circumstances. In the worst-case scenario, it can result in a security breach and unauthorized access to sensitive information, putting the company in jeopardy of losing customers’ data, its reputation, and certainly money.

While the company invests in advanced antivirus software to protect all devices technically, users remain the weakest link. Phishing emails are the most common form of attack, and even though our anti-spam and anti-phishing filter blocks a significant portion of them, users still receive dangerous emails and must correctly identify and handle them to prevent potential data leaks.

It’s better to be safe than sorry

Phishing, smishing, and other malicious emails can be incredibly convincing due to sophisticated techniques like spoofing, social engineering, content replication, personalization, and meticulous attention to detail. However, the human factor is the primary reason social engineering attacks continue to succeed.

How often do we carefully examine the sender’s address when receiving an urgent task request from a customer or management? The urgency of the task and the perceived authority of the sender can make us overlook suspicious signs, such as an incorrect email address, and inadvertently click a phishing URL.

Furthermore, we encountered cases of receiving phishing SMS messages from individuals impersonating Michael Ludensky, AMC Bridge CEO.

If you have accidentally marked a legitimate email as phishing—don’t worry. It is better to mistakenly identify an email as phishing than to miss a truly hazardous one because you don’t want to bother the IT department team.

Failure to report incidents of mistakenly entering credentials can potentially compromise both the company’s information and the user’s account. To mitigate such risks, the IT department has implemented preventive security measures, including multi-factor authentication. However, these measures may not be sufficient in the case of stolen credentials. Therefore, promptly notifying the IT department of such incidents is vital to prevent data breaches.

Think before you click

The golden rule of protecting against phishing attacks is to think before you click. However, familiarizing yourself with different types of attacks is crucial to effectively differentiate between phishing and legitimate emails.

Identifying phishing emails before clicking links is essential because hackers can exploit vulnerabilities in the browser to execute malicious code. Vigilance and proactive measures are necessary to stay protected.

But we are all human beings and prone to making mistakes. In a previous job, I accidentally opened a phishing link. Fortunately, I promptly recognized an inconsistency in the link and took immediate action to prevent any potential data leaks—this is our main task today. We may never be able to recognize 100% of dangerous emails. But at least we should all know what to do when we make a mistake.
