'tis the season...to watch out for malicious code and social engineering in enterprise emails. Actually, it is always the season to watch out for that. To underscore the point, the nation's cyber watchdog (CISA) has released an infographic that it "recommends stakeholders use...to help educate their workforce on how to spot and avoid phishing attacks."
Note especially the data in Item 3 in the attached: large volumes of malicious emails are not blocked by endpoint or network border protection. Once those emails get in, employees are overwhelmingly likely to interact with them, and underwhelmingly likely to report their interaction.
Why It Matters
Most organizations still think about complex, high-tech hacks by shadowy actors when they consider cyber threats to their enterprise. But the fact is that for most small and medium businesses, email is the main threat vector: it's how the bad guys get into, or get information out of, your network. Raising awareness of red flags within your workforce, blocking as many phishing emails as you can, and putting in place simple policies such as requiring a confirming phone call before acting on ANY emailed payment instructions, can save quite a lot of heartache, expense, and legal exposure.