2021.02.23
2026.06.29
How to Protect Yourself from Targeted Attack Emails? Explaining from the Importance of Information Security Education to Challenges and Key Solutions!

In recent years, damage caused by "targeted attack emails" has become particularly severe. Simply opening an attachment in a cleverly disguised email or clicking a link can lead to internal systems being hijacked or confidential information being stolen.
This is why "information security education" is crucial. By ensuring that each employee correctly understands the risks and acquires concrete countermeasures, it is possible to prevent damage from attacks in advance. This time, we will explain in detail the characteristics of targeted attack emails, the methods and challenges of information security education that companies should conduct, and even key points to keep in mind when implementing it.
Table of Contents
1. Various Information Security Risks Surrounding Companies
2. Increasing Damage from Targeted Attacks
3. Targeted Attack Techniques Are Becoming More Sophisticated! The Misconception That "Only Large Companies Are Targeted"
4. Targeted Attack Emails Cannot Be Blocked by Security Software! What Are the Concrete Measures?
5. Developing Individual Security Awareness Without Over-Reliance on Systems and Software
6. Methods of Information Security Education
7. Challenges of Information Security Education
8. Key Points When Conducting Information Security Education
9. Additional Items to Include in Information Security Education for Companies Implementing Telework
10. E-learning Materials Useful for Information Security Measures
11. Summary
1. Various information security risks surrounding companies
The starting point of information security measures is to understand what kind of "risks" exist. In the course of business, we consider how much risk there is of leaking confidential information.
Risks include "threats" and "vulnerabilities." A threat is a factor that causes a risk. There are human-made threats due to human actions and environmental threats such as disasters.
<Examples of Threats>
A vulnerability is a weakness that can be exploited by a threat. It refers to security gaps such as insufficient virus protection, software defects, or unlocked buildings.
The more vulnerabilities there are, the more likely malicious attackers will target them and steal confidential information.
2. Increasing Damage from Targeted Attacks
When it comes to malicious cyber attacks, in the past, they were mainly perpetrated by thrill-seekers targeting a large number of unspecified individuals. However, recently, attacks aimed at specific organizations or individuals for financial gain have become more prevalent.
These attacks targeting "specific organizations or individuals" are referred to as "targeted attacks."
Among targeted attacks, one of the most common is email-based attacks.
For example, an attacker targeting Company A's confidential information sends a disguised email to an employee of Company A that is "likely to be accidentally opened," infecting the employee's PC with a virus. From the infected PC, the virus spreads through the internal network, stealing confidential information on PCs and networks or destroying systems.
These attacks often continue for long periods, and it is not uncommon for information to be stolen without the victim realizing it.

According to the "Top 10 Information Security Threats" published annually by IPA (Information-technology Promotion Agency, Japan), targeted attacks have been ranked continuously for 11 years from 2016 to 2026. Until 2020, they held the number one spot in the "Threats to Organizations" ranking for five consecutive years. Furthermore, since there was no distinction between "organizations" and "individuals" before 2015, targeted attacks have been consistently listed since the investigation of threats to organizations began. This indicates that these attacks result in a very high number of incidents.
In November 2020, a major Japanese gaming company experienced an incident where personal information was leaked due to a targeted attack, and a ransom was demanded. It seems that the company was infected with ransomware (an attack that demands a ransom in exchange for stolen information), potentially leading to the leakage of approximately 350,000 pieces of personal information.
3. Targeted attack methods are becoming increasingly sophisticated! The belief that only large corporations are targeted is a misconception.
The methods of targeted attacks are indeed sophisticated. They meticulously research the companies they target, considering factors such as "what kind of subject line would make it easier to open the email" before launching their attacks. They may investigate employees' social media and sometimes even delve into internal relationships.
The email sender and attachments are disguised in such a way that they cannot be easily identified at first glance.
Some people think that targeted attacks "only target large corporations" or "have nothing to do with me," but that is a misconception. Regardless of company size, department, or position, anyone can be targeted. Attacks are also carried out against government agencies and organizations.
For example, attackers targeting Company A will set traps for anyone even slightly related, such as Company B, which is contracted by Company A, Company C, which is subcontracted, Company D, a business partner, and Company E, which manages servers. If even one person gets infected with a virus, they can spread the infection from there and ultimately reach Company A's confidential information.

4. Targeted attack emails cannot be blocked by security software! What are the concrete measures?

Among cyberattacks, the particularly sophisticated "targeted attack emails" are difficult to completely prevent even with general antivirus software. So, what preventive measures should companies take? Below, we introduce specific countermeasures.
〈Measure 1〉Do not open emails with unnatural subject lines or content in the first place (open only after verifying the sender)
Be cautious if the subject line seems unnatural or tries to create a sense of urgency. Make sure to respond carefully, such as by confirming with the sender directly.
In such cases, avoid inquiries via email; instead, verify by phone, face-to-face, or through the official website.
〈Measure 2〉Do not open attachments or click on URLs
Even files in familiar formats like Word or Excel may contain viruses. Avoid clicking carelessly, and as a rule, do not open anything that seems even slightly suspicious.
〈Measure 3〉Implement Education on Emails
Ensure thorough education through e-learning and regular training so that all employees understand "why this email is suspicious" and "how to respond appropriately."
〈Measure 4〉Establish a Reporting Flow to System Administrators
To prevent suspicious emails from being opened, it is important to have a reporting system in place upon discovery. By setting up a flow that immediately notifies system administrators, damage can be prevented in advance.
〈Measure 5〉Training with Targeted Attack Emails
Conducting training by actually sending “simulated attack emails” improves employees’ awareness and response capabilities. It is effective to implement this together with classroom learning.
〈Measure 6〉Application of Email Filters
By applying security filters, certain attacks such as spam emails can be automatically blocked. However, targeted attacks are designed to bypass email filters, so these filters serve only as the "first line of defense."
〈Measure.7〉Introduction of Sender Domain Authentication Technologies
To prevent "spoofing," it is also effective to implement sender domain authentication technologies such as SPF, DKIM, and DMARC.
For a detailed explanation about ransomware, please refer to the following article.
> What is Ransomware? Explanation of Attack Processes, Infection Routes, and Necessary Countermeasures!
5. Cultivate personal security awareness without overly relying on systems and software

The introduction of systems and software for information security measures, such as antivirus software, is of course necessary. However, information security measures are not something that can be guaranteed by simply installing a particular security software. Attackers’ methods are becoming increasingly sophisticated, and attacks that cannot be prevented by software are on the rise.
Abandon the idea of "always being protected and safe," and it is most important that each employee acquires correct knowledge of information security measures and carries out daily tasks with caution. Let’s cultivate individual security awareness through information security education.
6. Methods of Information Security Education
In information security education, simply conveying knowledge and rules is not sufficient for effectiveness. What is important is that each employee perceives it as a personal matter and integrates security awareness into their daily work. Here, we introduce specific educational methods and how to proceed with them.
【Main Educational Methods】
〈1〉E-learning
Since it can be taken on mobile devices such as PCs and smartphones, learning is possible regardless of location or time. The ability to retake courses and manage course history are also advantages.
〈2〉In-House Training
The strength lies in being able to cover content tailored to the company’s own rules and cases. Having the person in charge explain directly also promotes mutual understanding.
〈3〉External Seminars and Group Training
A valuable opportunity to learn about the latest security trends and expert perspectives. Gaining stimulation from an external viewpoint leads to increased awareness among learners.
〈4〉Video Materials
They efficiently convey key points in a short time and are visually easy to understand, which is their appeal. Learners can “see” and understand risk cases and violations of etiquette.
【Implementation Process】
〈STEP.1〉Clarify the Educational Content and Theme
Narrow down the theme according to the purpose, such as "Password Management," "What is a Targeted Attack," or "Risks of Information Leakage." Vague themes tend to be less effective.
〈STEP.2〉Select the Training Participants
The content and depth to be conveyed vary depending on the target learners, such as new employees, managers, or all staff. Designing materials tailored to the audience is key.
〈STEP.3〉Consider the frequency and timing of the training
Decide the timing of implementation according to increased risks and organizational changes, such as at the time of joining the company, during transfers, or annual training for all employees.
〈STEP.4〉Consider the Means to Conduct the Training
Choose the most suitable method such as e-learning, group training, or videos according to the number of participants and the nature of their work. Combining multiple methods can also be effective.
〈STEP.5〉Create and Arrange Teaching Materials
Once the structure and method of the teaching materials are decided, proceed with their creation or arrangement. If producing in-house, it is important to link the content to actual work and case studies to make it more concrete. Furthermore, by regularly reviewing and continuously improving the content, you can refine the materials to be more effective.
For more detailed explanations on key points for creating teaching materials, please refer to the following column.
> What is Information Security Education? Introducing Implementation Methods, Steps for Creating Teaching Materials, and How to Create e-Learning Materials!
7. Challenges of Information Security Education

Information security education is extremely important and has already been introduced in many companies. However, when actually implemented, there are quite a few voices saying, "Even if we take the training, we don’t see any effect," or "It has become just a formality." This chapter organizes five common challenges seen in information security education.
〈Issue.1〉Decline in Participant Motivation
If the content is monotonous, the lecture time is too long, or the presentation is mainly one-way, participants will struggle to maintain concentration. Additionally, when internal staff serve as instructors, it can be difficult to create an appropriate level of tension, resulting in training sessions that lack dynamism.
〈Issue.2〉Lack of Reality
Especially in training that is mainly lecture-based, it can be difficult to imagine the actual workplace, and the content may not be perceived as personally relevant. As a result, the risk of being unable to respond appropriately in critical situations increases.
〈Issue 3〉Latest Information Not Reflected
The field of information security is constantly changing, with new attack methods and countermeasures emerging one after another. Quickly responding to these changes and reflecting them in training materials tends to be a significant burden for companies that manage training in-house.
〈Issue.4〉Lack of Perceived Educational Effectiveness
If there are no opportunities for follow-up or review after training, knowledge related to information security may not be retained, and awareness of risks can diminish. As a result, the problem of not feeling the educational effect tends to occur.
<Issue.5> Training Becomes a Mere Form
If issues like those in 1 to 4 are left unaddressed, the training will degrade into a mere routine of "just doing it." Participants' interest will wane, and as they fail to grasp the purpose and significance of the training, their motivation to learn itself will be lost.
Common challenges and solutions are also explained in the column below, so please take a look together.
> Introducing common challenges and solutions in in-house information security education!
8. Key Points When Conducting Information Security Education
Although there are various challenges in information security education, its effectiveness can be greatly enhanced with some ingenuity. Here, we introduce five key points to keep in mind when conducting it.
<Point.1>Utilization of e-Learning
e-Learning, which allows learning regardless of time or place, is easy to take even during busy work hours and is convenient for progress management and review. Regularly updating the content and designing it to suit the learners increases its effectiveness.
<Point.2>Introducing Elements for Enjoyable Learning
Incorporating “fun” into the materials through quizzes, animations, and drama-style presentations deepens learners’ interest and understanding. The key is to devise ways to keep them engaged without getting bored.
<Point.3>Expansion of Training with Practical Experience
It is important to cultivate the ability to move from "acquiring knowledge" to "taking action" through simulated training of targeted attack emails and case studies. Experiencing such practical training leads to better judgment and adaptability in emergencies.
<Point.4>Customization to Fit Your Company
By tailoring the content not only to general principles but also to your company’s rules and operations, it prevents the perception of "this does not apply to me" and encourages learning with a sense of relevance.
<Point.5> Effect Measurement and Follow-up
Be mindful not only of reviews through tests and surveys but also of changes in behavior and incident occurrence status several months later. Continuous review and improvement lead to learning outcomes.
The key points for successful information security training through e-learning are also explained in the column below, so please take a look together.
9. Additional Items to Include in Information Security Training for Companies Implementing Telework

With the spread of telework, the scope of information security measures has expanded from "within the company" to "each individual's work environment." As more employees work in environments different from the office, it is necessary to update the training content accordingly.
Here, we organize the additional points that companies implementing telework should include in their information security training.
● Precautions for Information Taken Out from the Company
Special care is required for information physically taken outside the company, such as paper documents and USB memory sticks. Be sure to include rules on whether taking out is allowed and the reporting system in case of loss or theft in the training content.
●Security Measures for Devices Taken Outside
It is essential to set passwords and encryption on laptops and smartphones, and always keep the OS and security software up to date. Be sure not to forget configuring remote lock and remote wipe settings as well.
●Information Security Measures for Work PCs
There are risks associated with working on devices shared with family members or personal devices. It is important to strictly follow basic practices such as using a dedicated work PC, deleting unnecessary apps, and enforcing screen locks.
●Information Security Measures in the Workspace
In various external situations, there is a possibility that third parties may peek at your screen or overhear your conversations. Let's include physical anti-peeping measures and voice leakage prevention as part of the training.
● Information security measures for communication methods such as email, web conferences, and VPN
To prevent misdelivery and unauthorized access, thoroughly check email recipients, follow rules when connecting to VPNs, and enforce entry settings for web conferences (such as passwords and waiting rooms).
●Precautions When Using Wireless LAN and Cloud Services
There are cases where information leakage can occur due to the use of public Wi-Fi or misconfiguration of cloud storage. Using encrypted networks and managing access permissions for cloud services are important topics for education.
For information security measures in telework, please also refer to the following column where it is explained in detail.
> An Easy-to-Understand Explanation of Information Security Measures in Telework!
10. e-Learning Materials Useful for Information Security Measures
The e-Learning Manuscript Easy Arrangement Series "Basics of Information Security Measures in Companies <Case Studies>" provided by Human Science is a course that can be used for employee information security education as part of information security measures. It introduces three threats: "targeted attacks," "supply chain attacks," and "ransomware."
Furthermore, the "Information Security Basics Course - Targeted Attacks" explains typical attack methods and their countermeasures.
Since it is in PowerPoint format, you can freely edit it by adding your company's policies, case studies, or a message from the president.
In addition to these two courses, we offer various other options.
If you are struggling with information security measures, please consider this option.
e-Learning Manuscript Easy Arrangement Series
> "Basics of Information Security Measures in Companies <Case Studies>"
> "Basics of Information Security Measures in Companies"
> "Information Security Basics Course - Information Security for Computers and Smartphones"
> "Information Security Basics Course - Information Security for Telework and Remote Work"
> "Information Security Basics Course - Targeted Attacks"
> "Information Security Basics Course - Ransomware"
11. Summary
With the advancement of cyberattacks and the establishment of telework, the information security measures required of companies have become more multifaceted and practical than ever before. In this context, the approach to information security education must also be continuously updated.
Education is needed not only to input knowledge but also to enhance each employee's risk sensitivity and support them in making appropriate decisions and actions in their daily work. To achieve this, it is key to utilize efficient and effective learning methods such as e-learning and to conduct education continuously.
At Human Science, we leverage our expertise gained from solving over 3,000 customer challenges to support the development and implementation of e-learning materials tailored to the issues and work environments of companies. If you are considering revising your information security education or are struggling with effective operational methods, please feel free to contact us.
Related Information
Latest Blogs
- 2026.06.17
- How to Use PowerPoint × Vyond Effectively











