Phishing attacks are a type of cyber-crime based on email fraud. A bad actor disguises themselves as someone trustworthy in the hope of tricking their victims into giving up sensitive data such as usernames, passwords and financial information. Phishing emails can target hundreds or even thousands of people at once, and they’re one of the most common and financially damaging online crimes that we see today. Spear phishing is an advanced form of phishing. The attacker targets a small number of individuals with highly personalized emails. Because of this personalization, the victim is less likely to spot the fact that the message is a hoax.
In today’s world, more teams are becoming digital. This means that now, more than ever, we’re extremely reliant on email communication. Phishing exploits this reliance, which makes it one of the most dangerous email threats that modern organizations are tackling. But how often, you might be asking yourself, does it actually happen? Well, according to Proofpoint’s most recent annual “State of the Phish” report, 88% of organizations around the world experienced spear phishing attempts in 2019. And with attackers taking advantage of times of uncertainty, attempted attack rates have spiked during the peaks of the Coronavirus pandemic. The FBI even issued an alert to warn the general public of the increased threat.
But this doesn’t mean that you should close down all of your email accounts immediately. One of the most useful forms of prevention is education; being aware of these kinds of attack will make you less likely to fall victim to them, so you’re already a step closer to having a secure inbox than you were when you started reading this article!
No single solution will protect your business completely from phishing attacks, so it’s important to implement multiple layers of defense. In this article, we’ll cover five steps that you can take to protect against phishing and secure your organization’s communications.
Step One: Create A Culture Of Security
Password security is something that we’re all aware of. Despite this, many of us slip into the habit of using the same memorable phrase for every account we own. There are two problems with this. Firstly, if the password relates directly to your interests, it’s easier for a bad actor to guess. Secondly, no matter how strong your passwords are, you shouldn’t use them for multiple accounts! If someone cracks the password to one account, all accounts with the same password are compromised. Teach your employees this, and instruct them to update their user account passwords regularly.
You should also enable multi-factor authentication. This prevents hackers from accessing accounts even if they’ve tricked the user into giving up their password. The “how” is pretty simple: each user has to provide two or more methods of verification to log in to their account. Usually, the user types in their password and receives an email or text with a code to verify the login. However, it could also involve using an authenticator app or even a fingerprint scan. Both of these add an additional layer of security. Authenticator apps regularly reset their authentication codes, and it’s much more difficult to steal someone’s biometric data than it is to guess the name of the street they grew up on!
Step Two: Turn Your Employees Into A Form Of Defense
There are a number of phishing awareness training solutions out there, and for good reason. These programs teach employees to spot obvious signs of phishing attacks and report them to their IT or security team. On top of this, they’re often customizable and highly interactive, so you can tailor them to your organization’s needs.
The most effective awareness training solutions are made up of engaging learner-centric materials, such as videos, quizzes, and real-world simulations. This gamified content allows users to experience different kinds of attacks first-hand, as well as practice what they’ve learned in a safe, realistic environment. Some solutions also offer admin reporting, which lets you see which of your employees have successfully completed the training.
Step Three: Drill Your Employees
It’s really important that you regularly test your employees to make sure that they’re alert to phishing attempts and will actually report any suspicious messages. To do this, send them simulated phishing emails. In the message, ask your employee to reset a password, transfer money, or even enter a competition to win something. The type of “attack” that you choose is highly customizable so you can simulate attacks unique to your organization. Users should report the email, but if they click on the link instead, it’ll direct them to a landing page. This page tells the employee they’ve made an error and shows them how they should have responded.
The best phishing simulation solutions include admin reporting so that you can see who is falling for which simulated emails. This means that you can direct employees towards specific training material and tailor future simulations to re-test them. They also include a “report phish” button in the user’s inbox, so that they can quickly flag an email without having to open it.
Step Four: Protect The Whole Organization
Secure Email Gateways (SEGs) are software used to monitor and, as the name suggests, secure an organization’s inbound and outbound emails. They do this by scanning emails for phishing, scam and malware threats. They then block or quarantine malicious content so that it doesn’t reach the user. SEGs are very effective at defending a network from the outside, but they don’t protect against internal threats that have already breached a user’s inbox.
Think of it this way: your network is your castle. The SEG is your high stone wall, preventing external threats from getting through to the people tucked safely inside. But the wall can’t protect your people from threats that are already inside the castle, like the new chef who’s currently putting a drop of poison in tonight’s soup. Sophisticated spear phishing attacks are able to breach SEGs more effectively because of the way the attackers impersonate trustworthy senders, such as a key stakeholder (or a top-notch chef).
To defend your castle against internal threats, you need to add another layer of protection to secure user accounts individually. This brings us onto the final step…
Step Five: Add Layers To Protect Individual Accounts
Post-Delivery Protection solutions sit within the email network itself; they’re soldiers patrolling inside your castle walls. They detect and remove malicious content that has slipped through an SEG into the user’s inbox. These solutions use artificial intelligence (AI) and machine learning to analyze your organization’s communication patterns. They then scan all inbound, outbound and internal messages for anomalies. Because the process is fully automated, it saves your IT department valuable time and resources.
The key point here is that Post-Delivery Protection solutions understand how we communicate. Your castle wall let the chef through because they were pretending to be someone else. Your soldiers know how the real chef speaks and acts, and will quickly realize that this phishy figure is an imposter.
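The following is an added illustration, not code from the article or from any Post-Delivery Protection product it describes, of the kind of “does this message match how we normally communicate?” checks that Steps Four and Five talk about. Real products use machine learning over far richer signals; this deliberately small, rule-based version learns which addresses each display name normally comes from, then flags three classic impersonation tells: a familiar name arriving from an unfamiliar address, a sender domain that is a near-miss of the organization’s own, and a Reply-To that quietly redirects answers elsewhere. The domain `example.com`, the message history and the sample messages are all constructed for the example.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed organization domain for the example

# Constructed history of From headers seen on legitimate mail; a real system would
# build this baseline from the organization's mailbox traffic.
HISTORY = [
    "Dana Kim <dana.kim@example.com>",
    "Dana Kim <dana.kim@example.com>",
    "Finance Team <finance@example.com>",
    "Lee Ortiz <lee.ortiz@partner.example.org>",
]


def build_baseline(history):
    """Map each known display name (lower-cased) to the addresses it normally uses."""
    baseline = defaultdict(set)
    for header in history:
        name, addr = parseaddr(header)
        if name and addr:
            baseline[name.strip().lower()].add(addr.lower())
    return baseline


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message: str, baseline, internal_domain: str = INTERNAL_DOMAIN):
    """Return a list of anomaly findings for one RFC 822 message (empty = looks normal)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, key = addr.lower(), name.strip().lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    findings = []
    if key in baseline and addr not in baseline[key]:
        findings.append("known display name from unfamiliar address")
    if domain and domain != internal_domain and edit_distance(domain, internal_domain) <= 2:
        findings.append(f"lookalike domain: {domain}")
    if reply_to and reply_to.lower() != addr:
        findings.append("reply-to differs from sender")
    return findings


# Constructed sample messages.
SUSPICIOUS = """From: Dana Kim <dana.kim@examp1e.com>
Reply-To: dana.kim@mail.example.net
Subject: Quick request

Can you handle something for me today?
"""

LEGITIMATE = """From: Dana Kim <dana.kim@example.com>
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print("suspicious:", analyze(SUSPICIOUS, base))
    print("legitimate:", analyze(LEGITIMATE, base))
```

Notice that none of these checks look at the message body: impersonation is caught from metadata and the organization’s own history, which is exactly the signal a gateway that only inspects content for malware or known-bad links does not have.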
As cybercriminals become better at breaching systems, we must become better at defending them. A combination of human-centric and technological solutions is the only way to truly protect against phishing threats. This might seem a little complex to deploy, but there are many anti-phishing security vendors that can offer the support you need, often with multiple layers of protection included in one easy-to-manage package.
If you’d like some advice on which solutions will work best for your organization, take a look at our guides to the Top 10 Phishing Protection Solutions and the Top 10 Phishing Awareness Training and Simulation Solutions.