Phishing attacks are one of the most prevalent and damaging cyberattacks facing businesses and individuals today. Phishing is a type of social engineering attack in which a criminal will attempt to trick unsuspecting users into disclosing sensitive information (such as banking details or a password), or performing an action (such as downloading a malicious file or making a fraudulent payment).
Phishing has a big impact. An alarming 75% of organizations around the world experienced a phishing attack last year—and 74% of phishing attacks affecting US businesses were successful. Phishing can come in many forms, but attacks are most commonly delivered via email. Phishing emails typically impersonate trusted contacts (such as established brands or your work colleagues), while phishing websites often impersonate login portals, which entice users into entering their passwords, inadvertently revealing them to a cybercriminal lurking behind the scenes.
Phishing is extremely difficult for security teams to deal with due to how these attacks exploit human error, rather than weaknesses in technical defences, like firewalls. While the risk of phishing can never be eliminated, there are a number of steps you can take to reduce your risk of experiencing an attack. Throughout this article, we’ll take you through our top 10 tips to protect against phishing attacks.
The first half of this list will cover actions you can proactively take to protect against phishing; the latter half will cover technical solutions you can implement to protect your users against phishing and other email threats. Let’s jump into the list.
Turn On Multi-Factor Authentication
The very first thing you should do to limit your risk of phishing attacks is to turn on multi-factor authentication (MFA) or two-factor authentication (2FA), especially for email accounts. Multi-factor authentication can be easily implemented with Office 365, Exchange and Google Workspace. MFA vastly improves account security, stopping criminals from gaining access to accounts even if they have discovered one of your users’ passwords via a successful phishing attack.
MFA requires that users use a second method of authentication alongside their password, such as a security code sent via text or an authenticator app, or a biometric scan using their device’s built-in biometric technologies—such as facial recognition or fingerprint scanners. Some businesses may wish to implement smart cards for users to authenticate, which further limits the risk of phishing. MFA is critical for sensitive admin accounts—and businesses who don’t implement this security measure can face fines in some industries.
Admins can implement MFA on a per-application basis, but there are a number of MFA providers who allow admins to centralize management of MFA across corporate applications. You can read our guide to the top 10 MFA solutions here.
Mandate Strong Passwords, With Regular Updates
Strong passwords are essential to protecting your business against phishing. Weak passwords like “123456” take less than one second to crack—when you use weak passwords, particularly for email accounts, you’re only making life easier for cybercriminals.
We recently spoke with a company who had multiple email accounts compromised, allowing phishers to remotely access email servers and send out hundreds of phishing emails to their contacts. This kind of breach is highly damaging to brand reputation, and can also lead to serious financial loss—both from the criminals themselves, and from compliance regulators who are coming down hard on companies who fail to have proper password policies in place.
We recommend mandating the use of strong passwords across your organization. This can be done by implementing a strong password policy, enforced through a business password management solution. We also recommend that you ensure passwords are regularly updated across your organization, with a rotation once a quarter for example. This will ensure that, even if passwords are compromised, they will only be in use for limited periods of time—limiting the damage a criminal can do to your systems. Password managers or single sign-on solutions can help here, as they allow you to centrally manage password use without the end user needing to manually update existing passwords.
Encrypt POP3 and IMAP Authentications
The POP3 and IMAP protocols (email protocols that manage and retrieve email messages from mail servers) were not initially designed with the risk of phishing attacks in mind. As a result, when POP3 and IMAP are used without encryption, sensitive data such as passwords crosses the network in the clear and is exposed to attackers who can observe the connection.
We recommend implementing SSL/TLS encryption to secure authentication. This will prevent attacks where cyber-criminals access your email servers via IMAP connections and send out phishing or spam emails from your domains.
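As an added illustration of the rule above (this is example code, not from the article), the following Python client refuses to send a mailbox password unless the channel is already TLS (port 993) or the server advertises a TLS upgrade; the capability tokens it checks (STARTTLS for IMAP, STLS for POP3, LOGINDISABLED) are the standard RFC 2595 ones, and the hostnames and sample capability strings are assumed.

```python
import imaplib
import ssl


def parse_capabilities(capability_line: bytes) -> set:
    """Turn b'IMAP4rev1 STARTTLS LOGINDISABLED' into {'IMAP4REV1', 'STARTTLS', 'LOGINDISABLED'}."""
    return {token.decode().upper() for token in capability_line.split()}


def auth_decision(caps: set, already_tls: bool) -> str:
    """Return 'login', 'starttls' or 'refuse' for the given server capabilities.

    A connection that is already TLS (IMAPS 993 / POP3S 995) may send credentials.
    A plaintext connection may proceed only after upgrading: IMAP advertises
    STARTTLS, POP3 advertises STLS in its CAPA response (both RFC 2595).
    Anything else is refused, because the password would cross the wire in clear;
    a server that also advertises LOGINDISABLED is refusing plaintext login itself.
    """
    if already_tls:
        return "login"
    if "STARTTLS" in caps or "STLS" in caps:
        return "starttls"
    return "refuse"


def imap_login_encrypted(host: str, user: str, password: str, port: int = 143) -> imaplib.IMAP4:
    """Open an IMAP session and authenticate only once the channel is encrypted."""
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    if port == 993:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        decision = auth_decision(set(conn.capabilities), already_tls=True)
    else:
        conn = imaplib.IMAP4(host, port)
        decision = auth_decision(set(conn.capabilities), already_tls=False)
        if decision == "starttls":
            conn.starttls(ssl_context=ctx)  # session is encrypted from here on
    if decision == "refuse":
        conn.logout()
        raise RuntimeError(f"{host}:{port} offers no TLS upgrade; credentials not sent")
    conn.login(user, password)  # only reached on an encrypted channel
    return conn
```

The same decision logic applies to POP3 with `poplib.POP3.stls()`; the point is that the client, not just the server, should refuse plaintext authentication.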
Install EvlWatcher for Windows
Another way that organizations can protect themselves against phishing attacks that start with a compromised Remote Desktop (RDP) connection is by implementing EvlWatcher. EvlWatcher is a free tool which protects RDP servers from brute force cyberattacks, in which cybercriminals attempt to take over your servers and start spamming your clients and contacts with phishing emails. It provides a preconfigured set of rules which can be fully customized so you can automatically block repeated attempts to log in to your remote connections.
EvlWatcher installs a service that scans for unsuccessful login events. If a user attempts to log in using an incorrect password more than five times in a set period of time (a strong indicator of suspicious activity), it will ban that user for two hours, or permanently ban them if repeated attempts are detected. This is easy and quick to deploy, and will save a lot of time in protecting remote connections against cybercriminals looking for a quick way to send out phishing campaigns.
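To make the rule concrete, here is an added Python example (not EvlWatcher’s own code) that applies the same policy to a stream of failed-logon events: more than five failures from one source inside a window earns a two-hour ban, and a source that earns a second ban is banned permanently. The event lines are constructed, the five-minute window is an assumption, and bans are keyed by source IP rather than by account.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625              # Windows Security event id for a failed logon
WINDOW = timedelta(minutes=5)    # assumed "set period of time"
MAX_FAILURES = 5                 # more than five failures in WINDOW => ban
TEMP_BAN = timedelta(hours=2)


def burst(start, ip, n, account="admin", event=FAILED_LOGON):
    """Constructed log lines 'timestamp|event_id|account|source_ip', 5 s apart."""
    return [f"{(start + timedelta(seconds=5 * i)).isoformat()}|{event}|{account}|{ip}" for i in range(n)]


T0 = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE_LOG = (burst(T0, "203.0.113.7", 6)                                             # first burst: temporary ban
              + burst(T0 + timedelta(minutes=1), "198.51.100.4", 1, "alice", 4624)    # a normal successful logon
              + burst(T0 + timedelta(minutes=2), "198.51.100.4", 3, "bob")            # a few typos: no ban
              + burst(T0 + timedelta(hours=2, minutes=1), "203.0.113.7", 6))          # after expiry: permanent ban


class BruteForceGuard:
    def __init__(self):
        self.recent = defaultdict(deque)  # source_ip -> failure timestamps inside WINDOW
        self.bans = {}                    # source_ip -> expiry datetime, or None for permanent
        self.strikes = defaultdict(int)   # number of bans each source has earned

    def is_banned(self, ip, now):
        if ip not in self.bans:
            return False
        expiry = self.bans[ip]
        if expiry is None or now < expiry:
            return True
        del self.bans[ip]                 # temporary ban has lapsed; failures count again
        return False

    def record(self, line):
        ts, event_id, _account, ip = line.split("|")
        now = datetime.fromisoformat(ts)
        if int(event_id) != FAILED_LOGON or self.is_banned(ip, now):
            return                        # successes and already-banned sources are ignored
        window = self.recent[ip]
        window.append(now)
        while now - window[0] > WINDOW:   # drop failures older than the window
            window.popleft()
        if len(window) > MAX_FAILURES:
            self.strikes[ip] += 1
            self.bans[ip] = None if self.strikes[ip] > 1 else now + TEMP_BAN
            window.clear()


def run(lines):
    """Feed every event through the guard and return it for inspection."""
    guard = BruteForceGuard()
    for line in lines:
        guard.record(line)
    return guard
```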
Keep Up to Date With News On Phishing Campaigns
If you’re managing cybersecurity for an organization, one of the most important things you can do is keep up to date with the latest news and trends on phishing campaigns. There are a range of great cybersecurity news, analyses, and research websites on the web (including Expert Insights) that can help you keep on top of the latest trends and methods that cybercriminals are using to execute phishing attacks.
It’s not only important that you know what phishing attacks look like, but that your users know what to look out for, too. It’s also important to know when major phishing campaigns have been detected, such as the huge spike in phishing that has been reported around coronavirus vaccinations. This allows you to give clear advice to your users about what the risks of phishing are, and what to look out for.
As an example, a recent trend in phishing has been for cybercriminals to impersonate document sharing platforms such as “WeTransfer”, encouraging users to open malicious files that have been shared with them. These files often contain malware, such as ransomware. Only by being aware of this method of attack can you advise your users which emails to look out for, or set up rules to prevent their delivery into your email environment.
Deploy Strong Email Security
Moving on to paid tools that you can implement to protect your organization against phishing, our number one recommendation is strong email security. All modern email security solutions are heavily focused on the threat of phishing attacks, but there are various types of email security solutions for you to consider.
Secure Email Gateways (SEGs) protect inboxes against phishing attacks by filtering inbound and outbound emails for signs of malware, suspicious content, or indicators of compromise, and automatically blocking them from being sent or delivered. Post-Delivery Protection (PDP) solutions fulfil some of these same functions, but the key difference is that they also provide internal email scanning powered by machine learning, placing warning banners on suspicious email content, and allowing end-users to report email messages to admins. You can read our guide to the top email security solutions here.
Email security solutions provide a number of benefits. They block most phishing attacks immediately, before they can be delivered to user inboxes. They also scan internal message content, so any links within phishing emails will be opened in a sandbox environment, allowing a user to read the email without being affected by malware or harmful content. They also provide strong reporting capabilities, so you can monitor the threats that your organization is facing. We highly recommend implementing a multi-layered email security solution that provides strong email filtering and powerful controls inside the email inbox.
Run Phishing Simulation Campaigns
Phishing simulations can be a valuable way to train users to recognize what a phishing attack looks like, so they can successfully identify attacks and understand how to protect against them. Phishing simulation providers essentially allow you to create a series of mock phishing emails that are sent out to your employees. These should be highly customizable and realistic, to ensure a genuine reaction from users.
The purpose of this activity is twofold. Firstly, it allows users to see what phishing attacks look like. If they click on the link within a simulated phishing email, they should be able to access more training, to protect themselves from real attacks in future. Secondly, it allows admins to see who in the organization is falling for the simulations and which types of attacks users are most commonly susceptible to, giving them the opportunity to deliver more training or implement stronger email security controls.
The overall benefit of phishing simulations should not be to trick unsuspecting users, but rather to foster a more engaged, better-informed workplace, that’s aware and alert to the dangers of phishing attacks. You can read our guide to the top phishing simulation providers here. Phishing simulation is also commonly tied into broader security awareness training, which brings us on to our next point.
Provide Security Awareness Training
Security awareness training is an important way to teach users about the dangers of phishing attacks, as well as other cybersecurity risks. There are a number of ways security awareness training can be delivered: weekly videos, online quizzes, in-person training, even VR! But the important point is that users get regular training on what phishing attacks look like, and how they can protect themselves across both work accounts and personal accounts.
We recommend implementing a cloud-based security awareness training platform, which provides regular training content, granular reporting, and integrated phishing simulations. These platforms are proven to help reduce the risk of phishing attacks, and can be an important way for organizations to demonstrate legal compliance in highly regulated industries.
It’s important that organizations look for a solution with engaging, memorable awareness training content, rather than an unengaging, check-box activity that’s unlikely to have any real impact on phishing resilience. You can read our guide to the top security awareness training solutions here.
Implement Web Filtering
Although phishing attacks are commonly delivered via email, there are millions of phishing webpages online that exist purely to trick users into giving up passwords or making fraudulent payments. In fact, Google registered a staggering two million phishing websites in 2020, with 46,000 new websites popping up every single week.
Phishing websites often look highly realistic and are designed to trick users into thinking they are logging into a service such as their bank account or email client. But by doing so, that user will actually be passing their confidential login information directly into the hands of a cybercriminal. This puts business accounts at risk, but can also cause devastating financial losses for individuals if they input their banking information.
Strong web filtering is an important way to prevent users from being able to access phishing websites. While browsers do try and block phishing domains from being accessed, the sheer number of new sites popping up means an extra layer of protection can go a long way. Website filtering can work in a few ways: DNS filtering protects against phishing domains, while URL filtering can prevent individual phishing pages from being accessed. This is particularly useful for blocking known malicious pages that are being hosted on non-malicious domains.
We’ve put together a guide to the top DNS filtering and top web security solutions to help you find the right web protection to suit your business’ needs.
Deploy Strong Endpoint Security
Our final recommendation is to implement strong endpoint security or antivirus protection across your organization. While this won’t necessarily protect against phishing attacks, it can help to mitigate the effects of phishing. For example, if a user clicks on an attachment in a phishing email and downloads a file containing ransomware, a strong endpoint security solution will prevent the malware from affecting the device, or possibly prevent the download in the first place.
Endpoint security solutions sit on each user’s device and prevent the execution of malicious software. They provide greater controls for admins, who can control installed applications and ensure devices are kept up-to-date with security patches—another important step in protecting against phishing and other forms of endpoint attack.
Which type of endpoint protection you need will depend heavily on the size of your organization. For smaller businesses, we’d recommend implementing antivirus solutions that can provide strong protection for individual devices against cyberattack. For larger organizations, we’d recommend implementing more comprehensive endpoint protection solutions, which provide greater admin controls, centralized management, and more granular threat protection policies that cover the entire network.
Summary
Protecting against phishing needs to be a top priority for IT teams in businesses of all sizes, across all industries. Following these steps is critical for protecting your users, ensuring the reputation of your brand and ensuring compliance with legal regulations.
Expert Insights has put together a number of Buyers’ Guides to help businesses find the right solutions to protect against phishing attacks; please see these below.
You can read our guide to the top solutions to protect against phishing attacks here.