The biggest problem is the fact that many employees today still do not understand what a phishing attack looks like, or how to properly handle one they do identify. Accordingly, successful corporate cybersecurity programs must include targeted training for employees.
Fortunately, a wide variety of anti-phishing strategies are available to help organizations and their employees protect against phishing attacks. That’s what we’re going to discuss today.
Phishing is getting more sophisticated
Industry sources attribute as many as 93% of cyber attacks to various types of phishing.
Phishing has been a popular hacker tool for nearly thirty years, and hackers have continually improved their phishing methods while also skillfully avoiding detection.
The vast majority of phishing attacks still rely on email, but increasingly phishing occurs via telephone (vishing), text messages (smishing) and social media. Regardless of the medium, phishing attacks all share common features: namely, they attempt to cause a user to engage with harmful content, such as a malicious link or attachment.
A new trend of some concern is that teaching others to phish has now become a lucrative business. Phishing kits, which provide a would-be hacker with the tools needed to launch attacks, have become widely available and have increased the number of both attackers and attacks. Hackers are also now using artificial intelligence and machine learning to refine their methods, allowing them to tailor attacks more closely to an individual and increasing their chances of success.
One thing is certain: hackers will use every tool available to them. To prevail, organizations must do the same.
Train employees to recognize phishing attacks
What are some of the key indicators that your organization is the subject of a phishing attack? This is a question that every employee should be able to easily answer.
Among some of the most common indicators of phishing are:
- Impersonal greetings in emails (e.g. “Dear customer”)
- Masked or spoofed email addresses
- Compressed (zipped) email attachments
- Noticeable errors in spelling or grammar
- Unusual or gaudy formatting
- Threats of actions such as collection
While none of these factors alone indicates a phishing attack, employees should view such emails with a higher degree of care. For example, employees can be trained to check the sender’s actual email address rather than simply what they see at first glance.
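The checks above can be automated on the mail itself. The following is an added example, not code from the article: it parses a constructed message with Python's standard email library and reports which of the listed indicators are present, comparing the address shown in the display name with the real sender address (the "actual email address" check), the Reply-To domain, compressed attachments, impersonal greetings and threatening language. All addresses and domains in the sample are made up.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email) that shows several indicators at once.
SAMPLE_EMAIL = """\
From: "accounts@bank.example" <billing@bank-example-secure.test>
Reply-To: collections@other-domain.test
Subject: FINAL NOTICE - account sent to collection
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Dear customer,
Your account is overdue. Open the attached invoice immediately or legal action will be taken.
--XX
Content-Type: application/zip; name="invoice.zip"

--XX--
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
THREAT_PHRASES = ("collection", "legal action", "will be suspended")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw_message):
    msg = message_from_string(raw_message)
    found = []
    display_name, actual = parseaddr(msg.get("From", ""))
    # The display name is what a reader sees first; flag it when it looks like an address from another domain.
    if "@" in display_name and domain_of(display_name) != domain_of(actual):
        found.append("display-name address differs from real sender")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(actual):
        found.append("reply-to domain differs from sender domain")
    body = ""
    for part in msg.walk():  # visits the container first, then each MIME part
        name = part.get_filename()
        if name and name.lower().endswith((".zip", ".rar", ".7z")):
            found.append("compressed attachment: " + name)
        if part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    lowered = body.lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        found.append("impersonal greeting")
    if any(t in lowered for t in THREAT_PHRASES):
        found.append("threatening language")
    return found
```

As the article notes, none of these signals alone proves phishing; the returned list is meant to raise the level of care a reader (or a filter) applies, not to make the decision by itself.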
Successful training need be neither costly nor overly time-consuming, and the benefits of effective training will far outweigh its costs.
Keeping phishing attacks from reaching your employees
The list of available tools for stopping phishing attacks is extensive. At a minimum, prudent organizations will consider the following:
Continuously update your software
Always ensure that the code for any applications or software your employees use is continuously updated using continuous integration and delivery (CI/CD) practices. As discussed in detail by Cloud Defense, this includes implementing automated security tools, adjusting code configuration, and fixing bugs that hackers can exploit.
CI/CD has long been implemented not only to address business requirements, but also to roll out new security features and guard against phishing schemes, malware, and DDoS attacks.
Employ spam filters
Email is still the primary vehicle for phishing attacks, so one of the first lines of defense is to prevent harmful emails from reaching end users. Spam filters scan email for indications of unreliability to minimize the amount of problematic email that reaches an end user, but they are often ineffective because they are poorly implemented.
Worse yet, when employees can reach into the filtered mail themselves, they can still click on dangerous links or open suspect attachments. To avoid this, companies often use multiple layers of filters or supplement existing spam filters with additional filtering software. A well-implemented spam filter is a good first-line defense against phishing.
Authenticate email senders
Many phishing attacks are successful because they appear to come from known sources as a result of email spoofing. A cybersecurity strategy that includes implementation of the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol can limit the ability of hackers to spoof email addresses.
Essentially, a DMARC record tells a receiving mail server that the sender's domain is protected and asks it to authenticate the message using the underlying authentication protocols. If the authentication process fails, the email is rejected.
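To make the rejection decision concrete, here is an added example (not code from the article) of a simplified DMARC evaluator: it parses a published record, checks whether a passing SPF or DKIM result is aligned with the visible From: domain, and otherwise returns the action the domain owner published in the p= tag. The record and domains (bank.example, other.test) are constructed, and the organizational-domain logic is a deliberate simplification.

```python
# Constructed DMARC record for a hypothetical domain; bank.example is not a real domain.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@bank.example; adkim=s; aspf=r"

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplification: the last two labels stand in for the organizational domain.
    # A real evaluator consults the Public Suffix List (think of example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' if SPF or DKIM passed *and* aligns with the From: domain,
    otherwise the action the domain owner published in the p= tag."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]

if __name__ == "__main__":
    # A spoofed message: SPF passed, but only for the attacker's own envelope domain.
    print(dmarc_disposition(RECORD, "bank.example", True, "mailer.other.test", False, ""))
    # A legitimate message sent through the bank's own relay.
    print(dmarc_disposition(RECORD, "bank.example", True, "mail.bank.example", False, ""))
```

Note that the published policy decides what happens on failure: p=none only asks for reports, and only p=quarantine or p=reject causes mail to be held or refused.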
Use phishing filters for internet activity
Users can also unwittingly trigger attacks by opening links that allow malicious software to infiltrate their systems. Internet phishing filters prevent attacks by analyzing links for indications of unreliability or checking links against site blacklists to prevent users from accessing malicious sites.
Run phishing simulations
Simulating phishing attacks can be effective to both identify vulnerabilities and train employees to recognize potential threats. In a phishing simulation, employees are sent emails designed to check their tendency to click on harmful links or open questionable attachments. The emails and the results of the simulations can then be used to design training programs for employees.
But be careful! Poor simulation design can negatively impact employee morale – just as happened when one company offered fake holiday bonuses for clicking on an email link.
Use virtual private networks
While a virtual private network (VPN) will not help eliminate phishing emails, it provides a desirable added layer of security, especially for remote workers. By encrypting data and routing traffic through protected private servers, VPNs help prevent hackers from accessing the connection between remote workers and sensitive corporate systems and data.
Not all VPNs are created equal, however. According to Toronto-based cybersecurity analyst Ludovic Rembert of Privacy Canada, some VPNs will actively work to collect and then sell your data to third parties.
As Rembert explains in his analysis of inexpensive VPNs available on the market, “Be very careful when choosing your VPN. There are lots who are working with Chinese-owned companies, in order to sell off your data. Others install malware, in order to actually steal your private information.”
The good news is that there are a wide array of effective and yet inexpensive VPN solutions available in the marketplace that are highly reputable. Requiring all remote employees to utilize a VPN service when accessing company data or using a public network is a good idea, so long as you are strategic about the specific VPN that you use.
Secure your domain names
Remote employees also create substantial opportunities for hackers to infiltrate company websites and hijack or misuse company domains. A hacker who is able to change the owner of a domain can cause substantial damage. An effective cybersecurity program will therefore also include protections against domain name hijacking.
Keep up to date with prevention efforts
Some of the most promising developments in the identification and prevention of phishing attacks come from the use of artificial intelligence (AI) and machine learning. Many spam and phishing filters now use AI to train malware identification algorithms. Any effective cybersecurity strategy will evolve as the available technology advances.
These are only a few of the available methods in the fight against phishing. A prudent organization will select the methods (among these or others) that are most well-adapted to their particular systems and structures.
While phishing remains a significant security threat to organizations today, there is much that can be done to minimize the risk of an attack. Successful phishing prevention requires implementing a comprehensive, multi-faceted cybersecurity program that includes frequent auditing and testing.
Substantial employee engagement and training will further enhance an organization’s efforts to thwart cyber attacks. With diligence and focus (and a little help from cybersecurity experts), your organization can ensure that a hacker can phish all day long without catching anything.
About the Author:
Samuel Bocetta is a former security analyst for the DoD, having spent 30-plus years bolstering cyber defenses for the Navy. He is now semi-retired and educates the public about security and privacy technology. Much of his work involved penetration testing Navy ballistic systems. He analyzed networks looking for entry points, then created security-vulnerability assessments based on findings. He also helped plan, manage and execute sophisticated “ethical” hacking exercises to identify vulnerabilities and reduce the risk posture of enterprise systems.