Phishing scams have been around practically since the beginning of the Internet. Phishing is the most common cyber-attack you and your organization are likely to encounter. Hugely profitable, thousands of people fall victim to them yearly, and they will not go away soon.
Phishing, using email, mobile (phone calls/vishing, and text messages /smishing), social channels, the web, or your computer, is the sending of communications designed to get you or your users to react.
Phishing often begins with spam and progressively attempts to steal business-sensitive information and personal information; like bank account numbers and pins, credit card details, etc. This information is then used for various purposes, including identity theft, fraudulently getting funds, crippling computer systems through securing trade secrets, or even sensitive information about national security. However, phishing is often used simply to spread malware; like trojan horses, worms, ransomware, spyware and take actions like opening ports or backdoors for future action quietly rather than immediately soliciting user action.
Phishing “baits” the recipient, with trust, to take any action that gives cybercriminals access to information and devices. Defending against cybercriminals attempting to gain access to your systems and data might look like a technology issue on the surface. And, it’s true that robust email and web filtering are essential to prevent traditional phishing and reduce risk. But, when dealing with more narrowly focused spear-phishing and whaling, addressing the risks created by human behavior, becomes vital to giving your organization the best chance of preventing costly breaches.
To protect your organization and prevent phishing attacks using best practices, you need to ensure you use a suite of network security, cybersecurity, and human security which allow you to consistently block and avoid phishing emails or text messages as well as to detect ones that land in inboxes are critical components to protect against phishing. To do this, it’s essential to understand the different channels of communication phishing uses, the methods and lures that they employ. This will help you and your employees recognize warning signs and phishing emails using a wide variety of tactics to gain an inside track.
Reinforce your organization’s perimeter
Phishing attack prevention includes applying three important network security best practices. First, ensure that all employees who connect remotely encrypt their traffic using VPNs, install robust email and web filtering, and reduce the amount of general phishing an employee encounters. Deploy additional network filtering resources, but these are the first three measures to start with.
Encrypt all traffic using TLS
Start with a simple step. Invest in a reputable VPN with TLS encryption for all your employees, so they can securely use public networks during their business trips, working from home, or in a coffee shop.
Having employees use a VPN will protect against cyber criminals listening to sensitive data, or becoming a man-in-the-middle using the best authentication and newest TLS protocol. This secures and encrypts the remote user’s activities and communications. VPN services also prevent unexpected data links by also automatically disconnecting inbound connections from your network, thereby preventing the criminal from penetrating your network at the end of any user session.
Filter all email traffic
Next, phishing email prevention is critical for ensuring email security, from rejecting and filtering harmful and malicious emails and quarantining them away from user inboxes. A properly configured email gateway with multiple layers will block 99.99% of spam and traditional phish with malicious links or attachments, much like a traditional phish. This means, understanding the configuration of a server is crucial in stopping users from receiving most fraudulent phishing emails.
Email spam filtering must always use multiple layers to truly be effective, even if these are hidden under the cover. Layers need to include well-designed real-time DNS Blocklists (DNSBL) to reject mail. A well-designed suite of blocklists, like Abusix Mail Intelligence, will block over 99% of the spam and general phish during the connection session.
Additionally SMTP authentication, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication Reporting & Conformance), is required to block unauthorized senders using your domain, as well as ones that attempt to spoof your domain and your executives and users. Bayesian content filtering is next used, with additional DNSBLs that block spamming domains, newly observed zero-day newly observed domains and IP addresses, Short URLs and online storage URLs, as well as cryptocurrency wallets found in spam.
Anti-malware filters next identify and neutralize malware attachments. In the last layer in the filter processing step, you should consider a well-designed phishing filter. While this will use more machine resources than earlier steps, it has fewer messages to deal with when you reach this point. Anti-phishing solutions will use powerful machine learning to find messages with other hidden indicators of spear-phishing.
Filtering email traffic is crucial for email security because filtering allows users to focus on their jobs and lives, not regularly be on the lookout for malicious email. Email security also reduces the risk of users unintentionally replying to phish, navigating to phish sites to input sensitive data or personal information or downloading malware, placing your organization’s and other user’s overall security at risk for a data breach or ransomware attack.
Filter all web traffic
Content Control or Web Filtering is a network security measure that helps in preventing your users from reaching phishing sites. Microsoft’s SmartScreen filter for Explorer and Edge; and Google’s Safe Browsing initiative (which includes Apple Safari, Firefox, and others) have gone a long way toward improving user safety. But that said, applying additional web traffic filtering protection is worth it, especially if you are in industries or businesses targeted by phishers; like financial, healthcare, utility, retail, information services, manufacturing, and government sectors.
Filtering web traffic is crucial to stop users from going onto fake phishing sites that appear legitimate, inputting sensitive data or personal information, and downloading malware. The way web filtering technologies work is they use DNS or a web proxy to manage traffic flows. The solutions identify phishing sites using Bayesian content filtering to both identify the category of the site and to scan the sites for threats including doing an anti-virus analysis. Most well-designed web filtering solutions today use machine learning also, to find sites with other phishing indicators, even if the site does not contain anything outright malicious.
Also, organizations that have deployed web filtering solutions typically configure the solution to block specific categories and enable other policies that help prevent users from unintentionally reaching any non-business-related and phishing pages. Comodo’s Secure Internet Gateway is one example of this type of filter for commercial use.
While not listed here, other additional network security activities that should be looked at include adding IDS/IDP and additional firewall protection, locking down tighter WiFi access, adding additional email filters, and sensitive data protection. Also consider user endpoint protection, including mobile devices, especially for your executives, if not all employees. Oh, and I can’t forget. If you don’t have current antivirus software on all employee devices at this point, you are way behind, no bueno.
Keep awake and aware
Keep your network healthy by remaining aware. Continually apply solid cyber security practices by monitoring and verifying. While locking down the network is an excellent start to developing network security, you need to always assume there will always be vulnerabilities. Continual cyber security monitoring of traffic is critical to plugging holes and securing your business network.
Closely monitor traffic
All of your system logs contain valuable information about the traffic coming in, and going out of your network. IDS, firewalls, wireless routers, email and web servers, web proxies, all contain information about who is trying to get inside your organization. Don’t be just reactive, be proactive, mine it!
Set aside time to read your log reports carefully and not rely entirely on alerts to flag dangerous activity.
Ensure that whoever reads your logs understands normal network behavior, so they can detect abnormal behavior that automated monitoring and alerts are missing. Here you might also consider adding additional security behavioral analytics tools and threat intelligence feeds to allow you to automatically detect activities that deviate from the norm and represent a potential threat.
Also, ensure there is a way to log and flag suspicious activities to look for repeat anomalous events and escalate issues. Following this path, you will identify faster indicators of threat and compromise that pose a potential problem, making remediation far faster and easier.
While sometimes organizations avoid monitoring logs containing employee traffic, don’t avoid them. Many employee devices may not be fully secured and may be compromised. Additionally, since most exploits are social engineered attacks, each employee is a vulnerability. Yes, employees are the most significant data breach risk to your organization.
Address the behavioral and insider threats early in their life cycle, regardless of whether they are related to an uninformed employee or an immediate risk to your business. Do not wait, always be proactive.
Stay up to date
Monitor the threat landscape for new types of threats or major exploits as they are discovered and reported, as you may find that the same problems exist in your network. Your security solutions or services may provide this type of alert or information system.
Subscribe to the U.S. Computer Emergency Readiness Team (US-CERT, a division of Homeland Security), which sends email alerts about recently confirmed software vulnerabilities and exploits.
Develop a human firewall with a security-centric culture
The two most effective phishing prevention methods include employee security awareness training and phishing simulations.
Security Awareness Training
Phishing doesn’t just bypass security technologies, it specifically preys on human mistakes, being fooled by cloned emails, and being too busy to review emails for signs of a scam before reacting to the message.
Phishing also exploits the fact that most people know little about phishing and preventing themselves from becoming victims.
To create a security-centric culture, you need to provide training in your new hire onboarding process and hold ongoing regular exercises to prevent phishing scams from gaining a foothold in your organization. Regular formal training sessions will help your employees keep current with any changes to your policies, network security practices, as well as new threats that have been observed in the wild or within your network.
To remain secure, your employees in your security-centric culture should be regularly asking the questions, “Are my devices, accounts and network secure?” and “How can I tell if my network is secure?” If they aren’t, each one increases your network’s vulnerability to attack.
A general training syllabus should dedicate time to
- Information security to ensure that the time you have put into your security best practices and processes, customer acceptable use policies, and what to do with an emergency is understood. If you don’t spend the time, employees will simply skim through your documentation.
In this section, teach your users about the best ways to improve their security, like using multi-factor authentication (2FA/MFA). Discuss why unsecured usernames and passwords are dangerous for them, and how they can develop unique, high-quality passwords if they ever have to use one.
- Network security training helps employees understand why certain types of security hardware and software exist, and the risks they mitigate. Doing this, eases resistance and increases network security tool adoption.
Include in the discussion the use of a VPN when they connect to a public network at a coffee shop, while traveling, or at home. Also, make sure they understand how to recognize secure and insecure VPN attributes. Cyber security threat and response training helps arm your employees with the knowledge necessary to prevent successful email and web-based phishing attacks. It should also build awareness of current general cyber trends, recent attacks, and activity seen within your own network. Keeping them aware and helping them understand the risk of human vulnerabilities and the problems associated with sharing sensitive information outside their network, goes a long way toward keeping them and your organization safe.
To make this part of the training meaningful, run through several phishing examples, from email to web, to text messages and computer pop-ups. Make the session interactive. Help employees understand the dangers of clicking on a link, both in email and text messages, from a person they don’t usually communicate with, clicking on a link that does not appear correct, and backchecking the URL. Awareness is critical for you to help your users to stop phishing attacks successfully.
Actively engage employees in Security Training
Sharing real-world phishing emails and site screenshots with them, and discussing how to identify fake phishing, is helpful to increasing awareness and making them more cautious of phishing attempts and engaging them in the discovery process.
Also, encourage employees to present their security responsibilities in security training sessions; especially if your company provides customer-facing SaaS, web or email services. Brainstorming security process risks and improvements together and keeping a good, better and best practices security roadmap is a must.
Separately, you may wish to seek out a security awareness training vendor to increase the depth of helpful content. Often these vendors have gamified videos, quizzes, presentations, and posters which deliver the information in bite-sized chunks to make them easier for users to digest.
Phishing simulations are an ideal way to measure phishing awareness in your organization. Using a phishing simulation to test users helps increase cyber security and heightens phishing risk awareness.
Phishing simulations are meant to stop phishing attacks by giving security trainers a way to effectively tell if employees can identify suspicious emails or text messages and which are phishing. Simulation results help direct future training where it is needed. Trainers should send simulated phishing emails from time to individual users, groups, or departments, with different levels of difficulty for each group. They should identify trends across the organization and follow users who fail the tests regularly to help them. Simulation shouldn’t be used to catch people who struggle, instead, it should be used to assess the real-time responses staff, keep employees on their toes, and provide ongoing training to users struggling with cybersecurity issues.
Never forget, phishing targets people. Ensuring everyone in the organization is familiar and aware of phishing is a crucial factor in stopping phishing attacks. Your goal with training should be to directed to help your users stop phishing attacks and reduce the likelihood they will inadvertently succumb to phishing scams, clicking on a link or revealing sensitive data, transferring money from a business or personal bank account, or revealing personal information or credentials like email addresses, phone numbers, and numbers to credit cards to attackers. Make the training personal, and about keeping them and their families and livelihood safe, not just about you and your business; and you will get a better result.
If you need help, security awareness training vendors also offer comprehensive platforms to create simulated phishing email campaigns and send them out to users. Many of these same vendors also provide additional materials which can be used after phishing simulation to train users who need more help identifying phishing emails.
Send security updates to employees
Keep your employees informed and aware of the latest cybersecurity issues. Send employees regular updates about cybersecurity threats and new social engineering scams, and regularly refresh their memories about repeat threats to keep your human firewall strong.
Encourage a “neighborhood watch”
Involve your employees and encourage a “neighborhood watch”
- Just like a job description, ensure your employees know their role and its related risks. The better employees understand the implications of weak networks and cyber security and what they can do to help, the safer your network will be.
- Assign every employee some cyber security duties as part of their job. Take a look at NIST’s guide “Cyber security is everyone’s job,” for ideas that are appropriate for different parts of your business.
- Regularly test your security plans by reviewing them with your employees to ensure they’re sound and practical.
- Have employees guide you through what they should do, if they notice suspicious activity on their devices or on the network. Include how they should escalate alerts to their cybersecurity escalation contact.
Continuing to stay safe
Phishing can be a complex area to tackle by following the simple tips and advice outlined in this article (and embracing proper phishing prevention tools) — you can significantly minimize your risk of falling victim to digital scammers.
Protect your organization by applying solid network security best practices, monitor and stay awake with cyber security monitoring and develop a security-centric culture.
Social engineering can be harmful. 91% of all cyber attacks begin with a spam (phishing) email to an unexpected victim, so all your employees need to be alert. Otherwise, an attack can even cause your organization irreparable harm, causing you to go out of business.