How to Protect Your Business From Email Phishing Attacks
November 09, 2022 • César Daniel Barreto
Cybercrime is now one of the many concerns businesses face daily. Technology has been the mainstay of development for many companies; however, as the digital side of business operations and daily activities becomes more essential, attacks in this environment grow along with it.
One of the most common means for hackers to gain access to the private information of individuals and companies is email. Email is one of the channels most used by companies and individuals to share information on a daily basis. It is remarkable how much information is sent through email every day and how much of that data is private or sensitive. If you want to prevent your company from suffering a phishing attack caused by careless use of email, this article will provide you with valuable information to prevent such attacks and give your company greater security.
First, what is phishing?
Phishing is a type of social engineering in which the hacker tricks a user into doing “the wrong thing”, which usually means disclosing information or clicking on a malicious link. Phishing can be conducted via social media, text messages, or even by phone. However, nowadays email is the most common channel for perpetrating this type of attack. Email is an ideal delivery method for phishing because most people check their inbox in a hurry. In addition, these malicious emails are very easy to camouflage among legitimate ones.
How does phishing affect businesses?
An organization of any type and size can be hit by a phishing email. Aside from the theft of information, phishing emails can install malware, including ransomware, sabotage your systems or steal money through fraud. In addition, a cyberattack can destroy your reputation and your customers’ trust. You might get caught up in a mass campaign, where the attacker is stealing passwords or making some easy money; this is usually the first step towards a bigger attack on your company, such as the theft of sensitive data. In a targeted campaign, the attackers may use private information about your employees to craft more realistic and persuasive messages, which is known as spear phishing.
Why are phishing attacks successful?
Hackers have studied people’s online behaviour very well; they know how people’s social instincts work, such as the urge to be helpful and efficient. Phishing attacks can be particularly powerful because these same social instincts also make us good at our jobs.
The most effective way to protect against phishing attacks is to utilize a combination of technology, process, and people-based approaches. For example, if you want people to report any suspicious email, you need to make it easy for them to do so. This means providing technical means of reporting the email and having a process in place that will give timely feedback on the report.
How to protect your business against phishing attacks?
Here are some expert-provided steps to protect your company from email phishing attacks:
Widening your defences:
Typical defences against phishing rely on users’ ability to detect phishing emails. By widening your defences you can improve your resilience against phishing without disrupting the productivity of your employees. You will also have multiple opportunities to detect a phishing attack and act before it can cause big damage to your company. Also, it is essential to embrace the fact that some attacks will get through, which you can use as an advantage to plan ahead and minimise the damage caused.
When developing your security plan, you can think of your defences in terms of four layers:
- Don’t let your email addresses be a resource for hackers.
- Help users identify and report potentially harmful or fraudulent emails.
- Keep your organization safe from phishing emails that go undetected.
- It is important to respond quickly to incidents in order to resolve them as soon as possible.
Below we will explain each of these layers and how to apply them to your business.
Layer 1: Make it difficult for hackers to reach your users
The first layer describes the defences that can make it difficult for hackers even to reach your end users.
Don’t let hackers use your email addresses as a resource
Attackers can trick people by sending emails pretending to be someone else, for example, one of your employees or even yourself. These spoofed emails can reach your customers or people inside your organization.
How can you prevent this?
To protect your email addresses and prevent hackers from gaining access, you can employ anti-spoofing controls: DMARC, SPF and DKIM. In addition, encouraging your contacts to do the same is very useful.
Reduce the information available online
The public online information about your company is known as its “digital footprint” and includes everything you post on social media and your website, including what your employees post.
What can you do about this?
Don’t provide unnecessary details; beware of the information your partners, contractors, and suppliers give about you in their organization’s online communication and work with your employees to minimize security risks. Educate your staff on how sharing their personal information can affect them and the organization, and develop a clean digital footprint policy for all users.
Filter or block incoming phishing emails
Filtering or blocking phishing attempts before they reach your users reduces the probability of any harm. It also reduces the amount of time users need to spend checking for suspicious emails and reporting them.
How can you do this?
Acquire a cloud-based filtering/blocking service to stop incoming phishing and malware emails before they reach your users. Make sure the service you get covers all of your users. For inbound emails, the anti-spoofing policies of the sender should be honoured: if the sender publishes a DMARC policy of reject, you should reject as requested. In addition, emails can be filtered or blocked in a number of ways, such as by IP address, domain name, email address allow/block lists, public spam and open-relay blocklists, attachment type and malware detection.
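The anti-spoofing controls named under Layer 1 (SPF, DKIM, DMARC) and the rule above that a sender’s DMARC policy should be honoured come together on the receiving side. The following added example (not code from the original article) shows how a receiver turns a published DMARC record plus the SPF and DKIM results for one message into a disposition. The DNS records, domains and helper names are constructed for illustration; a real receiver queries `_dmarc.<domain>` in DNS and applies pct sampling and subdomain (sp=) rules, which are omitted here.

```python
"""Evaluate an inbound message against the sender's published DMARC policy."""

# Constructed example records (stand-ins for the TXT records a real
# receiver would fetch from _dmarc.<domain> in DNS).
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; adkim=s; aspf=r",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}   # relaxed alignment, full sampling
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Crude organisational domain: last two labels (enough for this example;
    real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) accepts the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'none', 'quarantine' or 'reject' for a message whose visible From:
    header is in from_domain. spf_domain is the envelope (MAIL FROM) domain SPF
    checked; dkim_domain is the d= of a passing DKIM signature (pct sampling ignored).
    """
    record = DNS_TXT.get("_dmarc." + org_domain(from_domain))
    if record is None:
        return "none"        # sender publishes no policy, so there is nothing to honour
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "none"        # DMARC pass: at least one aligned authenticator succeeded
    return tags["p"]         # DMARC fail: apply exactly the disposition the sender asked for
```

A message that passes SPF for an unrelated envelope domain still fails DMARC, which is exactly the spoofing case the article warns about; the policy the sender published, not the receiver’s guess, decides what happens next.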
Layer 2: Help the user identify and report suspected phishing emails
This layer explains the best ways to help your staff to spot phishing emails and how to improve your reporting culture.
A well-executed phishing training program can make a difference
One of the most emphasised methods of phishing defence is training your users; they can make a valuable contribution to your organization’s safety. However, humans make mistakes, which is why it is crucial to take a holistic approach with appropriate technical mitigations and changes to the wider security culture of the organization.
How can you do this?
Your staff must know that phishing messages can be difficult to spot, and that you do not expect people to identify them every time. Instead, foster a mindset where it is OK to ask for guidance or support when something seems off.
Never punish users who struggle to spot phishing emails. Remember, hackers are professionals, and they know how to trick people. Training should aim to improve your employees’ confidence and willingness to report future incidents.
Ensure your users understand the consequences of phishing, and provide real-life examples and tangible case studies without overwhelming people.
Work with the staff who are most likely to receive phishing emails. For example, customer-facing departments, the finance team and IT staff are of greater interest to hackers. Ensure these staff are aware of the risks and offer them additional support.
Make it easier for your users to recognize fraudulent requests
Attackers mislead users to obtain passwords or trigger unauthorised payments. Keep in mind which of your processes are most likely to be mimicked by attackers, and review and improve them so that these phishing attempts are easier to spot.
How can you do this?
Ensure everyone involved is familiar with the processes and is prepared to recognise unusual activity.
Implement a form of two-factor authentication for requests, meaning that all important email requests are verified through a second channel, such as a text message, a phone call, or in person. To share files, use an access-controlled cloud account instead; this way, you avoid sending attachments in your emails.
Consider telling your suppliers or customers what they should look for, such as “we will never ask you for your password or bank details”.
Encourage users to ask for help when they need it
Building a good reporting culture enables your users to ask for help and provides you with important information about what types of phishing attacks are being targeted at your organization. You can also learn what types of emails are being confused with phishing and what improvements you can make.
How can you do this?
Create an effective process for users to report when they think phishing attempts might have passed your organization’s technical defences. Ensure the process is clear, simple and convenient.
Provide quick and specific feedback on what action has been taken, and make clear that their contributions make a difference and are helpful.
Think about how you can use informal communication channels to create an environment where it is easy for the staff to talk about the topic and ask for support and guidance.
Avoid creating a punishment or blame-oriented culture around phishing.
Layer 3: Protect your organization from the effects of undetected phishing emails
This layer explains how to minimize the impact of undetected phishing emails.
Protect your devices from malware
Malware is hidden in emails or fake websites, but you can configure your devices to stop malware from installing, even if the link in the email is clicked.
How can you avoid malware?
One way to prevent attackers from exploiting your vulnerabilities is to use supported software and devices and keep them up to date with the latest updates from software developers, hardware suppliers and vendors.
Limit the use of administrator accounts to only the staff who need them. In addition, people with administrator accounts should never use them to check email or browse the web.
Consider other defences against malware, such as disabling macros, anti-malware software, antivirus, etc. Make sure you know which type of malware defence is appropriate for each kind of device.
Protect your users from malicious sites
Links to malicious websites are always the most important part of phishing emails. However, if the link cannot open the website, the attack will not be completed.
How can you do this?
Modern, up-to-date software will block websites known to contain malware. However, this option is not always available on mobile devices.
Organizations should run a proxy service, either in-house or in the cloud, to block any attempt to reach websites identified as hosting malware or phishing campaigns.
Protect your accounts with a stronger authentication
Hackers are always on the hunt for passwords, especially for accounts with privileged access to sensitive information, financial assets or IT systems. Make your login process more resistant to phishing, and limit the number of accounts with privileged access to sensitive information.
How can you do this?
Enable two-factor authentication (2FA) or two-step verification. Having a second factor means the attacker cannot access an account using a stolen password alone.
Use a password manager. Some of these recognise real websites and will not autofill on fake ones; this way, you avoid handing your login information to a fake website. In addition, you can use single sign-on, where the device recognises the real website and signs in automatically. Both techniques avoid entering passwords manually, so a site asking the user to type a password becomes unusual and therefore a warning sign.
Consider using alternative login mechanisms that are more difficult to steal, like biometrics or smartcards.
Remove or suspend accounts that are no longer being used.
Layer 4: Respond quickly to incidents
All organizations will experience a cyberattack at some point; being aware of this and having a plan in advance so you can react immediately is essential to avoid the most serious consequences.
Detect incidents quickly
Knowing about an incident sooner rather than later allows you to limit the harm it can cause.
How can you do this?
A security monitoring capability can pick up on incidents your users are not aware of. However, this may not be possible for every organization, so you can start by collecting logs, such as the history of emails received, web addresses accessed and connections to external IP addresses. To collect this information, you can use the monitoring tools built into off-the-shelf services, such as cloud security dashboards, build an in-house team, or outsource to a managed security monitoring service. How much you collect and store will depend on your budget. Once you have set this up, keep it up to date so it remains effective.
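The log sources named above (emails received and web addresses accessed) become useful once they are correlated. The following added example, not code from the original article, joins a constructed mail-gateway log with a constructed web-proxy log to find users who visited a link that arrived from an outside sender shortly before; the log formats, domains and the 30-minute window are assumptions for the illustration.

```python
"""Correlate mail-gateway and web-proxy logs to spot clicks on emailed links."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample logs (not real data). Assumed formats:
#   mail:  time|recipient|sender|url_found_in_body
#   proxy: time|user|url_requested
MAIL_LOG = """\
2022-11-09T09:01:10|alice@corp.test|it-helpdesk@corp-login.test|https://corp-login.test/reset
2022-11-09T09:02:30|bob@corp.test|newsletter@vendor.test|https://vendor.test/news
2022-11-09T09:05:00|carol@corp.test|hr@corp.test|https://intranet.corp.test/policy
"""
PROXY_LOG = """\
2022-11-09T09:03:05|alice|https://corp-login.test/reset?token=abc
2022-11-09T09:04:40|bob|https://news.site.test/
2022-11-09T09:40:00|alice|https://corp-login.test/reset
2022-11-09T09:06:10|carol|https://intranet.corp.test/policy
"""
INTERNAL_DOMAIN = "corp.test"       # mail from this domain is out of scope here
WINDOW = timedelta(minutes=30)      # how soon after delivery a visit counts as a click


def parse(log: str) -> list:
    """Split a pipe-delimited log into rows of fields."""
    return [line.split("|") for line in log.strip().splitlines()]


def find_clicked_links(mail_log: str = MAIL_LOG, proxy_log: str = PROXY_LOG) -> list:
    """Return (user, host, seconds_after_delivery) for every proxy request to a
    host that reached the same user in an external email within WINDOW."""
    proxy_rows = [(datetime.fromisoformat(t), u, urlparse(url).hostname)
                  for t, u, url in parse(proxy_log)]
    hits = []
    for m_time, rcpt, sender, url in parse(mail_log):
        if sender.split("@")[1].lower() == INTERNAL_DOMAIN:
            continue                                   # internal sender: skip
        user = rcpt.split("@")[0]
        host = urlparse(url).hostname
        delivered = datetime.fromisoformat(m_time)
        for visited, p_user, p_host in proxy_rows:
            delay = visited - delivered
            if p_user == user and p_host == host and timedelta(0) <= delay <= WINDOW:
                hits.append((user, host, int(delay.total_seconds())))
    return hits


if __name__ == "__main__":
    for user, host, secs in find_clicked_links():
        print(f"{user} visited {host} {secs}s after an external email linked to it")
```

Each hit is a candidate incident to hand to the response plan described in the next section; the later visit by the same user falls outside the window and is left for manual review rather than flagged automatically.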
Have an incident response plan
Once you or some of your employees have discovered a phishing attack, you need to know what to do to prevent any harm as soon as possible.
How can you do this?
Make sure everybody in the organization knows what to do for the different types of incident, what their responsibilities are, and how they will carry them out. Ensure your plan complies with your organization’s legal and regulatory obligations. Incident response plans should be practised in advance so that everyone is familiar with the procedure and their roles.
Final thoughts
In closing, phishing attacks can have serious consequences for individuals and organizations. It is important to remember that this is not a problem that can be solved with a single solution, but rather by implementing multiple layers of defence. This may involve technical measures, such as secure email gateways and proxy services, as well as strong authentication and regular user training to educate employees on recognising phishing attempts. Lastly, being prepared with a response plan in case of an attack is crucial to minimise the damage and recover quickly.
César Daniel Barreto
César Daniel Barreto is an esteemed cybersecurity writer and expert, known for his in-depth knowledge and ability to simplify complex cyber security topics. With extensive experience in network security and data protection, he regularly contributes insightful articles and analysis on the latest cybersecurity trends, educating both professionals and the public.