Phishing targets the most vulnerable part of business IT systems – the employee. Hackers launch phishing attacks against employees in the hope of extracting sensitive data, which they often use for extortion and theft. These attacks have increased recently and have never been more frequent. A 2019 Verizon report noted that more than 30% of all breaches were the result of phishing. Phishing campaigns are quick and inexpensive to set up and scale, so it is no surprise that phishing is so prevalent.
The main weapons used in phishing attacks are deceptive emails and websites. A successful phishing attack convinces an unsuspecting victim that someone they trust, usually a coworker or manager, needs them to perform an action on their behalf. This can be clicking a link, opening an attachment, or outright providing sensitive data. So how should you protect your business from this type of cyber-attack?
Continuous Education
By far the most valuable thing you can do to prevent phishing attacks is to educate your employees, as they are the ones most likely to be targeted. Phishing emails and websites are becoming more sophisticated and harder to tell apart from “the real thing”, so awareness is key. Employees who receive hundreds of emails every day can easily let their guard down, which could lead them to click on an official-looking email. Employee training does not need to be overcomplicated, since the basics of phishing are quite simple. Also, encourage your employees to share phishing experiences with each other to increase awareness.
Training should be consistent and updated regularly. Hackers keep perfecting their methods and developing new techniques, so you will need to keep up to date on the latest phishing trends and make sure your employees are also aware of them. There are several IT news sources that report on the newest attacks. Monitoring them regularly will give you an advantage when it comes to protecting against potential threats.
Antivirus and Anti-Malware
Most phishing attacks can be stopped in their tracks by using effective antivirus and anti-malware software on every device in your business. This layer of software protection will analyze all links and scan all incoming attachments in your inbox. Suspicious emails are marked, and you can revoke read access for these emails. This can give your security team time to analyze them and take further action.
As with all software, you need to be vigilant about keeping the latest version installed. New phishing attacks are launched all the time, so stay alert. Even if you have the best, fully updated antivirus software money can buy, you should not drop your guard. Relying too heavily on antivirus and anti-malware software can leave you open to attacks.
Run Unannounced Drills
Even if you have fully educated your employees about phishing attacks, and deployed software protection, you should by no means become complacent. The best way to test the online security of your system is to launch practice phishing attacks. Random phishing emails can be sent out to employees on a regular basis to test how good they are at recognizing suspicious emails, and how susceptible they are to attacks.
These emails almost always contain a fake link or call to action that urges the recipient to take some action on behalf of the company. This link most often looks like the link to a legitimate company service but has a fishy domain or is subtly misspelled. The employees that take the bait and click on the malicious content should be invited to take a refresher training course in online security. If you lack the time or inclination to mastermind these attacks yourself, you can use online phishing simulators.
Know the Language
While the types of phishing attacks are extremely diverse, there are some characteristics that most of them share. Learning these characteristics will equip you to spot attacks more quickly. A call to action is a common characteristic in phishing attacks; “fraud alert”, “verify your account” and “unlock your account” are just a few common examples. Be aware of the fact that legitimate businesses will never send you links or other content that ask you for personal information like login credentials and passwords.
Another thing common to phishing attempts is that they try to convey a sense of urgency. This can be done in a variety of ways: from warning you that your account is compromised or about to expire, to impersonating a high-level manager in your company who urgently needs some funds sent. Last but not least, any email that does not address you directly should be approached with great scrutiny. The more careful scammer will use your real name, but the majority send the same message thousands of times with a generic greeting.
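The traits described in this section (call-to-action phrases, urgency wording, generic greetings) and the subtly misspelled or look-alike link domains mentioned under the drills section can be turned into a simple triage check that a security team runs over inbound mail before an analyst looks at it. The following is an added example written for this page, not tooling from the article's author; the phrase lists, the "known good" domain list (example-corp.com) and the two sample messages are all constructed for the demonstration, and the scoring weights and threshold are assumptions a real deployment would tune.

```python
"""Heuristic phishing triage over the message traits described above.

Added example: the phrase lists, known-good domains, sample messages and
score weights are constructed for this demonstration and are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed wording lists for the call-to-action and urgency traits.
CALL_TO_ACTION = ["fraud alert", "verify your account", "unlock your account",
                  "confirm your password", "update your payment details"]
URGENCY = ["urgent", "immediately", "within 24 hours", "account will be suspended",
           "about to expire", "has been compromised"]
GENERIC_GREETINGS = ["dear customer", "dear user", "dear valued member", "hello,"]

# Constructed list of domains this (hypothetical) organisation actually uses.
KNOWN_GOOD_DOMAINS = ["example-corp.com", "mail.example-corp.com"]

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches domains one or two characters off a known one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domains(body: str) -> list[str]:
    """Return linked hosts that resemble, but are not, a known good domain."""
    hits = []
    for host in URL_RE.findall(body):
        host = host.lower()
        if host in KNOWN_GOOD_DOMAINS:
            continue
        for good in KNOWN_GOOD_DOMAINS:
            # Small edit distance (e.g. a digit swapped for a letter) or the
            # trusted name buried inside an unrelated domain.
            if levenshtein(host, good) <= 2 or good in host:
                hits.append(host)
                break
    return hits


@dataclass
class Verdict:
    score: int
    reasons: list[str] = field(default_factory=list)


def score_message(subject: str, body: str) -> Verdict:
    """Score one message; each matched trait adds to the score with a reason."""
    text = f"{subject}\n{body}".lower()
    v = Verdict(0)
    for phrase in CALL_TO_ACTION:
        if phrase in text:
            v.score += 2
            v.reasons.append(f"call to action: '{phrase}'")
    for phrase in URGENCY:
        if phrase in text:
            v.score += 1
            v.reasons.append(f"urgency: '{phrase}'")
    first_line = body.strip().splitlines()[0].lower() if body.strip() else ""
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        v.score += 1
        v.reasons.append("generic greeting")
    for host in lookalike_domains(body):
        v.score += 3
        v.reasons.append(f"lookalike domain: {host}")
    return v


def is_suspicious(subject: str, body: str, threshold: int = 3) -> bool:
    """Assumed threshold: three points sends the message to an analyst queue."""
    return score_message(subject, body).score >= threshold


# Constructed sample messages (not real mail).
PHISH_SUBJECT = "Fraud alert: verify your account immediately"
PHISH_BODY = ("Dear customer,\n"
              "Your account has been compromised. Verify your account within 24 hours at\n"
              "https://examp1e-corp.com/login or it will be suspended.")
LEGIT_SUBJECT = "Q3 planning notes"
LEGIT_BODY = ("Hi Dana,\n"
              "The notes from today's meeting are on the wiki:\n"
              "https://mail.example-corp.com/wiki/q3-planning\n"
              "Thanks, Sam")

if __name__ == "__main__":
    for subj, body in ((PHISH_SUBJECT, PHISH_BODY), (LEGIT_SUBJECT, LEGIT_BODY)):
        verdict = score_message(subj, body)
        print(f"{subj!r}: score={verdict.score} suspicious={is_suspicious(subj, body)}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The constructed phishing sample scores on every trait the section names (two call-to-action phrases, three urgency cues, a generic greeting and a one-character domain look-alike), while the legitimate sample scores zero because its link points at a domain on the known-good list. Phrase matching of this kind is deliberately crude; its value is in routing mail for human review and in giving the recipient a concrete list of reasons, not in replacing the mail filter or the training described above.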
Use All the Tools at Your Disposal
Your anti-phishing efforts must be multifaceted in order to be effective. Implementing just one of the steps mentioned above won’t go far enough towards providing a bulletproof security system. Training and educating employees are key ingredients to defending against phishing attempts; however, this will not stop an attack caused by human error. Likewise, tools and applications for online security are only as good as the people using them. If your staff is unaware of the risk of phishing attacks, then shortcomings in their understanding could lead to the misuse of anti-malware software and cause these protections to be less effective. Always assume that your system is at risk and under attack. This mindset should be shared by everyone on your staff.