Every IT admin has asked themselves, “How can I stop phishing attacks?” Phishing is unfortunately one of the most common, effective, and damaging attacks hackers use to break into bank accounts, steal data, take money, and generally scam your company.
Phishing attacks have always been on the rise, but since Covid-19 caused many organizations to move to remote work, phishing attacks have increased exponentially. According to F5, phishing attacks increased by 220% during the Covid-19 peak. Some of these attacks capitalized on the fears surrounding the pandemic, including fraudulent hand sanitizer and mask offers.
Learning a few tricks can make stopping phishing attacks easier for your company. There is a wide range of tricks and tools you can use to protect your users and data from phishing attacks, including simply knowing what to look out for. Sharing this knowledge and implementing these tools can help you improve your overall cybersecurity, save time, and protect your business’s money in the long term.
What Is Phishing and Which Techniques Do Attackers Use?
Phishing is an attack by a cybercriminal who poses as an institution or a known person. The goal of this deception is to convince an individual to share sensitive information. This information may include bank account numbers, credentials, credit card numbers, or any other personally identifiable information (PII). These attacks may be performed in any of the following ways:
The most common type of phishing attack is an attack via email. These emails are likely to contain a ‘call-to-action.’ The action often leads to a spoofed login page designed to harvest passwords, but it could also be an instruction to click a link or open a file, which then installs a virus or ransomware on your computer system.
Spear-Phishing and Business Email Compromise
These types of attacks are more advanced than regular mass phishing attacks. Spear-phishing is when hackers uniquely target an individual or business using information specific to them. This includes impersonating a trusted sender, such as a business contact.
They will then target users, impersonating familiar suppliers, services, or business topics, and ask them for specific account information, such as banking credentials.
Business email compromise (BEC) is similar, except the senders are usually impersonating the company’s executives or using a compromised account within the organization.
When surfing the web, users might come across a page that looks legitimate (it may even use HTTPS) but is actually harvesting their data. According to Google’s Transparency Report, Google detected an average of 46,000 new phishing websites a week.
A whaling attack is a targeted attack against senior executives or other high-profile employees. The goal of whaling is to manipulate the victim into authorizing a high-value wire transfer. Whaling attacks are harder to detect than standard phishing attacks.
Smishing and Vishing
These two techniques are very similar in nature. Smishing is phishing via mobile phone by text messages and vishing is phishing through voice communication, such as acting as technical support.
This is a newer type of phishing attack driven by the rise of social media use. Cybercriminals disguise themselves as customer service representatives and reach out to disgruntled customers, asking for private account information under the pretense of resolving the issue.
Why Phishing Is Dangerous
Phishing attacks remain successful because they constantly slip through email and web security technologies. Exchange, Office 365, and G Suite are commonly used in the workplace for business communications. While these platforms filter out well-known malicious emails, zero-day and targeted email threats consistently slip through the cracks. Unfortunately, when these emails do not look overtly scammy, users fall for them, which can have massive repercussions for organizations. Take a look at some of the most shocking phishing damage statistics from the past few years:
- The FBI IC3 has seen an increase in business email compromise (BEC) complaints involving the use of virtual meeting platforms to instruct victims to send funds to fraudulent accounts.
- In a recent threat report, Proofpoint found that 75% of all organizations experienced some sort of phishing attack. Additionally, 35% of organizations experienced spear phishing attacks, and 65% faced Business Email Compromise (BEC) attacks.
- IBM also found that nearly 20% of companies suffered a malicious data breach caused by lost or stolen credentials.
- If one account has been compromised there’s a chance that multiple accounts have been compromised as well. Google Online Security Survey shows that 52% of users reuse the same password for most of their accounts.
- Human error will continue to be a major problem. No matter which security solution a business chooses to implement, mistakes from humans will continue to be a loophole that cybercriminals will take their chances on.
- Organizations can lose millions to cyber extortion. This type of social engineering attack targets important individuals within an organization, demanding money in exchange for not leaking sensitive or humiliating information about the individual.
- Phishing has grown more sophisticated and accessible. The dark web offers phishing kits that are made by professional hackers, which gives low-level hackers the opportunity to launch sophisticated attacks without being skillful.
- Phishing causes permanent damage to brands. Phishing attacks are usually spotted too late and sometimes are meant to compromise the customer instead of the business. When customers find out about a security breach, the brand loses its reputation and customers take their business elsewhere.
11 Tips to Stop and Prevent Phishing Scams
With a few tips and tricks, you can keep your organization safe from phishing attacks. Let’s take a look at some of these tips and why they are so helpful:
1. API-level detection layer
API-level email security provides several advantages over the email-filter approach for detecting and responding to evasive phishing attacks. This newer approach continuously scans messages for threats and anomalous behavior after delivery, not just in a single pass at the server. Inspecting emails post-delivery allows time to apply techniques such as machine learning, natural language processing, and sender-recipient email history.
When a threat is identified, it can automatically “claw back” suspicious messages from all impacted inboxes. This addresses a second shortcoming in the current email security model: the labor-intensive process of investigating, containing, responding to, and remediating malicious emails across the organization.
2. Provide training to your employees
Providing your employees with email security training can give them the knowledge they need to avoid a phishing attack. Here are some key points to touch upon during that kind of training:
- The concept of “think before you click”: This concept involves educating your employees about how to recognize and report a phishing attack. Some of the things to look out for might include suspicious email addresses, a generic greeting, a threatening tone, grammatical errors, external links to a site you don’t recognize, and more.
- Segment networks: This can help to keep sensitive data more restricted, which makes it more difficult for cyberattacks to penetrate your network.
- Audit the cybersecurity environment: This will help your organization assess any vulnerabilities, as well as identify threats, and develop necessary defensive strategies.
- Don’t respond: It’s crucial to not respond to emails requesting your personal information, such as bank details, passwords, etc.
- Check grammar: Treat emails with poor spelling or grammatical errors as suspicious and check them thoroughly.
- Checking on mobile: On mobile devices, press and hold the link or URL so that a preview appears and you can determine whether it leads to a legitimate site.
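The following is an added example, not code from the original article or from Cyren: a small Python post-delivery checker in the spirit of tip 1 that scores an already-delivered message against a sender-recipient history and several of the indicators listed above (a first-time or lookalike sender address, a known contact’s display name on an unknown address, urgent payment language, links to unrecognised hosts), plus a claw-back routine that removes a flagged message from every inbox. HISTORY, TRUSTED_HOSTS, the sample message and the mailbox dictionary are constructed, assumed data, and plain-text (non-multipart) mail is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed history (assumed data): recipient -> {known sender address: display name seen before}.
HISTORY = {"alice@example.com": {"cfo@example.com": "Dana Lee",
                                 "billing@supplier.test": "Supplier Billing"}}
TRUSTED_HOSTS = {"example.com", "supplier.test"}
URGENT = re.compile(r"\b(urgent|immediately|within 24 hours|wire transfer|gift cards?)\b", re.I)
# Constructed sample: a BEC-style message reusing the CFO's display name on a lookalike domain.
SAMPLE = ("From: Dana Lee <dana.lee@examp1e.com>\nMessage-ID: <constructed-1@examp1e.com>\n\n"
          "Urgent: please wire transfer today via http://examp1e-pay.test/invoice\n")

def edit_distance(a, b):
    # Levenshtein distance, used to spot lookalike domains (one swapped, added or dropped character).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw, recipient):  # returns the indicators found; [] means nothing anomalous
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr, body, known = addr.lower(), msg.get_payload(), HISTORY.get(recipient, {})
    reasons = []
    if addr not in known:
        reasons.append("first-time sender for this recipient")
        if name in known.values():  # a known contact's name on an unknown address: BEC pattern
            reasons.append(f"display name '{name}' matches a known contact at another address")
        domain = addr.rpartition("@")[2]
        for kd in {k.rpartition("@")[2] for k in known}:
            if domain != kd and edit_distance(domain, kd) <= 1:
                reasons.append(f"domain {domain} is a lookalike of {kd}")
    if URGENT.search(body):
        reasons.append("urgency or payment language")
    for host in re.findall(r"https?://([^/\s>]+)", body):
        if host.lower() not in TRUSTED_HOSTS:
            reasons.append(f"link to unrecognised host {host}")
    return reasons

def claw_back(mailboxes, message_id):
    # Post-delivery remediation: remove one message from every inbox and report who had it.
    def keep(m): return message_from_string(m).get("Message-ID") != message_id
    affected = [u for u, inbox in mailboxes.items() if not all(map(keep, inbox))]
    for u in affected:
        mailboxes[u] = [m for m in mailboxes[u] if keep(m)]
    return affected
```

In practice the history would be built from the mail platform’s API rather than a hard-coded dictionary, and a flagged message would be quarantined rather than dropped so that it can still be investigated.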
3. Utilize end-to-end encryption
A very reliable method for stopping phishing attacks, encryption is always a great first measure for your organization to adopt. End-to-end encryption is the best way to ensure that the email messages your employees send are fully encrypted: the intended recipient is the only person who can decrypt the email, on their own device. Such emails are secured at every stage of delivery; they cannot even be read by the email servers. This makes it difficult for cybercriminals to gain access to sensitive information or attachments.
4. Check & set rules for your spam filter
The first step you can easily take is checking your email provider’s settings. While most email providers do a good job of blocking phishing attempts, a few messages may still slip through the filters. Fortunately, you can report any attacks that do get through. You can also set up rules within your spam filter: depending on the host of your email server, you can define rules so that incoming emails matching certain parameters are marked as junk and then moved to the trash.
5. Install anti-phishing software
Anti-phishing software provides users with the extra protection they may need. Solutions such as Cyren Inbox Security can help detect phishing attacks and automate incident response workflows to keep your organization safe. The spam filtering capabilities of major email providers are necessary for email hygiene, but they are not enough for the prevent, detect, respond, predict cycle required to address the risk.
6. Email filtering
The first line of defense against phishing attacks is a secure email gateway. Microsoft Safe Links, a feature of Microsoft Defender, is also helpful because it can be used to filter harmful and malicious emails and quarantine them automatically so that they do not reach user inboxes. A good secure email gateway blocks 99.99% of spam emails, removing emails that contain malicious links or phishing attachments. They are essential to stopping users from receiving almost any phishing emails.
7. Phishing simulation
Conducting phishing simulations is an important way to see how effectively your employees recognize phishing attacks. This helps IT admins understand the risk their organization faces from phishing, and it can also be used to direct training as needed.
8. Don’t give your information to unsecured sites
Secure websites have https:// at the start of their URL and a locked padlock icon next to it. Sites without certificates are not necessarily phishing sites, but it’s always best practice to avoid unsecured sites.
9. Cycle your password regularly
A brute force attack is a hacking method that uses trial-and-error attempts until the password is cracked. Some password manager software can cycle passwords periodically to drastically reduce the risk of these attacks.
10. Install firewall software
Firewalls are effective in preventing external attacks by providing a layer of protection between your computer and the attacker. Using a host firewall and a network firewall together will drastically reduce the chances of a security breach.
11. Avoid clicking pop-ups
These pop-ups are usually associated with advertisements, but some phishing websites launch multiple pop-ups that are difficult to close, and clicking one accidentally may lead to a compromised site.
Phishing emails are unfortunately built to trick users into clicking, sending credentials, and more. Since the sophistication of these attacks is constantly evolving, users need to stay vigilant to stop phishing attacks from happening.
Even with today’s technological advancements, cybercrime technology continues to evolve as well. The best way to prevent phishing attacks is to invest in a security solution and have protocols and recovery plans in place.