How do you protect against phishing attacks?
Phishing attempts are so common now that you’d be hard pressed to find an internet user who hasn’t seen one. According to the government’s cyber breaches survey, 86% of businesses experienced a phishing attack in 2020, a rise of 14% since 2017.
This growth has only sped up since the start of the pandemic. HMRC detected a 73% rise in email phishing attacks in the six months after the pandemic began. As far as security researchers can tell, this sudden increase can be linked to the rise of home working and the vulnerable emotional state many targets find themselves in. Criminals have seized on the rapid change Covid-19 has brought and will continue to do so until global case numbers recede.
Despite this increase, when most of us think of phishing attacks it’s the ones that are easy to spot. Such emails poorly imitate a company in a bid to get you to divulge account or payment information. As you may have noticed, though, phishing attempts are getting more sophisticated.
“Spearphishing” attacks step back from the broad net attackers usually cast and closely tailor emails or phone calls to specific employees. Often, once attackers have access to a network via a low-level employee, they impersonate that person to target colleagues who hold more valuable information.
These types of emails can be difficult for experts to spot, let alone your average user. As a result, preventing successful attacks can be a real challenge for many IT departments. Though some basic training will prevent the bulk of phishing attacks, it does little to prevent high-level imitations.
How to reduce the success rate of phishing attacks
If basic training isn’t enough, what can you do to protect your business against this new wave of attacks? Here are some of our top suggestions:
1. Strengthen domain security
With impersonation attacks so common, it’s vital that enterprises have strong domain security. If an attacker manages to get a hold of your registrar account, it becomes infinitely easier for them to pretend to be someone in your organisation. With the right access, they can send an email from a company address and mastermind attacks that are far more successful.
As well as securing your registrar account, you may want to register the most common misspellings of your domain and implement email authentication protocols such as SPF, DKIM and DMARC.
2. Reduce available information
Holding detailed information about your company on its website may provide reassuring transparency, but it’s also a treasure trove for attackers. Think about what information your customers need to know and what is just unnecessary fuel for attackers. Is it really important that your customers know who every team member in your company is? Does each of them require a publicly accessible email address, or can inquiries be directed elsewhere?
This extends to the information your employees share on social media. Attackers can use information about recently closed deals, new partners, and more. Ensure you have a clear and strict policy about what information should be made public.
3. Adopt a culture of caution
Though many companies perform training sessions, staggering numbers of employees click on phishing links every day. For the biggest impact, resilience shouldn’t just be boiled down to a quarterly seminar – it needs to be built into the culture of the company.
Adopting a “caution over comfort” mindset will help employees to think critically whenever they see an email that makes them uneasy. Make it known that they’re encouraged to double-check with their superiors or the IT department if they have any doubt.
This should extend to transactions. Often, phishers who have access to credentials will strike by jumping into an existing email chain about a deal and providing their own payment details instead of the intended recipient. A strict transaction policy that requires validation through security questions on a different communications channel can combat this.
4. Run spoof phishing campaigns to raise security awareness
Regularly running imitation phishing campaigns raises awareness amongst your user community about what to look for in a genuine phishing attack, and helps you identify individuals who need further support.
To help you run regular campaigns, we provide Phishing & Security Awareness as a Service. This hands-free service means you don’t have to remember to run phishing campaigns; we do it for you. Campaigns are regularly updated in line with the evolving sophistication of genuine attacks. For many of our customers, this service helps them to tick compliance boxes and meet cyber security training requirements.
5. Stop phishing emails in their tracks with a robust email gateway
Implementing the above tips will significantly reduce the chance that a phishing attack is successful without a significant financial investment. However, the unfortunate truth is that so long as phishing emails are still hitting employees’ inboxes, mistakes will be made.
That’s where an email gateway like Mimecast or Fortimail comes in. By scanning email in real time, these solutions identify suspicious emails and block, flag, or categorise them before they reach an employee’s inbox. They check every URL, sandbox and scan all attachments, and look for anomalies in the sender details and email text.
With an intuitive dashboard and regular updates, email gateway solutions act as a one-stop-shop for phishing protection, taking human error out of the equation while reducing the burden on the IT department.
If your organisation is experiencing an increase in phishing attacks and you’d like help protecting your users, data and systems, please get in touch. We’re always happy to discuss your unique environment and the options available.