Smell the Phish: 6 Anti-phishing best practices

Phishing emails are the most widespread opening move of all cyberattacks. According to KnowBe4, 91% of cyberattacks start with a spear-phishing email. This article discusses some of the industry best practices that small and medium businesses can follow to protect themselves.

Table of contents

1. What is phishing?
2. Education
3. Enforce multi-factor authentication
4. Use DNS filtering
5. Use email protection
6. Protect all devices
7. Mitigate the impact
8. Summary

What is phishing?

Phishing is a form of cyberattack that tricks the victim into giving up sensitive information or smuggling in malicious code. Phishing attacks come in the form of a message, typically an email, and they use social engineering to appear legitimate.

How does phishing work?

Phishing uses spoofed messages to trick users to click on a malicious link or open a weaponized attachment. Doing this can trigger several events, depending on the attacker’s goal.

• The user is redirected to a website that will cheat money out of them by giving up their banking information or conning them to make a direct payment.
• The user opens an email attachment or visits a website that installs malware onto their device. This malware can do many things - connect the device to a botnet, misuse it for cryptocurrency mining, send spam messages from it, cripple the system (ransomware), or serve as a dropper for other malware.
• The user is taken to a spoofed site resembling a legitimate login dialog, which steals login credentials entered by the user. The attacker can then sell the credentials, use them to penetrate the systems and steal data, or covertly learn about the user’s coworkers for spear-phishing material.

Spear-phishing is a targeted form of phishing that is tailored to a specific victim. Unlike ordinary phishing, which is often akin to spam messages in both volume and form, spear-phishing addresses the victim directly, which lends them credibility and makes them particularly dangerous.

1. Education

Most phishing emails land in employee mailboxes. These are people who are often busy, tired, and have no cybersecurity background.

It’s therefore in the company’s best interest to teach them to spot fraudulent emails among legitimate ones.

How to spot a phishing email

Phishing emails to look legitimate by impersonating well-known brands, such as PayPal, American Express, LinkedIn, FedEx, Microsoft, DHL, etc.. They will use the same logo and often be sent with high importance. However, they bear signs that can give them away.

Unsolicited - Phishing emails are not part of a prior email exchange and may not conform to your history with the impersonated entity.

Spelling mistakes - Low-grade phishing emails aren’t the carefully crafted corporate communication they pretend to be and often lack polish. But it isn’t just typos – many phishing emails are deliberately misspelled to escape spam filters (e.g. CRITICAL AL3RT!).

Misrepresented domains - If you hover over a link in a phishing email, often the URL does not correspond to the company being impersonated. It can be one of the following:

• The country domain extension is wrong (.com, .eu, .gov, .info, etc.),
• The domain name is misspelled (americanexpres.com, linkedln.com, paypa1.com, etc.),
• The domain hierarchy is wrong (microsoft.security.com, facebook.notifications.com),
• Or the domain is different altogether.

Beware shortened links, which don’t let you see the full domain name right away. You need a web filter of some sort to tackle these (see DNS filtering below).

Sense of urgency - Phishing emails are also called phishing lures. They often ask for personal information and appeal to emotion or create a sense of emergency; for example:

• Joy - “You’ve won! Click to claim your $5,000 now!”
• Charity - “Emily needs $450,000 to complete her cancer treatment. Every donation helps.”
• Caution - “Your account has been suspended due to suspicious activity. Log in to verify identity.”
• Trust - “Action required. A recent policy update needs your signature. Sign here. Your HR Department.”
• Duty - “You’ve received a Zoom meeting invitation.”
• Fear - “Your account has been hacked. Click here to reset your password.”

Some phishing emails contain weaponized attachments, which install malicious code to your device. The email body then prompts you to open it. Common pretenses include:

• Invoices
• Tax bills or refunds seemingly from government financial bodies
• Lawsuits
• Orders of goods or services
• Job applications

3rd-party training

Phishing as a service (PhaaS) has two meanings. It can refer to a black-market email campaign that professional cybercriminals offer on the dark web, or it is a tongue-in-cheek term for employee training programs.

Trainers provide theoretical courses for your employees and test them with benign phishing emails, which is a good way to learn the patterns of common lures and gain confidence in your employee’s ability to spot them.

Keep up with threats and issue regular warnings

You are never 100% protected. Cybercriminals are constantly inventing new ways of tricking users and bypassing protection.

You should stay informed about new emerging threats. Also, keep up with what is happening in the world because attackers like to prey on people’s fears and insecurities, and will craft their messages to resonate with any current crisis.

For example, we saw phishing attempts disguised as public health warnings at the beginning of the covid-19 pandemic, or more recently, fraudulent calls for humanitarian aid to Ukraine.

Stay alert

Don't click or open anything you don’t expect or didn’t ask for. If you know the sender, but something in the email seems off, ask them to verify or report the message before doing any action.

Hover over links and check the URL before clicking. When opening a file, never allow scripts to run unless you are 100% sure it is safe. Always report every suspicious message to your IT security department.

2. Enforce multi-factor authentication

Multi-factor authentication (MFA) requires an additional proof of identity in addition to username and password. This adds an extra layer of protection to your network and renders stolen access credentials useless to the attacker, as they do not have the additional authentication factor.

Factors include: a one-time passcode sent via a text message, authentication with an app on another device, or biometric authentication.

3. Use DNS filtering

DNS filtering or DNS blocking prevents users from visiting blacklisted sites. It can be a relatively effective form of protection against visiting harmful domains.

DNS filtering detects attempts to visit malicious sites during domain resolution, so if a user clicks on a phishing link in a spoofed email, and is about to be taken to a fraudulent site, the filter blocks the attempt.

It’s often a first line of defense against phishing scams as well as a nifty safety net that doesn’t impede user experience.

4. Use email protection

At the very least, use a good spam filter that quarantines suspicious messages. If you receive a lot of email every day, it can be a hassle to deal with, but a few false positives is preferable to a security compromise. Plus, a machine filter will spot things the human eye easily overlooks.

In addition, have antivirus software installed on every device and keep it up to date and scan every email attachment for malware.

5. Protect all devices

Given the popularity of remote work, you won’t always have control over every user device that connects to your network. This increases the attack surface that cybercriminals may want to exploit.

You should apply the same security policies to all telecommuting devices as you do to your internal systems. In addition, it is important that all communication with external devices, whether owned by employees or contractors, are encrypted. They are connecting via infrastructure that you do not control, such as public wi-fi, which attackers sometimes use to intercept communications and steal data during transit.

6. Mitigate the impact

Attackers are always a step ahead, constantly coming up with new spoofs, and it’s only a matter of time before one succeeds. A successful anti-phishing strategy emphasizes mitigation in equal measure to prevention.

One of the best ways to mitigate impact is adopting zero trust. Zero trust network access (ZTNA) creates a network environment that puts internal threats at a disadvantage by placing a series of obstacles in its path.

Authentication

Authentication under ZTNA includes application and network-level authentication, which allows it to authenticate both users and devices at the same time.

This means that if a cybercriminal has stolen a set of access credentials to a company system, they still cannot gain access without a trusted device in hand.

Segmentation

Network segmentation ensures that users have access only to those systems they need for their work without free access to the whole network. Therefore, an attacker who has succeeded in penetrating the infrastructure will not be able to access everything they want but will be confined to the segment they stole access to.

Summary

Phishing has spread from email to text messages and other platforms as well, and it’s not likely to go away any time soon. It remains an important security topic that deserves company-wide awareness and effective mitigation measures.

If you are interested in building a zero-trust environment with domain-level malware protection, create a free account with GoodAccess.