Phishing emails are the most common opening move in cyberattacks. According to KnowBe4, 91% of cyberattacks start with a spear-phishing email. This article discusses some of the industry best practices that small and medium businesses can follow to protect themselves.
Phishing is a form of cyberattack that tricks the victim into giving up sensitive information or into letting malicious code onto their device. Phishing attacks arrive as a message, typically an email, that uses social engineering to appear legitimate.
Phishing uses spoofed messages to trick users into clicking a malicious link or opening a weaponized attachment. Either action can set off a range of events, depending on the attacker’s goal.
Spear-phishing is a targeted form of phishing tailored to a specific victim. Unlike ordinary phishing, which resembles spam in both volume and form, a spear-phishing message addresses the victim directly, which lends it credibility and makes it particularly dangerous.
Most phishing emails land in employee mailboxes. These are people who are often busy, tired, and have no cybersecurity background.
It’s therefore in the company’s best interest to teach them to spot fraudulent emails among legitimate ones.
Phishing emails try to look legitimate by impersonating well-known brands such as PayPal, American Express, LinkedIn, FedEx, Microsoft or DHL. They use the brand’s logo and are often flagged as high importance. However, they bear signs that can give them away.
Unsolicited - Phishing emails are not part of a prior email exchange and may not conform to your history with the impersonated entity.
Spelling mistakes - Low-grade phishing emails aren’t the carefully crafted corporate communication they pretend to be and often lack polish. But it isn’t just typos: many phishing emails are deliberately misspelled to slip past spam filters (e.g. CRITICAL AL3RT!).
Misrepresented domains - If you hover over a link in a phishing email, the URL often does not correspond to the company being impersonated. It can be one of the following:
Beware shortened links, which don’t let you see the full domain name right away. You need a web filter of some sort to tackle these (see DNS filtering below).
Sense of urgency - Phishing emails are called lures for a reason: they often ask for personal information and appeal to emotion or manufacture an emergency, for example:
Some phishing emails carry weaponized attachments that install malicious code on your device once opened; the email body supplies a pretext for opening them. Common pretenses include:
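The domain checks described above (hover over the link, compare what the text shows with where the href really goes, be wary of shorteners) can be automated. The following is an added example written for this article; it is not code from the original page or from GoodAccess. It parses the links in an HTML email body and flags the warning signs listed: link text that names one domain while the href points at another, a URL shortener hiding the destination, a bare IP address as host, and links that leave the impersonated brand’s domain. The shortener list, the `claimed_brand_domain` parameter and the sample email are constructed for the example, and the registrable-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Flag suspicious links in an HTML email body (added example, not the article's code)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small hand-picked set of public URL shorteners.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Matches a domain or URL appearing in the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Simplification for the example: multi-label public suffixes such as
    co.uk are not handled; a real tool would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, claimed_brand_domain=None):
    """Return (href, reason) for each link that shows one of the warning signs."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # mailto:, relative links, etc. are out of scope here
        if is_ip_literal(host):
            findings.append((href, "host is a bare IP address"))
            continue
        if registrable_domain(host) in SHORTENERS:
            findings.append((href, "URL shortener hides the real destination"))
            continue
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, f"link text shows {shown.group(1)} but href goes to {host}"))
            continue
        if claimed_brand_domain and registrable_domain(host) != registrable_domain(claimed_brand_domain):
            findings.append((href, f"email impersonates {claimed_brand_domain} but links to {host}"))
    return findings


# Constructed sample: a lure impersonating PayPal. The .example TLD and
# 203.0.113.0/24 are reserved for documentation, so nothing here is real.
SAMPLE_EMAIL = """
<p>Your PayPal account has been limited. Act within 24 hours.</p>
<a href="http://paypal.com.account-verify.example/login">www.paypal.com</a>
<a href="https://bit.ly/3xAmple">Review recent activity</a>
<a href="http://203.0.113.7/secure">Confirm your identity</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, claimed_brand_domain="paypal.com"):
        print(f"SUSPICIOUS {href}: {reason}")
```

On the sample, the first three links are flagged and the genuine Help Center link passes. The brand check is a heuristic: legitimate senders sometimes link through tracking or partner domains, so treat a hit as a reason to look closer rather than proof of fraud.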
Phishing as a service (PhaaS) has two meanings. It can refer to a black-market email campaign that professional cybercriminals offer on the dark web, or it is a tongue-in-cheek term for employee training programs.
Trainers provide theoretical courses for your employees and test them with benign phishing emails, which is a good way for staff to learn the patterns of common lures and for you to gain confidence in your employees’ ability to spot them.
You are never 100% protected. Cybercriminals are constantly inventing new ways of tricking users and bypassing protection.
You should stay informed about new emerging threats. Also, keep up with what is happening in the world because attackers like to prey on people’s fears and insecurities, and will craft their messages to resonate with any current crisis.
For example, we saw phishing attempts disguised as public health warnings at the beginning of the COVID-19 pandemic, and more recently fraudulent calls for humanitarian aid to Ukraine.
Don’t click or open anything you don’t expect or didn’t ask for. If you know the sender but something in the email seems off, verify with them over a separate channel, such as a phone call, or report the message before taking any action.
Hover over links and check the URL before clicking. When opening a file, never enable macros or allow scripts to run unless you are certain it is safe. Always report every suspicious message to your IT security department.
Multi-factor authentication (MFA) requires an additional proof of identity on top of the username and password. This adds an extra layer of protection to your network: a password captured by a phishing page is not enough on its own, because the attacker does not hold the second factor.
Factors include a one-time passcode sent by text message, approval in an authenticator app on another device, or biometric authentication. One caveat: a one-time code can itself be phished if the victim types it into a fake login page that relays it to the real site in real time, so where possible prefer factors bound to the genuine site, such as FIDO2/WebAuthn security keys.
DNS filtering or DNS blocking prevents users from visiting blacklisted sites. It can be a relatively effective form of protection against visiting harmful domains.
DNS filtering catches attempts to visit malicious sites at the moment of domain name resolution: if a user clicks a phishing link in a spoofed email and is about to be taken to a fraudulent site, the filter blocks the lookup before the browser ever connects.
It’s often a first line of defense against phishing scams as well as a nifty safety net that doesn’t impede user experience.
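To make the resolution-time block concrete, here is an added example of the decision a filtering resolver makes; it is not code from the article or from any vendor’s product. It walks the queried name’s parent labels against a blocklist so that subdomains of a blocked domain are caught too, answers blocked names with a sinkhole address, logs the hit for the security team, and shows why the shortened links mentioned earlier are no escape: the shortener’s own name resolves, but the redirect target is looked up next and that query is what gets blocked. The blocklist, allowlist, redirect map and the stand-in upstream resolver are all constructed for the example.

```python
"""Block-during-resolution logic of a DNS filter (added example, not the article's code)."""
from collections import namedtuple
from urllib.parse import urlparse

Decision = namedtuple("Decision", "action answer reason")

SINKHOLE = "0.0.0.0"
# Assumption: in practice a threat feed populates this set; .example is a reserved TLD.
BLOCKLIST = {"account-verify.example", "paypal-secure-login.example"}
# Names that must never be blocked, even if a bad feed entry covers them.
ALLOWLIST = {"paypal.com"}


def normalize(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.lower().rstrip(".")


def covering_entry(qname, entries):
    """Return the entry covering qname (the name itself or any parent), else None.

    'login.paypal-secure-login.example' is checked as itself, then
    'paypal-secure-login.example', then 'example', so a freshly minted
    subdomain cannot dodge a block on its parent.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


def fake_upstream(qname):
    """Stand-in for the recursive lookup; 192.0.2.0/24 is a documentation range."""
    return "192.0.2.10"


def resolve_policy(qname, upstream=fake_upstream, log=None):
    """Decide whether to forward the query or answer with the sinkhole."""
    name = normalize(qname)
    allowed_by = covering_entry(name, ALLOWLIST)
    if allowed_by:
        return Decision("ALLOW", upstream(name), f"allowlisted via {allowed_by}")
    blocked_by = covering_entry(name, BLOCKLIST)
    if blocked_by:
        if log is not None:
            log.append(f"BLOCK qname={name} matched={blocked_by}")
        return Decision("BLOCK", SINKHOLE, f"blocklisted via {blocked_by}")
    return Decision("ALLOW", upstream(name), "no match")


def simulate_click(url, redirects, log=None):
    """Follow a redirect chain, resolving each hop through the filter.

    `redirects` maps a URL to the Location header it would redirect to.
    Returns the (url, action) hops; the chain stops at the first blocked lookup.
    """
    hops = []
    while url is not None:
        decision = resolve_policy(urlparse(url).hostname, log=log)
        hops.append((url, decision.action))
        if decision.action == "BLOCK":
            break
        url = redirects.get(url)
    return hops


# Constructed scenario: the email carried a shortened link to a lookalike site.
REDIRECTS = {"https://bit.ly/3xAmple": "http://login.paypal-secure-login.example/verify"}

if __name__ == "__main__":
    events = []
    for hop_url, action in simulate_click("https://bit.ly/3xAmple", REDIRECTS, events):
        print(f"{action:5} {hop_url}")
    print("\n".join(events))
```

The label walk is what matters in practice: attackers register one domain and rotate through throwaway subdomains, so a filter that only matched exact names would be trivially bypassed. Real filters also catch newly registered domains and typosquats through reputation feeds, which this example does not model.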
At the very least, use a good spam filter that quarantines suspicious messages. If you receive a lot of email every day, reviewing the quarantine can be a hassle, but a few false positives are preferable to a security compromise. Plus, a machine filter will spot things the human eye easily overlooks.
In addition, have antivirus software installed on every device, keep it up to date, and scan every email attachment for malware.
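As an added example of the attachment scanning recommended above (not code from the article or from any product), the following triage applies the checks a mail gateway or endpoint runs before a user opens a file: executable and script types, double extensions such as invoice.pdf.exe, a mismatch between the file name and the file’s magic bytes, and an Office document carrying a VBA macro project (the "scripts" the earlier advice says never to allow). The extension lists and the sample attachments are constructed in memory so the example runs offline; it is a first filter, not a replacement for a signature or behavioural scanner.

```python
"""Attachment triage before a user opens a file (added example, not the article's code)."""
import io
import zipfile

# Assumption: file types a small business should never receive as plain attachments.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "bat", "cmd", "ps1", "js", "jse", "vbs", "vbe", "hta", "lnk", "msi", "jar",
}
# Assumption: document types users expect, used to spot disguises like report.pdf.exe.
BENIGN_DOCUMENT_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "txt", "csv", "png", "jpg"}
OFFICE_OOXML_EXTENSIONS = {"docx", "xlsx", "pptx", "docm", "xlsm", "pptm"}

# Leading bytes that identify the real format regardless of the file name.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "pe",                   # Windows executable or DLL
    b"PK\x03\x04": "zip",          # also the container of .docx/.xlsx/.pptx/.jar
    b"\xd0\xcf\x11\xe0": "ole",    # legacy .doc/.xls, which can carry macros
}


def sniff(data):
    """Identify the content type from magic bytes; 'unknown' if none match."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def has_vba_project(data):
    """True if a zip-based Office document contains a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename, data):
    """Return the reasons to quarantine; an empty list means nothing obvious was found."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable/script type .{ext}")
    if len(parts) > 2 and parts[-2] in BENIGN_DOCUMENT_EXTENSIONS and ext not in BENIGN_DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension disguises .{ext} as .{parts[-2]}")
    if ext == "pdf" and kind != "pdf":
        reasons.append(f"named .pdf but content is {kind}")
    if kind == "pe" and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("Windows executable with a non-executable name")
    if ext in OFFICE_OOXML_EXTENSIONS and has_vba_project(data):
        reasons.append("Office document contains a VBA macro project")
    if kind == "ole":
        reasons.append("legacy binary Office format; may contain macros")
    return reasons


def build_ooxml(with_macros):
    """Construct a minimal zip shaped like a Word document, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (the bytes are stand-ins, not real files).
SAMPLES = {
    "Invoice_2023.pdf": b"%PDF-1.7\n%...",
    "Invoice_2023.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Payment_details.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # executable renamed to .pdf
    "Order_form.docx": build_ooxml(with_macros=True),
    "Quarterly_report.docx": build_ooxml(with_macros=False),
}


def triage_all(samples=SAMPLES):
    """Run triage over every sample and map file name to its list of reasons."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name}: {'; '.join(reasons) or 'no findings'}")
```

Two of the constructed samples pass (the genuine PDF and the macro-free document) and three are quarantined. Note that the magic-byte check defeats the simplest trick of renaming an executable, and the zip inspection finds macro projects even when the extension suggests a macro-free format.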
Given the popularity of remote work, you won’t always have control over every user device that connects to your network. This increases the attack surface that cybercriminals may want to exploit.
You should apply the same security policies to telecommuting devices as you do to your internal systems. In addition, all communication with external devices, whether owned by employees or contractors, must be encrypted, because they connect over infrastructure you do not control, such as public Wi-Fi, which attackers sometimes use to intercept traffic and steal data in transit.
Attackers are always a step ahead, constantly coming up with new spoofs, and it’s only a matter of time before one succeeds. A successful anti-phishing strategy emphasizes mitigation in equal measure to prevention.
One of the best ways to mitigate impact is adopting zero trust. Zero trust network access (ZTNA) creates a network environment that puts an intruder at a disadvantage by placing a series of obstacles in their path.
Authentication under ZTNA includes application and network-level authentication, which allows it to authenticate both users and devices at the same time.
This means that if a cybercriminal has stolen a set of access credentials to a company system, they still cannot gain access without a trusted device in hand.
Network segmentation ensures that users have access only to those systems they need for their work without free access to the whole network. Therefore, an attacker who has succeeded in penetrating the infrastructure will not be able to access everything they want but will be confined to the segment they stole access to.
Phishing has spread from email to text messages and other platforms as well, and it’s not likely to go away any time soon. It remains an important security topic that deserves company-wide awareness and effective mitigation measures.
If you are interested in building a zero-trust environment with domain-level malware protection, create a free account with GoodAccess.