Phishing is one of the most common and costly cybersecurity attack vectors. According to IBM’s Cost of a Data Breach 2022, it’s the second most prevalent cause of data breaches, accounting for 16%. It’s also the most expensive with an average cost of $4.91 million. Given the pervasiveness and damage of phishing attacks, businesses need to take proactive measures to safeguard their systems.
As a form of social engineering, phishing relies on trickery to convince users to perform a desired action. Cybercriminals pose as legitimate organizations or people to sabotage systems; install malware; or steal personal information, login credentials, customer data, or banking or credit card information.
We’ll walk you through how to protect your business from phishing and minimize potential damage.
Up-to-date software is critical in thwarting cyberattacks. Many phishing attempts launch a malware or ransomware attack, which may aim to exploit a known vulnerability. In a study by ServiceNow and Ponemon Institute, 60% of breach victims reported that hackers exploited an unpatched vulnerability for which a patch was available. So while zero-day vulnerabilities may strike dread in the hearts of sysadmins everywhere, patchable vulnerabilities can be just as problematic if you don’t stay on top of updates.
Use antivirus software
It’s always a good idea to use a high-quality antivirus solution. After all, it can help prevent, detect, and halt malware attacks. But beyond that, many antivirus tools also include antiphishing protection to screen emails and attachments for viruses. Since antiphishing software warns users of suspicious attachments or links or even blocks the dubious content, your users hopefully won’t click anything they shouldn’t. Hopefully.
The alerts may also help your more astute users learn what a real phishing email looks like so that they’re less likely to fall for any that slip through the cracks.
Set up firewalls
Firewalls are a vital part of a secure environment. They protect against unauthorized network traffic, which can, in turn, thwart some phishing attempts. With the right configurations, you can block user access to known malicious websites and inspect incoming and outgoing traffic for suspicious activity (like attempts to steal sensitive data).
Use a secure email gateway (SEG)
Leveraging threat intelligence, a secure email gateway (SEG) checks email content for suspicious attachments and URLs. The SEG then blocks email-based threats before they reach your mail server.
That means if an email contains a malicious link, a suspicious attachment, or directs readers to a fake website, it might not reach the user’s inbox. Depending on the SEG, admins may still have access to the quarantined emails for further investigation.
Secure email gateways also support domain-based message authentication, reporting, and conformance (DMARC). This cumbersome term refers to a protocol that helps protect domains from spoofing. Once a DMARC record is published for a domain, incoming mail claiming to come from it is authenticated by confirming that the domain in the From: field aligns with the domain that SPF or DKIM actually authenticated. That means you can not only help prevent many spoofed, realistic-looking phishing emails from reaching users, but you can also reduce the risk of a hacker successfully spoofing your domain. You have better things to do than deal with that nonsense.
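As an added example (not code from this post or from PDQ), here is a simplified version of the alignment check a DMARC-aware gateway performs: it parses a DMARC record and decides whether the From: domain aligns with the SPF- or DKIM-authenticated domain. The record, domain names and SPF/DKIM outcomes are constructed, and the organizational-domain helper approximates the Public Suffix List by keeping the last two labels.

```python
# Simplified DMARC identifier alignment. Assumes the DNS lookup and the
# SPF/DKIM checks have already run; their results are passed in.

def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    A real implementation would consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed mode ('r', the
    default) only needs the same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag/value dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_result(record: str, from_domain: str, spf_domain=None,
                 spf_pass=False, dkim_domain=None, dkim_pass=False) -> tuple:
    """Return (verdict, policy). The verdict is 'pass' only if SPF or DKIM
    both passed and aligned with From:; otherwise the p= policy applies."""
    tags = parse_dmarc(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, aspf))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, adkim))
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    return verdict, tags.get("p", "none")

if __name__ == "__main__":
    # Constructed scenario: the From: header claims example.com, but SPF
    # only authenticated the attacker's own sending domain (example.net).
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"
    print(dmarc_result(record, "example.com",
                       spf_domain="mail.example.net", spf_pass=True))
```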
Enforce password policies
IT policies set the foundation for your security success (or failure, as the case may be). When it comes to phishing, a strong password policy is particularly valuable.
Password reuse restrictions, age limits, and complexity requirements provide some level of protection against phishing-related risks. For example, a phishing email may trick users into inputting their credentials into a malicious website. If the user’s credentials are the same across multiple platforms, the attacker gets access to all those accounts in one fell swoop.
Similarly, hackers may maintain lingering access to accounts if the user doesn’t change their password regularly. Social engineering attacks may also solicit personal information in an attempt to deduce a user’s password. The more complex the password, the less likely the cybercriminal will be able to guess it.
Requiring the use of a company-approved password manager adds another layer of protection. Not only do these powerful tools automatically generate complex passwords, but they can protect against phishing by not filling in credentials on realistic-looking login screens unless the domain is correct.
Use multifactor authentication
Multifactor authentication (MFA) requires more than one form of authentication for access. The second form may be a security token, a biometric scan, a PIN, or some other factor. Even if a user hands over their credentials in a successful phishing attack, the cybercriminal can't get into the account unless they’ve figured out a way around the additional authentication method. Compromised credentials don’t need to spell certain doom for your sensitive information!
Back up devices
Backing up data gives you a recoverable copy in case of disaster. For example, a phishing attack might install malware that could wipe out data. Alternatively, it could launch ransomware that keeps your files just out of reach. With up-to-date, secure backups, you can just restore to a previous state to get your files back.
To be clear, restoring from backups still isn’t ideal and should be your last resort. The attacker could have already collected valuable information from your business. However, at least you may be able to avoid halting operations while you recover from the attack.
The statistics say it all: 82% of data breaches involve a human element, and 25% of employees say they’ve clicked on a phishing link. That means you can’t just take a technological approach to securing your environment; you also need to take a human approach. Cybersecurity training is the way to do that. Teaching your users about cybersecurity threats can turn them into your first line of defense in recognizing phishing messages, preventing fraud, and protecting corporate assets. Promote the following habits:
Be suspicious of unsolicited emails
Even if the sender seems to know you, looks can be deceiving. In a spear phishing attack, the cybercriminal may have already collected personal data to disguise the phishing message. If you didn’t expect to receive the email, think twice before clicking anything.
Look at the domain name
Email addresses are often a clear tipoff that the message is a phishing attempt. While domain names can be spoofed, other attackers rely on look-alike domains to impersonate familiar brands. Users checking their email quickly might not spot the difference.
Some attackers even use free email services, like Gmail. While most users should recognize that a real organization is unlikely to reach out that way, a handful truly believe the IRS might use Hotmail or Microsoft trusts Yahoo Mail.
Explicitly teaching users what to look for can help put them on the right track.
Watch for generic greetings
Some cybercriminals are all about efficiency. Using generic greetings is an easy way to cut corners and save time. A half-hearted phishing campaign that reaches thousands of recipients may ultimately yield better results than a highly targeted attempt against just one individual.
To be fair, many legitimate companies also use “hey there” or “dear customer.” But let’s be real. Any sender that claims to have an urgent deadline, an invoice, or your account details should be able to address you by name.
Keep an eye out for threats and tight deadlines
Phishing emails often try to create a sense of urgency through threats or tight deadlines. This is intended to compel action before the user has time to think things through or spot holes in the scammer’s story. Users must remain aware of this common tactic so that panic doesn’t override their logic.
Look at the email content
While a suspicious email may look incredibly legitimate at first glance, some really don’t hold up when you look more closely. Phishing emails often contain spelling errors, bad grammar, and other inconsistencies that undermine their credibility.
Confirm details via another channel
If an email appears to be from another employee, a client, or a business partner, there’s no shame in confirming via another channel before acting. Phishers often impersonate known connections to try to get account credentials, payment information, and anything else they can turn into profit. Simply checking in via another channel — like in person, on Slack, or through a phone or video call — is a quick and easy way to make sure you know who the email really came from.
Don’t click links or open attachments
As a general rule, employees should avoid clicking links and opening attachments unless they anticipated receiving them via email. Even then, they should double-check the sender information and the email content to make sure everything checks out.
Not to break any hearts, but no method is 100% effective in protecting against phishing. As long as there are cybercriminals looking to make a quick buck, phishing attempts will continue.
PDQ Deploy and Inventory simplify installing updates and pushing out essential security software to fortify your environment. While we can’t convince your users that the CEO isn’t actually emailing them to beg for Blockbuster gift cards, we can at least simplify updating your systems to help curtail disaster. Sign up for a free 14-day trial to try it yourself!
Part writer, part sysadmin fangirl, Meredith gets her kicks diving into the depths of IT lore. When she's not spending quality time behind a computer screen, she's probably curled up under a blanket, silently contemplating the efficacy of napping.