Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. Whether it’s getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication they can to steal valuable data. Businesses, of course, are a particularly worthwhile target.
To help businesses better understand how they can work to avoid falling victim to phishing attacks, we asked a number of security experts to share their view of the most common ways that companies are subjected to phishing attacks and how businesses can prevent them. Below you’ll find responses to the question we posed:
“How do companies fall victim to phishing attacks and how can they prevent them?”
The one mistake companies make that leaves them vulnerable to phishing attacks is…
Not having the right tools in place and failing to train employees on their role in information security.
Employees possess credentials and overall knowledge that is critical to the success of a breach of the company’s security. One of the ways in which an intruder obtains this protected information is via phishing. The purpose of phishing is to collect sensitive information with the intention of using that information to gain access to otherwise protected data, networks, etc. A phisher’s success is contingent upon establishing trust with their victims. We live in a digital age, and gathering information has become much easier as we are well beyond the dumpster diving days.
There are various phishing techniques used by attackers:
- Embedding a link in an email that redirects your employee to an insecure website that requests sensitive information
- Installing a Trojan via a malicious email attachment or ad which will allow the intruder to exploit loopholes and obtain sensitive information
- Spoofing the sender address in an email to appear as a reputable source and request sensitive information
- Attempting to obtain company information over the phone by impersonating a known company vendor or IT department
Here are a few steps a company can take to protect itself against phishing:
- Educate your employees and conduct training sessions with mock phishing scenarios.
- Deploy a spam filter that detects viruses, blank senders, etc.
- Keep all systems current with the latest security patches and updates.
- Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
- Develop a security policy that includes but isn’t limited to password expiration and complexity.
- Deploy a web filter to block malicious websites.
- Encrypt all sensitive company information.
- Convert HTML email into text only email messages or disable HTML email messages.
- Require encryption for employees that are telecommuting.
There are multiple steps a company can take to protect against phishing. They must keep a pulse on the current phishing strategies and confirm their security policies and solutions can eliminate threats as they evolve. It is equally as important to make sure that their employees understand the types of attacks they may face, the risks, and how to address them. Informed employees and properly secured systems are key when protecting your company from phishing attacks.
The one mistake companies make that leads them to fall victim to phishing attacks is…
Careless internet browsing.
Companies fall prey to phishing attacks because of careless and naive internet browsing. Instituting a policy that prevents certain sites from being accessed greatly reduces a business’ chance of having their security compromised.
It’s also important to educate your employees about the tactics of phishers. Employees should be trained on security awareness as part of their orientation. Inform them to be wary of e-mails with attachments from people they don’t know. Let them know that no credible website would ask for their password over e-mail. Additionally, people need to be careful which browsers they utilize. Read all URLs from right to left. The last address is the true domain. Secure URLs that don’t employ https are fraudulent, as are sites that begin with IP addresses.
There are several human and technological factors that companies should consider to avoid falling victim to phishing attacks:
On the subject of security breaches and social engineering, some of the most high profile breaches (Target, Sony) were instigated with phishing campaigns. In the case of Target, a third party was compromised via email, which allowed the malicious actors to eventually access the Target network.
Phishing/whaling is one of the key components of social engineering. The emails are crafted to resemble correspondence from a trustworthy source (government, legal, HR, bank, etc.) and often dupe individuals to click on a malicious embedded link. More sophisticated phishing emails execute hidden code if the mail is simply opened on the target’s computer.
Employees need to make sure that they understand the risks when opening email attachments or clicking on links from unfamiliar sources, for these can lead to malware or virus infection. This is best covered in an effective security education program.
A big component of protecting against phishing is employee training that actually works. Most security training delivered in the enterprise today is either a yearly event or held at employee orientation. If the training is given online the employees rapidly click through the content, ignoring most of the information. This is usually done at lunch while surfing other content. If actually given in person, the training is usually a deck of PowerPoint slides in small font narrated by an uninterested speaker for an hour. The enterprise really needs an effective Training, Education and Awareness (TEA) program for security.
There are several different technological approaches to combating phishing attacks. Certain products send test phishing emails to corporate staff which then provide metrics to security leadership about the efficacy of their anti-phishing training programs. The quality of these can vary but Wombat is a popular product in this space.
Another technological approach is to use a heuristics product to determine if an email is fraudulent. The success rate of these solutions is mixed. They filter out many of the obvious scams, but leave the more cleverly designed emails intact. IronPort is a leader in this niche. Outside of attempting to control social engineering exploits, businesses can also manage risk by investing in cyber security liability insurance. The ROI for this type of policy would have to be weighed against the business model, the data stored and the potential damages they could incur in the event of a data breach.
The one thing companies need to keep in mind for phishing attack protection is…
Defending against these attacks requires a coordinated and layered approach to security:
- Train employees to recognize phishing attacks to avoid clicking on malicious links. For example, if the domain of the link to which you are being directed doesn’t match the purported company domain, then the link is a fake.
- Many spam filters can be enabled to recognize and prevent emails from suspicious sources from ever reaching the inbox of employees.
- Two factor authentication should be deployed to prevent hackers who have compromised a user’s credentials from ever gaining access.
- Browser add-ons and extensions can be enabled on browsers that prevent users from clicking on malicious links.
Phishing is a method used to compromise the computers of and steal sensitive information from individuals by pretending to be an email from or the website of a trusted organization. For example, a person receives an email that appears to be from the recipient’s bank requesting that recipient verify certain information on a web form that mimics the bank’s website. When captured by the hackers, the data allows them access to the recipient’s banking information. Alternatively, the web-link may contain malicious code to compromise the target’s computer. One of the things that makes phishing attacks tricky is that they can be distributed by compromising the email address books of compromised computers. So the email may appear to have been sent by a known and trusted source.
A subset and highly effective form of phishing attack is a spear-phishing attack in which a hacker will research an intended target and include details in an email that makes the email seem more credible. The details may, for example, reference a corporate social event from the previous month that was published on a public website.
The one mistake companies make that leads them to fall victim to phishing attacks is…
Not following this two step approach:
1. Sound security policies
You set the rules as to how you should respond to strange or out of place emails and requests. Your policies should also show people what to do in case they see something out of place. Now you ask, what is a strange or out of place email or request?
2. Security awareness training.
Teach your associates what good emails look like. Try to teach and show people what bad emails tend to look like.
To coincide with that teaching is testing. Perform phishing attempts against your own staff to gauge their level of sophistication handling phishing attempts. This will help you know if your staff is ready to handle such intrusion. Also test your management to see if they are adequately enforcing the policies.
Really at the end of the day, educating users is what’s going to reduce the success of attacks and testing will make sure security and/or management know how to respond to them.
Securing BYOD and educating end users is critical for phishing attack protection.
A new threat vector that has been introduced by the BYOD trend is that apps on employees’ mobile devices can access their address books and export them to sites on the Internet, exposing the contacts to attackers who use them for targeted spear phishing. One important step for businesses to take is preventing prospective attackers from accessing the corporate directory, which includes names, email addresses and other personal employee information. Installing mobile security software on user devices that scans apps and prevents users from accessing the corporate networks if they have privacy leaking apps is recommended.
Another step is to protect mobile users from visiting phishing sites, even when they are on a Wi-Fi network that the company does not control. These protections must be done at the network level because email filtering is not sufficient. Phishing and spear phishing attacks can be delivered through corporate email, through a user’s personal email that may be connected to their mobile device or through SMS messages to the user. Mobile users should be connected over Virtual Private Networks (VPNs) to services that provide secure Domain Name System (DNS) and blacklisting to prevent access to phishing sites.
Also, it turns out that the users themselves are often the best channel through which to detect, report and defend against phishing attacks. An important practice enterprises should implement is to put in systems where users can quickly and easily report a phishing attack, have it routed to IT, have it filtered and have it put in a system so that IT can quickly and easily add it to blacklists that will protect both internal employees and those that are remote or on mobile devices.
One key fact to remember when it comes to protecting against phishing attacks is…
All it takes is one employee to take the bait.
In a company with, say, 1000 employees, that’s 1000 possible attack vectors. The IT department can set up inbound spam filtering and outbound web filtering. They can run security drills, education campaigns, and spend enormous amounts of money to monitor traffic in detail. These are all helpful, but all it takes is one person, one time, to become careless and fall prey to an online con job – which should be the real name for a phishing attack.
So how to prevent them is the wrong question to ask. A better question is, how to limit the damage any successful phishing attack can cause. Here, a few low cost tactics will offer a high reward. In retail – isolate those POS terminals from the rest of the network. Sharing should be baked into security practices everywhere. This is counter-intuitive, but the best way to defend against attack is to share how all the defenses work. In detail.
In cryptography, the algorithms are public. Everyone knows them. That’s why we have strong cryptography today – the surviving algorithms have all been peer and public reviewed, attacked, and strengthened. CIOs should operate similarly. Openly discuss security measures, expose them to public and peer review, conduct public post mortem incident reviews, publish the results, and adjust the methods where necessary.
Bad guys are already reviewing, discussing, and probing security in the shadows. Bad guys have a whole supply chain dedicated to improving their ability to plunder, complete with discussion forums and specialists in all sorts of dark endeavors. The bad guys have unlimited time and creativity and the good guys are out gunned and out manned. Against such an adversary, what CIO in their right mind would want to stand alone? Smart good guys should join forces out in the open for the common good.
The technique of phishing is probably one of the easiest and hardest things to stop because…
This type of attack is predicated on sending out a bunch of random emails and thereby forcing people to click on a link that opens up a whole franchise to vulnerabilities. Then there is spear phishing which is highly personalized emails that go to a person higher up in an organization who has greater access than typical phishing email targets.
Tips on how to avoid phishing consist of non-technical safeguards since the user must click on an untrusted source that enters through an outward-facing environment. The best and sometimes only way to address this is to show employees how to read emails, thereby reducing the knee-jerk reaction.
Here are a few other tips to share with email users:
If the email comes directly from an acquaintance or source that you would typically trust, forward the message to that same person directly to ensure that they indeed were the correct sender. This means, do not simply just hit reply to the email with whatever information was requested in the email.
Similarly, when you receive an email from a trusted source and it seems phishy (pun intended), give that person a call directly and confirm that the email was from them.
You’ll be able to check to see what is or what is not legitimate by dragging your cursor over the email sender as well as any links in the email. If the links are malicious, they will likely not match up with the email or link description.
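Several of the responses above come back to the same manual check: read the link’s domain right to left, compare it with the sender’s domain, hover to see whether the real target matches the displayed link, and distrust bare IP addresses. The script below is an added example (not code from any of the respondents) that automates that check over an HTML e-mail. The message it scans is constructed for illustration, and the “true domain” is simplified to the last two labels; a production tool would use the Public Suffix List so that domains like `co.uk` are handled correctly.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one link whose visible text claims the bank's domain
# while the href points elsewhere, one genuine link, one bare-IP link.
SAMPLE_EMAIL = """\
From: Example Bank <alerts@examplebank.com>
To: employee@corp.example
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://examplebank.com.login-verify.net/auth">sign in at https://www.examplebank.com</a> now.</p>
<p>Statements: <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p>
<p>Help: <a href="http://203.0.113.7/help">Help centre</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags, i.e. what the user
    sees versus where the browser would actually go."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Read the host right to left and keep the last two labels as the owning
    domain. Assumption for this example; real code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_link(href, text, sender_domain):
    """Return the reasons a link looks like phishing (empty list = clean)."""
    reasons = []
    host = urlparse(href).hostname or ""
    if IP_RE.match(host):
        reasons.append("host is a bare IP address")
    target = registered_domain(host)
    if target != registered_domain(sender_domain):
        reasons.append(f"link domain {target!r} does not match sender domain")
    # If the visible text advertises a URL, its domain must match the real href.
    m = re.search(r"https?://([^/\s]+)", text)
    if m and registered_domain(m.group(1)) != target:
        reasons.append("visible URL text differs from actual href")
    return reasons


def scan_email(raw):
    """Map every href in the HTML body to its list of warnings."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].split("@")[-1]
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    return {href: check_link(href, text, sender_domain) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(("SUSPECT " if reasons else "ok      ") + href, reasons)
```

The first link is flagged twice (its real domain is `login-verify.net`, and the text advertises a different URL), the third once for the bare IP plus the domain mismatch, and the genuine statements link passes. Hooking the same check into a mail gateway or a browser extension is the technical counterpart of the hover-and-compare habit the respondents recommend.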
The one mistake companies make that leads them to fall victim to phishing attacks is…
Phishing today has become about as mainstream as typical spam was back in 2004, basically meaning no one is immune to a possible phishing attack. One new approach we’ve seen is campaigns that use embedded Excel spreadsheets. The spammers break the words into individual cells to bypass anti-spam tools. When viewed in an email it looks like a typical HTML attachment, but it’s much more difficult to analyze.
Here are a few tips to avoid being hit by such attacks for everybody:
- Always treat your email password like the keys to the kingdom, because that’s what it is for spammers.
- Use a short phrase for a password (longer is better, and can be simpler) rather than just a few characters, and change it regularly.
- Never share your email passwords unless you are logging in to your email provider’s website.
- Never click on links in an email – always type the address directly into the address bar.
- Keep your desktop AV, anti-spam, etc. up to date.
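The cell-splitting trick described in this response defeats filters that only look at whole strings. An analyst or filter can undo it by reading the worksheet XML inside the `.xlsx` (which is a zip archive) and joining each row’s cells back into a line before scanning for lure phrases. The script below is an added example, not code from the respondent; it builds a constructed, minimal workbook in memory (only the worksheet part, which is all this reader needs) and uses nothing outside the Python standard library.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
T_TAG = f"{{{NS['m']}}}t"
ROW_TAG = f"{{{NS['m']}}}row"

# Constructed sample sheet: each word of the lure sits in its own cell.
SHEET_XML = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<sheetData>
<row r="1">
 <c r="A1" t="inlineStr"><is><t>Your</t></is></c>
 <c r="B1" t="inlineStr"><is><t>account</t></is></c>
 <c r="C1" t="inlineStr"><is><t>has</t></is></c>
 <c r="D1" t="inlineStr"><is><t>been</t></is></c>
 <c r="E1" t="inlineStr"><is><t>suspended</t></is></c>
</row>
<row r="2">
 <c r="A2" t="inlineStr"><is><t>Click</t></is></c>
 <c r="B2" t="inlineStr"><is><t>here</t></is></c>
 <c r="C2" t="inlineStr"><is><t>to</t></is></c>
 <c r="D2" t="inlineStr"><is><t>verify</t></is></c>
 <c r="E2" t="inlineStr"><is><t>your</t></is></c>
 <c r="F2" t="inlineStr"><is><t>password</t></is></c>
</row>
<row r="3">
 <c r="A3"><v>42</v></c>
</row>
</sheetData>
</worksheet>
"""


def build_sample_xlsx():
    """Assemble the constructed worksheet into an in-memory zip. A real .xlsx
    also carries workbook, content-type and relationship parts (assumed
    absent here because the reader never touches them)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
    return buf.getvalue()


def shared_strings(z):
    """Cells with t="s" hold an index into xl/sharedStrings.xml; return that
    table, or an empty list when the workbook (like our sample) lacks one."""
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(T_TAG)) for si in root.findall("m:si", NS)]


def cell_text(cell, sst):
    """Resolve inline strings, shared strings and plain values to text."""
    kind = cell.get("t")
    if kind == "inlineStr":
        return "".join(t.text or "" for t in cell.iter(T_TAG))
    v = cell.find("m:v", NS)
    if v is None:
        return ""
    return sst[int(v.text)] if kind == "s" else (v.text or "")


def sheet_lines(xlsx_bytes):
    """Join every row's cells with spaces so phrases that were split across
    cells become one scannable line again."""
    lines = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        sst = shared_strings(z)
        for name in sorted(z.namelist()):
            if not name.startswith("xl/worksheets/sheet"):
                continue
            root = ET.fromstring(z.read(name))
            for row in root.iter(ROW_TAG):
                words = [cell_text(c, sst) for c in row.findall("m:c", NS)]
                line = " ".join(w for w in words if w)
                if line:
                    lines.append(line)
    return lines


# Constructed lure phrases; a real filter would use its normal rule set.
LURE_PATTERNS = [r"\baccount\b.*\bsuspended\b", r"\bverify\b.*\bpassword\b", r"\bclick here\b"]


def scan_lines(lines):
    """Return (pattern, line) pairs for every lure phrase found."""
    return [(pat, line) for line in lines for pat in LURE_PATTERNS
            if re.search(pat, line, re.IGNORECASE)]


if __name__ == "__main__":
    reassembled = sheet_lines(build_sample_xlsx())
    for pat, line in scan_lines(reassembled):
        print(f"matched {pat!r}: {line}")
```

Scanned cell by cell, none of the lure phrases appears; once the rows are reassembled, all three patterns fire. The same row-join step works for shared-string workbooks because `cell_text` resolves `t="s"` indices through the shared-string table.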
The most important thing to remember to avoid falling victim to phishing attacks is…
Education is the key.
No matter what people read or see in the news, when that phishing email lands in the inbox, they honestly don’t know what separates that email from a real communication. In order to improve phishing awareness, companies should regularly test employees with fake phishing emails. This method enables employees to recognize what is real and what is a phishing attack.
No matter how secure a company’s IT security platform is, the company is only as secure as its user base. Unfortunately, compromised credentials represent the vast majority of hacks (over 90%) and phishing and spear phishing attacks are responsible for the majority of those breaches. So, with all the investment capital devoted to securing IT infrastructure, how can companies prevent employees from opening phishing emails? The best answer is continuous, hands-on employee education.
Securing against phishing attacks requires businesses to keep up with the ever evolving threat of phishing.
Phishing has become far more sophisticated than a suspicious email tempting a random individual to click on a link or provide their personal details. Usually phishing focuses on targeting an individual.
Here are three key phishing techniques that compromise companies to obtain several individuals’ details:
- DNS-based phishing compromises your hosts file or domain names and directs your customers to a false webpage to enter their personal or payment details.
- Content-injection phishing is associated with criminal content, such as code or images, being added to your or your partners’ websites to capture personal information from your staff and customers such as login details. This type of phishing often targets individuals that use the same password across different websites.
- Man-in-the-middle phishing involves criminals placing themselves between your company’s website and your customer. This allows them to capture all the information your customer enters, such as personal information and credit card details.
Four ways that companies can defend against phishing attacks include:
- Use an SSL Certificate to secure all traffic to and from your website. This protects the information being sent between your web server and your customers’ browser from eavesdropping.
- Keep up to date to ensure you are protected at all times. You and your providers should install all the latest patches and updates to protect against vulnerabilities and security issues. This includes website hosting, shopping cart software, blogs and content management software.
- Provide regular security training to your staff so that they are aware of and can identify phishing scams, malware and social engineering threats.
- Use a Securely Hosted Payment Page. This is the best practice for reducing risk to your customers’ card data. Use a payment gateway provider that has up-to-date PCI DSS and ISO 27001 certifications from independent auditors. This ensures that your customers’ payment details are protected at all times.
Companies are falling victim to phishing attacks from both educational and technical standpoints.
From the educational standpoint, enterprises are not preparing end users correctly, and need to educate employees on evolving attacker methods. Companies have traditionally done a good job educating employees on standard phishing emails that are often poorly worded, and not well executed – making them easy to spot. However, advances in spear phishing have made attacks targeted, highly relevant and personalized with the help of social media.
It’s no longer enough to watch out for crudely worded emails – recipients must also consider context, content and sender, particularly if monetary transactions are involved. Concerted coaching to teach employees to be vigilant by not clicking suspicious links or downloading attachments is critical. To verify authenticity, employees should cross check by sending a separate followup email, texting the alleged sender or even calling to validate that the email is from the correct source.
From the technical standpoint, too many companies allow full egress out of the network, rendering loopholes to external security measures. A well structured security system should have strong policies dictating the uses for inbound and outbound gateways through the firewall. But enterprises can’t only monitor what’s coming into the network, they need to better monitor and curtail traffic going out of the network with DLP and outbound email scanning tools.
One thing to remember to avoid being susceptible to phishing attacks is…
Phishing attacks constantly happen. If someone came up to you on the street and said they had a package for you, you would say no thank you and walk away. When people get emails that say, DHL has a package for you, they think that because it’s on a computer screen they should click the link or open the attachment. A good rule of thumb is to take the same precautions you take online as you would in the real world.
Similarly, when it comes to passwords, if you happen to forget yours you can have it reset by answering personal questions. Those questions were once secure, but now many of the answers can be found on your social media accounts: birthdate, hometown, high school, etc. Think about what you share on social media in terms of being useful to cyber criminals.
Any company can take recent security breaches as more cautionary tales about the need for succinct security practices to protect company and consumer data. A very important aspect in email security is making sure your email provider uses technology like DMARC. It’s the only email authentication protocol that ensures spoofed emails do not reach consumers and helps maintain company reputation. Top tier providers like Google, Yahoo, and Microsoft all use it to stop phishing.
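DMARC works by tying the SPF and DKIM results to the domain the recipient actually sees in the From: header, and by publishing what a receiver should do when neither aligns. The Python below is an added example (not code from the respondent or from any mail provider) showing that evaluation: it parses a constructed `_dmarc` TXT record and applies its strict/relaxed alignment rules to constructed SPF and DKIM results. The DNS lookup and the SPF/DKIM checks themselves are assumed to have already been done by the receiving server.

```python
# Added example: parse a DMARC policy record and apply identifier alignment.
# Record, domains and authentication results are constructed for illustration.


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict, filling in the RFC 7489
    defaults: relaxed SPF/DKIM alignment and pct=100."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(host):
    """Organizational domain, simplified to the last two labels (assumption;
    a real implementation consults the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment demands an exact match with the From: domain;
    relaxed ('r') accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_pass, disposition). A message passes when at least one of
    SPF or DKIM passed AND the domain it authenticated aligns with the visible
    From: domain; otherwise the record's p= policy is the disposition."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]


# Constructed policy published by the brand being impersonated.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

# Constructed cases: (description, From: domain, SPF pass?, SPF MAIL FROM
# domain, DKIM pass?, DKIM d= domain)
CASES = [
    ("spoof: SPF passes, but only for the attacker's own bounce domain",
     "example.com", True, "attacker.net", False, ""),
    ("legitimate: SPF on a subdomain, accepted by relaxed aspf",
     "example.com", True, "bounce.example.com", False, ""),
    ("DKIM signed by a subdomain, rejected because adkim=s demands exact match",
     "example.com", False, "", True, "mail.example.com"),
    ("legitimate: DKIM d= exactly matches From:",
     "example.com", False, "", True, "example.com"),
]

if __name__ == "__main__":
    for desc, frm, sp, sd, dp, dd in CASES:
        ok, disp = evaluate(RECORD, frm, sp, sd, dp, dd)
        print(f"{'PASS' if ok else 'FAIL'} ({disp}): {desc}")
```

The first case is the classic spoof: SPF passes because the attacker controls the envelope sender, but that domain does not align with the From: header, so the `p=reject` policy applies. The point for the deploying company is that publishing `p=none` only produces reports; spoofed mail is stopped only once the policy is `quarantine` or `reject` and the legitimate mail streams are aligned.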