Here we look at the extent of phishing scams, what they look like, and how to protect against them.
Phishing is an insidious and cynical method used to further the nefarious activities of cybercriminals. It would be a rare person who had not encountered a phishing email in some guise or other. Yet still, cybercriminals are using the technique to install malware, steal credentials and personal information, and commit scams such as Business Email Compromise (BEC).
A 2021 Cisco cyber security threat trends report places phishing and crypto-mining as the top two business threats. The report also found that 86% of organisations had employees click on phishing links.
Protecting against phishing scams is vital to keeping your organisation safe, as 90% of data breaches originate from phishing attacks.
Here are 10 ways to ensure your organisation does not fall victim to a phishing scam.
10 Ways to Prevent Phishing Scams
Protecting against phishing scams is a case of using multiple layers of protection:
Learn What a Phishing Attack Looks Like
Cybercriminals work hard to make phishing emails look legitimate. As a result, phishing scams are increasingly sophisticated and often target specific individuals and businesses. A targeted phishing campaign is called spear phishing. This form of phishing involves intelligence gathering to tailor phishing emails that are hard to differentiate from genuine emails.
Employees across all units of a business must be trained to spot the tell-tale signs of phishing. Tailored phishing campaigns often impersonate well-known business brands, such as Microsoft Office 365, to cleverly conceal the scam.
Phishing simulation platforms are an ideal way to train employees to spot a phishing attempt. In addition, advanced phishing simulation platforms allow a company to tailor these simulations based on roles within an organisation so that even spear phishing attempts can be prevented.
Read more details on phishing in the MetaCompliance Ultimate Guide to Phishing
Don’t Click on Unknown Links
End-users and consumers have been trained by clever user experience and UI tactics to click links to make their online life more manageable. But this has led to cybercriminals exploiting this behaviour.
The urge to click needs to be intercepted to prevent a cyber attack. A simple rule can make the difference between preventing a cyber attack and becoming a cyber security statistic: “don’t click on a link in an email unless you are 100% sure it is valid”. If an email or text message contains a link, always stop and think before you click.
Don’t Download Unverified Attachments
It goes without saying, yet it still happens; employees open an attachment, and your organisation becomes infected with malware. Don’t download an attachment if you are not 100% sure it is legitimate.
A recent phishing attack demonstrates the sophistication of attacks that use infected attachments. The SVCReady phishing campaign hides shellcode in the document properties of a Microsoft Word file and uses it to deliver a loader onto the machine. The infected machine is then used to gather sensitive information and establish remote control, and the malware generally lies low until the attacker decides to go in for the kill, install further malware, and/or steal data.
Don’t Overshare on Social Media
Cybercriminals gather information on their target so that their phishing attacks are tailored and more likely to trick recipients. Social media is an ideal pond to phish for information. Cybercriminals will research the company and its employees, looking for information that can be used to create spear phishing campaigns.
Social media is also a place where over-sharing can result in password sharing. For example, a report identified widespread password sharing on insecure collaboration channels like Slack. Ensure that your employees know the dangers of giving out private data and passwords on channels including Slack, Discord, and social media platforms.
Be Password Hygiene Aware
Password sharing and password reuse increase the chances that a phishing campaign will end in compromised data and IT systems. Password sharing is a serious issue in organisations. According to a Google survey, 62% of people reuse passwords, and 52% reuse passwords to access multiple accounts.
In addition, 34% of employees share passwords with co-workers. If passwords are ‘passed around’ and reused, people are less likely to see the security value and therefore have a more laissez-faire attitude towards password safety. Make password hygiene a central theme in Security Awareness Training.
Patch in Time
Phishing email campaigns often depend on an exploitable security vulnerability. For example, the 2021 Zimbra phishing attack exploited vulnerabilities in the Zimbra email client via a phishing email. Therefore, ensuring that software applications are patched as soon as possible is vital to ongoing anti-phishing measures.
Keep Accounts Current
Old online accounts are helpful to cybercriminals who can use them to create synthetic identities and commit fraud. These accounts can also be used as part of a BEC scam or to extract intelligence for further cyber attacks.
If you have an old email or online account that you never use, close the account, or re-establish its use and keep a regular check on it. Make sure that you change the password frequently and check Have I Been Pwned to see if an email account or password has been exposed during a data breach.
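A practical caveat when checking passwords against a breach service is that you should never send the password itself. The Pwned Passwords API answers a k-anonymity query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, receives every hash suffix sharing that prefix with its breach count, and does the match locally. The Python below is an added example for this article, not MetaCompliance's or Have I Been Pwned's code; the response text and breach count it matches against are constructed for the offline demo, and `fetch_range()` shows the live request shape without being called.

```python
"""k-anonymity password check in the Pwned Passwords style (added example)."""
import hashlib
import urllib.request
from typing import Callable


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Number of times the password appears in the breach data (0 = not found).

    range_lookup(prefix) must return the API's text body: one
    '<SUFFIX>:<COUNT>' line per hash sharing that 5-character prefix.
    Only the prefix ever leaves this function; the comparison is local.
    """
    prefix, suffix = sha1_split(password)
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup over the network; not used by the offline demo below."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "phishing-article-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response: a fake range that contains the suffix for
# "password123" (with a made-up count) plus two unrelated, made-up suffixes.
_DEMO_PREFIX, _DEMO_SUFFIX = sha1_split("password123")
DEMO_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_DEMO_SUFFIX}:126927",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])


def demo_lookup(prefix: str) -> str:
    """Stand-in for fetch_range() that serves the constructed response."""
    return DEMO_RESPONSE if prefix == _DEMO_PREFIX else ""


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        n = pwned_count(pw, demo_lookup)
        print(f"{pw!r}: {('seen %d times' % n) if n else 'not in sample data'}")
```

Swap `demo_lookup` for `fetch_range` to query the real service; the point of the design is that the server only ever learns a 5-character prefix shared by hundreds of hashes, so an exposed-password check does not itself become a password leak.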
Use 2FA (but still be careful)
A best practice to help protect against phishing scams is applying a second factor (2FA) wherever this measure is supported. However, 2FA is no guarantee that a phishing attack will be unsuccessful, only that it reduces the risk.
Poorly implemented 2FA measures, for example, can be useless in preventing phishing attacks. Use 2FA, but back this up with Security Awareness Training.
Report Anything Suspicious
Encourage employees to report a suspicious email or text to help prevent an incident from occurring. Create an environment that encourages security cooperation. Keep an open door and an open mind about employees who click on a malicious link by giving them the space to feel they can report an error.
Incident reporting will help protect your organisation against phishing scams, but reporting must be easy and based on an advanced reporting system designed to escalate and provide triage options.
Consider Using Anti-Phishing Tools
Security Awareness Training is part of a broader set of measures that can be used to protect against phishing scams. Other measures that add layers of protection include DNS filtering software, which helps prevent an employee from navigating to a malicious website, and a cloud-based email spam filter, which can stop phishing emails from reaching an employee’s inbox.
However, these security measures alone are not enough. Cybercriminals who develop phishing emails are increasingly designing the emails to evade detection. Only by using multiple layered methods, including your employees’ knowledge about phishing, can an organisation protect against phishing scams.