How to Prevent Phishing Attacks
Phishing attacks are an evergreen cyber threat that companies continually have to contend with. In fact, according to statistics cited by smallbiztrends.com, “In 2018 83% of people received phishing attacks worldwide.” To put this into perspective, if your business has five employees total, then four of them have already been phished at least once this year.
Knowing how to prevent phishing attacks is a critical cybersecurity skill for any organization. Unfortunately, many people aren’t fully aware of what phishing attacks are, how they work, why cybercriminals use them, and how to prevent phishing attacks.
To help your organization thwart phishing attacks and prevent a security breach, here’s a quick primer on how to prevent phishing attacks.
What is a Phishing Attack?
The first step in stopping any cyberattack strategy is learning to recognize it. The trouble with phishing attacks, however, is that they can come in many forms. The broad definition of a phishing attack is that it’s a type of cyberattack where the attacker tries to trick a person into taking an action that may compromise their (or their organization’s) cybersecurity in some way. This can mean:
- Fooling the recipient into opening a link to a malicious website or to a malware download;
- Tricking people into sharing sensitive information, such as credit card numbers, account passwords, or other information that can be used for future phishing attempts; or
- Directly transferring money or making payments on a fraudulent invoice.
These attacks often use a form of spoofing to fool the victim into believing that they’re receiving a legitimate communication from a trusted source.
For example, a phishing email might list the sender as an employee’s direct supervisor or a company executive. Phone calls might use a spoofed caller ID to pose as a tech support department trying to troubleshoot a problem with an account. Or, attackers might create entire fake websites that spoof ones the target normally visits.
Why Cybercriminals Use Phishing Attacks
So, why do cybercriminals use phishing attacks against companies and individuals. The reasons behind a phishing attempt are as varied as they are for any cyberattack. The most common reason, however, is profit.
Phishing attacks—especially ones carried out using email or social media—are fairly easy to complete and don’t require much in the way of resources to make. Yet, these attacks can be incredibly lucrative when they succeed.
For example, say a phishing email to an accounting department gets through and a clerk approves a fake invoice for $50,000 that wires money directly into the attacker’s overseas bank account. If this trick works just one time, the attacker has made more than many people do in a year. Even if it only works once out of every 10,000 tries, the investment of time and resources to make those attempts is a drop in the bucket compared to what a single success can provide. For some companies, a $50,000 invoice might be so minor or routine as to not raise suspicion.
Worse yet, if a phisher is able to trick someone with that kind of authority into giving up user account credentials, they could use that power to steal far, far more money.
How to Prevent Phishing Attacks
Okay, so phishing attacks are a major cyber threat, and they aren’t likely to go away any time soon because of how easy and effective they are. So, what can you do to stop phishing attacks before they start?
There are a few things that organizations can do to counter phishing attacks, including:
- Increasing Email Security. One of the most basic defenses against phishing is email security—such as malware/virus scanners to check email links and downloads for threats and anti-phishing solutions that block blacklisted email domains or spoofed email addresses.
- Employing Verification Policies for Requests. When an email, text, or phone message asks an employee to approve a fund transfer, share sensitive information, or take some other action that could result in a security breach, that employee should perform an independent verification of that communication. Instead of replying directly to the sender, the employee should reach out to whichever supervisor, department head, or CEO is named in the request through pre-established channels. This might take some time, but it’s better than exposing the organization to a security breach.
- Create a Phishing Awareness Program. While the “human firewall” created by security education, training, and awareness (SETA) programs aren’t 100% proof against cyber threats like phishing, they can help to prevent some attacks. SETA programs can boost cybersecurity by teaching employees to recognize phishing attacks and by ensuring that they know existing verification policies and data security standards.
- Increasing User Account Security. When phishing attacks succeed in stealing account credentials, they can do untold harm to the organization. Increasing account security by using multi-factor authentication (MFA), which employs biometric or token identity verification in addition to user passwords can prevent attackers from being able to use a stolen password. Additionally, having employees change their passwords on a regular basis can further enhance security by rendering compromised passwords useless.
- Restricting User Account Privileges. There is no reason for every employee in the business to be able to approve $1,000+ invoices. Instead, these types of account privileges should be restricted to only those employees who need them—which makes randomly-targeted phishing emails less likely to succeed. Even if account credentials are stolen, the damage caused can be limited to just those systems that the account had access to.
- Use SIEM Tools to Track Abnormal Activity. Security information and event management (SIEM) systems can be a powerful tool for logging activity on a business network and identifying abnormalities. While SIEM tools won’t stop a phishing attempt, they can be useful for identifying unusual activity and tracing it back to its source so future attacks can be prevented.
Need help protecting your organization from cyber threats like phishing attacks? Reach out to the Compuquip team to get started.