Every IT admin has asked themselves, “How can I stop phishing attacks?” Phishing is unfortunately one of the most common, effective, and damaging attacks hackers use to break into bank accounts, steal data, steal money and overall – scam your company.
Phishing attacks have always been on the rise, but since Covid-19 caused many organizations to move to remote work, phishing attacks have increased exponentially. According to F5, Phishing attacks increased by 220% during the Covid-19 peak. Some of these attacks capitalized on the fears surrounding the pandemic, including fraudulent hand sanitizer and mask offers.
By learning a few tricks, stopping phishing attacks can be easier for your company. There is a wide range of tricks and tools that you can use to protect your users and data from phishing attacks, including just knowing what to look out for. Sharing this knowledge, and implementing these tools can help you improve your overall cybersecurity, save time, and protect your business’ money long term.
What is phishing & how can it be prevented?
Phishing is an attack made by a cybercriminal, where the attacker poses as an institution or known person. The goal of this trickery is to easily convince an individual to share sensitive information. This information may include bank account numbers, credentials, credit card numbers, or any other personally identifiable information (PII). Additionally, these attacks may be performed in any of the following ways:
- Phishing Emails: The most common type of phishing attack is an attack via email. These emails are likely to contain a ‘call-to-action.’ The actionoften leads to a spoofed login page designed to harvest passwords, but it could also include instructions to click a link or open a file, which will then install a virus or ransomware onto your computer system.
- Spear-Phishing and Business Email Compromise: These types of attacks are more advanced than regular mass phishing attacks. Spear-phishing is when hackers uniquely target an individual or business using information specific to them. This includes impersonating a trusted sender, such as a business contact. They will then target users, impersonating familiar suppliers, services, or business topics, and ask them for specific account information, such as banking credentials. Business email compromise is similar, except the senders are usually impersonating the company’s executives or using a compromised account within the organization.
- Phishing Websites: When surfing the web, users might come across a page that looks legitimate (it may even utilize HTTPS), but it may be scraping your user data. According to Google’s Transparency Report, they detected an average of 46,000 new phishing websites every week in 2020.
Why is phishing so damaging?
Phishing attacks have still been so successful due to the fact that they constantly slip through email and web security technologies. Exchange, Office 365, and G-Suite are commonly used in the workplace for business communications. While these platforms filter out well-known malicious emails, zero-day and targeted email threats consistently slip through the cracks. Unfortunately, when these emails do not look overtly scammy, users can fall for these traps, which can have massive repercussions for organizations. Take a look at some of the most shocking phishing damage statistics from the past few years:
- In 2019, the FBI reported a whopping 100% increase in the number of CEO scams, costing businesses over $26 billion in losses since 2016. They also reported that there were more than 11 times as many phishing complaints in 2020 compared to 2016.
- In 2020, Proofpoint found that 75% of all organizations experienced some sort of phishing attack in 2020. Additionally, 35% of organizations experienced spear phishing attacks, and 65% faced Business Email Compromise attacks.
- IBM also found that nearly 20% of companies suffered a malicious data breach in 2020, which was infiltrated due to lost or stolen credentials.
Tips to prevent phishing scams
With a few tips and tricks, you can keep your organization safe from phishing attacks. Let’s take a look at some of these tips and why they are so helpful:
API-level detection layer
API-level email security provides several advantages over the email filter approach for detecting and responding to evasive phishing attacks. This new approach continuously scans messages for threats and anomalous behaviours post-delivery, not just in a single pass at the server. Inspecting emails post-delivery allows for time to apply frameworks like machine learning, natural language process, sender-recipient email history, etc. When a threat is identified, it can automatically “claw back” suspicious messages from all impacted inboxes. This addresses a second shortcoming in the current email security model—the labor-intensive process of investigating, containing, responding to and remediating malicious emails across the organization.
Provide training to your employees
Providing your employees with email security training can give them the knowledge they need to avoid a phishing attack. Here are some key points to touch upon during that kind of training:
- The concept of “think before you click”: This concept involves educating your employees about how to recognize and report a phishing attack. Some of the things to look out for might include suspicious email addresses, a generic greeting, a threatening tone, grammatical errors, external links to a site you don’t recognize, and more.
- Segment networks: This can help to keep sensitive data more restricted, which makes it more difficult for cyberattacks to penetrate your network.
- Audit the cybersecurity environment: This will help your organization assess any vulnerabilities, as well as identify threats, and develop necessary defensive strategies.
- Don’t respond: It’s crucial to not respond to emails requesting your personal information, such as bank details, passwords, etc.
- Check grammar: Make sure to thoroughly check any poorly spelled emails for grammatical errors.
- Checking on mobile: On mobile devices, try pressing and holding the link, URL, or web address of the page, so that a preview will appear, and you can determine if it’s a legitimate site.
Utilize end-to-end encryption
A very reliable method for stopping phishing attacks, encryption is always a great first measure your organization should adopt. End-to-end encryption is the best way to ensure email messages are fully encrypted by your employee. The intended recipient is the only person who can decrypt the email on their device. This type of email is secured throughout every stage of delivery – they cannot even be read by the email servers. This can make it difficult for cybercriminals to gain access to sensitive information or even attachments.
Check & set rules for your spam filter
The first step you can easily take is checking your email provider’s settings. While most email providers do a great job at blocking phishing attempts, a few may still slip through filters. Fortunately, you can report any of the attacks that do slip through. Additionally, you can also set up rules within your spam filter. Depending on the host of your email server, you can set up specific rules so that incoming emails are marked as junk based on parameters, and then put in the trash.
Install anti-phishing software
An anti-phishing software provides users with the extra protection they may need. Solutions such as Cyren Inbox Security can really help to detect phishing attacks and automate the incident response workflows to keep your organization safe. While major email providers have spam filtering capabilities they are necessary for email hygiene but not enough for the prevent, detect, respond, predict cycle required to address the risk.
The first line to phishing attack prevention is a secure email gateway. Email gateways are helpful because they can be used to filter harmful and malicious emails. They also quarantine them automatically so that they do not reach the user inboxes. A great, secure email gateway blocks 99.99% of spam emails – removing emails that contain any malicious links or attachments. They are essential to stopping users from receiving almost any phishing emails.
Conducting phishing simulations is an important way to see how effectively your employees recognize phishing attacks. This helps IT admins to understand the risk their organization has by way of phishing. This can also be helpful to direct training as needed.
Phishing emails are unfortunately built to trick users into clicking, sending credentials, and more. Since the sophistication of these attacks are constantly evolving, users need to stay vigilant to stop phishing attacks from happening.
Learn more about Cyren Inbox Security for 365, and how it can help your business stop phishing attacks in their tracks.