A Business Guide to Preventing Phishing
Phishing is one of the biggest cybersecurity threats businesses of all types and sizes face. Research shows 74% of all phishing attacks targeting U.S. organizations were successful in 2020. These attacks can be relatively simple in approach but highly devastating for the business.
Below is everything businesses should know about phishing in general and the steps to take in 2022 to prevent these attacks or mitigate the risk.
What is Phishing?
First, let’s get back to the basis—what is phishing?
In the most general sense, phishing is a type of cyberattack where a scammer tries to get sensitive data or information from individuals or businesses. Phishers will create the illusion they’re a trustworthy source.
No matter the specific method a scammer uses, the goal is to get your personal information or the personal information of your business. They’ll send fake emails and text messages, and some will look like obvious scams, but others are increasingly sophisticated.
A phisher will determine who their target is going to be. This can be an individual or an organization. From there, once a target is identified, phishing scammers will develop strategies to collect data. That data is used during the launch of the attack.
A phisher will most often create fake emails but may also use phony web pages or text messages.
The messages seem trustworthy from the perspective of the victim. After the attack is deployed, phishers monitor and then collect data. The data can then be used for financial gain or further fraudulent activities.
There are many subcategories of phishing.
For example, some phishing emails ask a victim to click on a link. Then, once that link is clicked on, you might enter personal or sensitive financial information, leading to identity theft.
The most basic phishing email will impersonate a legitimate company or person. You provide log-in information, or you click a link. If you click the link, you’re allowing malware or viruses to be installed on your devices, and hackers can take control of it and steal information.
Spear phishing is a highly personalized attack rather than a more generic email and sent to a larger group. Spear phishing can target not just an individual but also a business or organization.
A scammer who’s launching a spear-phishing attack will spend time researching the target, which Is known as social engineering.
In a business, spear-phishing emails might appear to come from a boss, and it could be requesting access to company information.
Clone phishing is one of the toughest subtypes of these scams to detect.
In a clone-phishing attack, scammers create almost identical versions of emails that the target has already received. The email address of the sender is cloned almost exactly.
Whaling is a term where big targets like chief executive officers are the target.
These attacks are very sophisticated in that they rely on first doing a lot of research.
Trends In Phishing
While phishing itself isn’t new, and it remains a relatively simple way to infiltrate an organization, there are constantly evolving trends and strategies these criminals use.
For example, bait attacks are techniques attackers are starting to use with increasing frequency. In a baiting attack, the cybercriminal sends a test email to see who will actually respond. Then, the attacker can use that information for more targeted attacks in the future.
The initial email might be very short or not even have content. The goal is to verify the email account or potentially start a conversation with the target.
A survey recently cited by Forbes indicated 35% of organizations reported being targeted by at least one phishing attack in September 2021 alone.
Another area of concern for businesses is that cybercriminals are using deep fakes and AI to create even more convincing campaigns against their targets.
Phishing and ransomware can tend to go hand-in-hand, both garnering significant attention in the business world right now. Phishing scams are one means of getting ransomware on your device.
Ransomware is a particular type of malware that encrypts data, so you don’t have access to it anymore. A cybercriminal will demand a ransom be paid to regain access to your files and have them decrypted.
A report back in 2017 found 93% of all phishing emails contained ransomware.
Ransomware tends to be most often spread through fraudulent email attachments.
So what can businesses do?
The most basic things you can do include email filters and antivirus software. When you use email filters, it can help, but it doesn’t guarantee malicious emails won’t’ come through, which we talk about more below.
Depending on how much of a threat you feel it could be to your business, you can also disable hyperlinks on email settings. That means your employees won’t be able to receive links from legitimate senders, though.
Up-to-date antivirus software can protect against phishing and other types of threats, but it’s not perfect.
Use SSO and MFA
Single-sign-on or SSO is a way to help your employees deal with the many passwords they may need on a daily basis to do their jobs. One of the fundamental steps you should take to prevent an organizational phishing attack is to use an SSO security solution. With SSO, you can reduce the number of attack surfaces.
SSO solutions improve productivity but at the same time create layered security and a good overall user experience.
SSO shouldn’t be used on its own, though. There is a risk of doing so. If a cybercriminal were to steal credentials, they might have access to a lot more with SSO than they would otherwise.
Layer SSO with multi-factor authentication or MFA.
MFA requires that users prove their identity in the authentication process. Identity can be verified by adding another factor in addition to the password.
There is something called step-up authentication which can be helpful to prevent phishing.
Step-up authentication allows users to access some resources to do their jobs without providing a second authentication factor. Still, when they need to access more sensitive information, they have to take the step for further authorization. Step-up authentication can occur within a system or application.
Even if the user initially logged in, if it’s within a system, then they’re again asked to apply a second factor.
Even if you don’t use SSO, you should absolutely be using MFA across employee accounts.
The best-case scenario in terms of not only phishing by cyber threats, in general, is to use an SSO platform with integrated MFA.
You need formalized cybersecurity policies relevant to your current work environment, especially if you now have remote or hybrid employees when maybe you didn’t before. For example, you want to combine solutions like SSO and MFA with password complexity requirements.
Taking a Zero Trust Approach
Zero Trust is the principal goal you should have in mind for cybersecurity in our increasingly remote world. Zero Trust has implications specifically to protect against phishing and to secure emails as well.
Legacy email security solutions will often focus only on spam or maybe a message body with questionable content. That’s not good enough now.
Zero Trust has added layers of protection for even social engineering, phishing, and business email compromise attacks.
The Zero Trust approach puts the focus on authentication. This authentication element helps make sure emails that are coming into the business environment are from legitimate domains, brands, and individuals.
No email is trusted in Zero Trust unless it can pass several authentication protocols, including Sender Policy Framework and DomainKeys Identified Mail.
Email Training and Buy-In
No matter what policies, procedures, and safeguards you put in place in a business, you aren’t going to be able to protect against phishing without well-trained employees who understand it, are vigilant and realize the importance of cybersecurity.
It would help if you formalized written policies that your employees are then well-trained on. Training should be frequently updated because the threat landscape evolves quickly.
If you use a Zero Trust model, you need your employees to also play a part in the detection and reporting of suspicious emails.
What tends to make phishing attacks so successful is that they take advantage of human vulnerabilities and weaknesses rather than your cybersecurity technology.
Cyber awareness end-user training can help with this. Your employees should learn how to spot the red flags of an email impersonation attack, and there should be a simple way for employees to report anything they’re questioning.
No matter the specifics of your cybersecurity approach for 2022, you need to be planning for phishing attacks to be more devastating. A lot of cybercriminals are taking advantage of current issues in their attacks, like supply chain problems or situations related to employees working remotely.
Business owners and their employees have to be vigilant because it’s now becoming the norm rather than the exception to be the victim of phishing and similar cyberattacks.