Phishing is currently a hot topic in cybersecurity due to the increasing number of attacks. When it comes to preventing phishing attacks, best practices need to be adopted to improve resilience and reduce the susceptibility of the workforce. By combining these anti-phishing best practices, it is possible to mount a formidable defense against this common attack vector.
What is Phishing?
Before explaining best practices for preventing phishing attacks, it is useful to explain what phishing is. Phishing is a technique used by cyber threat actors to trick victims into disclosing sensitive information, such as login credentials or credit card numbers, or into taking a specific action, such as opening an email attachment that triggers the download of malware.
Essentially, phishing is all about deception and is a type of social engineering, which is the psychological manipulation of people into performing certain actions.
Types of Phishing
It is important to understand that while phishing is commonly conducted via email, there are many different forms of phishing. Knowing about the different types of phishing attacks will help you develop an effective anti-phishing strategy. Phishing is a broad term covering many different subtypes, the most common of which is email phishing, but phishing can occur via SMS or instant messages (SMiShing), over the telephone or in-person (voice phishing or vishing), or via social media sites. These social media phishing attacks are often referred to as angler phishing, where the attacker masquerades as the customer support staff of a business via fake corporate social media accounts to obtain sensitive information. Attackers may observe the websites individuals visit and then seek to compromise those sites and use them for malware distribution or harvesting credentials in a watering hole attack.
Phishing attacks are often conducted in large-scale, non-targeted campaigns but smaller campaigns are often more effective. Spear phishing is where the attacker opts for highly targeted attacks on a small number of individuals. These attacks are often referred to as big game hunting or whaling attacks, as they target the big fish – the CEO, CFO, or other C-Suite members. If the email account of a CEO can be compromised in a phishing attack, it can be used in a business email compromise (BEC) attack, where the account is used to send emails to employees responsible for wire transfers or payroll to try to divert funds.
Phishing attacks used to be quite easy to spot. The emails contained spelling and grammatical mistakes and often involved too-good-to-be-true offers. While these campaigns are still conducted, phishing has become a lot more sophisticated. Many phishing attacks are so believable that it is very difficult to distinguish a phishing email from a genuine message.
Phishing attacks have been increasing in number because they are so effective, and during the pandemic, there was a massive increase in attacks. According to the Federal Bureau of Investigation (FBI), phishing attacks doubled in 2020 and the FBI’s Internet Crime Report shows phishing was the leading type of cybercrime in terms of victim count, with 323,972 complaints from victims submitted – the next highest type of crime was non-payment/non-delivery scams with 82,478 victims.
At least $44,213,707 was lost to phishing scams in 2021, and $2,395,953,296 was lost to BEC attacks, which often start with phishing emails. A 2021 report on the state of phishing by Proofpoint found that 70% of U.S. businesses experienced at least one phishing attack in 2021.
Phishing is used so often by cybercriminals for several reasons. Firstly, attacks are easy to conduct and require little investment or technical skill. Phishing kits can be purchased and added to websites to harvest credentials, and even malware can be hired and used in attacks under the malware-as-a-service model. Phishers can then sell access to malware-infected devices to other cybercriminal operations, such as ransomware gangs. Secondly, phishing is effective. Enough people will respond to make the attacks financially worthwhile.
Preventing Phishing Attacks: Best Practices to Adopt
Phishing can take several forms and there is no single best practice or cybersecurity solution that is capable of blocking all attacks. What is required is a defense-in-depth approach that combines best practices for preventing phishing attacks with multiple technical safeguards and end user training.
Email Security Solutions
The single most important anti-phishing measure is an email security solution. Spam filters and secure email gateways are technical solutions that secure digital communications and block the most common vector used in phishing attacks. Email security solutions block phishing emails at source to prevent them from being delivered to inboxes. They assess links in emails to determine if they are malicious, analyze message content looking for commonly used phishing formats, and block emails from malicious IP addresses and those with poor reputations. They also search for malicious code that delivers malware.
SpamTitan Email Security from TitanHQ is one of the most effective and easy-to-use anti-phishing solutions for blocking email-based phishing attacks. SpamTitan incorporates robust anti-malware protections and blocks over 99% of spam and phishing emails with a low false positive rate of 0.003%.
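To make the checks described above concrete, here is an added example (written for this page, not SpamTitan's or any gateway's own code) of a small heuristic analyzer that applies several of them to a raw message: a display name that claims a brand while the sender domain belongs to someone else, a Reply-To that points away from the sender, a first-hop sending IP on a reputation blocklist, and links whose visible text names one host while the href goes to another or to a raw IP. The blocklist, the brand-to-domain table, and both sample messages are constructed for the example (TEST-NET addresses and `.example` names); a real gateway would draw these from reputation feeds and a far larger rule set.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed reputation blocklist (TEST-NET-3 address, not a real indicator).
BAD_SENDER_IPS = {"203.0.113.45"}
# Assumed mapping of commonly spoofed brand names to the domains they legitimately send from.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "paypal": {"paypal.com"}}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels (enough for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw):
    """Return a list of human-readable reasons the message looks like phishing (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.split("@")[-1].lower() if "@" in addr else ""
    # 1. Display name claims a brand, but the sender domain does not belong to that brand.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and registered_domain(from_dom) not in domains:
            reasons.append(f"display name '{name}' but sender domain {from_dom}")
    # 2. Reply-To steers replies to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registered_domain(reply.split("@")[-1]) != registered_domain(from_dom):
        reasons.append(f"reply-to domain {reply.split('@')[-1]} differs from sender")
    # 3. A relaying IP recorded in a Received header is on the reputation blocklist.
    for received in msg.get_all("Received", []):
        m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", received)
        if m and m.group(1) in BAD_SENDER_IPS:
            reasons.append(f"sender ip {m.group(1)} on blocklist")
    # 4. Links: raw-IP hosts, and visible text that names a different host than the href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
                reasons.append(f"link to raw IP host {host}")
            shown = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
            if shown and registered_domain(shown.group(1)) != registered_domain(host):
                reasons.append(f"link text shows {registered_domain(shown.group(1))} but goes to {host}")
    return reasons


# Constructed sample messages (not real captures).
SAMPLE_PHISH = """\
Received: from mail.example.net (mail.example.net [203.0.113.45]) by mx.corp.example; Mon, 1 Jan 2024 10:00:00 +0000
From: "Microsoft Account Team" <security@m1crosoft-login.example>
Reply-To: collect@attacker.example
To: user@corp.example
Subject: Unusual sign-in activity
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify your account:
<a href="http://198.51.100.7/login">https://login.microsoft.com</a></p></body></html>
"""

SAMPLE_LEGIT = """\
Received: from smtp.vendor.example (smtp.vendor.example [192.0.2.10]) by mx.corp.example; Mon, 1 Jan 2024 10:00:00 +0000
From: "Vendor Billing" <billing@vendor.example>
To: user@corp.example
Subject: Your January invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Portal: <a href="https://portal.vendor.example/inv">portal.vendor.example</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw))
```

Each reason is independent, so a gateway would normally weight them and block above a threshold rather than on any single hit; the display-name and link-text checks are the ones that catch the "believable" messages the article mentions, because those rely on what the user sees rather than on spelling mistakes.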
Web Security Solutions
Many email phishing attacks have a web-based component. Links to malicious websites are included in emails or email attachments that direct users to websites where credentials are harvested or malware is downloaded. These websites can also be encountered via general web browsing, and individuals may be redirected to these sites via search engines or through malicious online adverts. Web security solutions, such as web filters and DNS filters, provide time-of-click protection against malicious links in emails, control the web content that users can access, and block malicious websites and malware downloads.
WebTitan DNS Filter is an award-winning DNS-based web filtering solution for blocking the web-based component of phishing attacks. The solution provides administrators with full visibility into web traffic, blocks malware downloads and command-and-control communications, and allows administrators to carefully control the types of web content users can access.
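The following added example (written for this page, not WebTitan's code) shows the policy logic at the core of a DNS filter: blocklist and category entries match any subdomain of the listed name, an explicit allowlist overrides them, and blocked names resolve to a sinkhole address instead of the real one. It also shows why "time-of-click" matters: the same link is evaluated against the policy as it stands when the user clicks, so a domain that was unknown at delivery time but blocklisted later is still stopped. All domains, categories, and the sinkhole address are constructed for the example.

```python
from urllib.parse import urlparse

SINKHOLE = "0.0.0.0"  # constructed: answer returned for blocked names instead of the real address


class DnsPolicy:
    """Policy decisions for a DNS filter. Blocklist and category entries match by
    domain suffix (an entry for evil.example also covers cdn.evil.example);
    an explicit allowlist entry overrides everything else."""

    def __init__(self, blocked, categories, blocked_categories, allowed=()):
        self.blocked = {d.lower() for d in blocked}
        self.categories = {d.lower(): c for d, c in categories.items()}
        self.blocked_categories = set(blocked_categories)
        self.allowed = {d.lower() for d in allowed}

    @staticmethod
    def suffixes(name):
        """'cdn.evil.example' -> ['cdn.evil.example', 'evil.example', 'example']"""
        labels = name.lower().rstrip(".").split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]

    def verdict(self, name):
        """Return (action, reason, answer); answer is the sinkhole for blocked names."""
        for s in self.suffixes(name):
            if s in self.allowed:
                return ("allow", f"allowlisted via {s}", None)
        for s in self.suffixes(name):
            if s in self.blocked:
                return ("block", f"blocklisted via {s}", SINKHOLE)
            category = self.categories.get(s)
            if category in self.blocked_categories:
                return ("block", f"category {category} via {s}", SINKHOLE)
        return ("allow", "no policy match", None)

    def check_click(self, url):
        """Time-of-click check: evaluate the link's host against the policy as it is now."""
        host = urlparse(url).hostname or ""
        return self.verdict(host)


# Constructed policy for the example.
POLICY = DnsPolicy(
    blocked={"cred-harvest.example"},
    categories={"malware-host.example": "malware", "partner.example": "file-sharing",
                "news.example": "news"},
    blocked_categories={"malware", "file-sharing"},
    allowed={"partner.example"},  # business exception overriding the category block
)


def time_of_click_demo():
    """Same link, evaluated before and after threat intelligence adds its domain."""
    url = "http://update.newly-registered.example/setup"
    before = POLICY.check_click(url)[0]           # unknown at delivery: allowed
    POLICY.blocked.add("newly-registered.example")  # intel arrives after the email was delivered
    after = POLICY.check_click(url)[0]            # the click is judged against current policy
    return before, after


if __name__ == "__main__":
    for name in ("login.cred-harvest.example", "dl.malware-host.example",
                 "drop.partner.example", "www.news.example"):
        print(name, POLICY.verdict(name))
    print(time_of_click_demo())
```

Suffix matching is what makes a single blocklist entry cover the throwaway subdomains phishing kits generate, and the allowlist-first ordering is deliberate: an exception a business has approved must win over a category match, otherwise the filter gets switched off the first time it blocks a needed site.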
Best practices for preventing phishing attacks include standard IT security measures such as using anti-virus software on all endpoints and ensuring that software is set to update automatically. More advanced antivirus solutions do more than identify signatures of known malware variants: they also include behavioral detection methods to identify previously unseen malware and traces of malicious code injection.
Update Browsers and Disable Pop-ups
Phishing is used to direct users to malicious websites hosting exploit kits – malicious code that probes for and exploits vulnerabilities in browsers. You need to keep browsers updated to prevent vulnerabilities from being exploited, patch all software promptly, and disable popups on websites. Popups are often added on compromised websites that redirect visitors to malicious content.
Implement Multi-Factor Authentication
Multi-factor authentication will not prevent phishing attacks, but it is one of the most important measures for preventing stolen credentials from being used to access accounts. If credentials are stolen in a phishing attack, they cannot be used to access the account without an additional factor for authenticating the user. Microsoft reports that 99.9% of automated attacks on accounts can be blocked with multifactor authentication.
Provide Regular Security Awareness Training to Users
All lists of best practices for preventing phishing attacks include technical measures for blocking attacks, but it is important not to forget about the human element. All users need to be trained on how to spot phishing emails and other types of cyberattacks. There are usually multiple red flags in phishing emails, and users should be trained to be constantly looking out for them and be taught email security best practices.
SafeTitan from TitanHQ is an award-winning security awareness training platform with a huge library of training content for improving security awareness. The platform provides behavior-based security awareness training that is triggered in response to events in real-time – when training is likely to have the greatest benefit.
Conduct Phishing Simulations
Before providing security awareness training, conduct phishing simulations to get a benchmark against which training can be measured. Then conduct regular phishing simulations to monitor improvements over time and to identify types of phishing emails that are fooling employees. Individuals who fail phishing simulations can then be provided with extra training. SafeTitan includes a comprehensive library of phishing templates for conducting automated phishing simulations and will assign training in real time when individuals fail phishing simulations.
Set up a Reporting Mechanism
IT departments should set up a reporting mechanism to allow employees to report suspicious emails. It is likely that if one employee receives a phishing email, there will be other copies in the email system that need to be found and removed. An email plugin that allows one-click reporting to the IT department or security team is one of the most important best practices for preventing phishing attacks and will allow IT teams to take prompt action to address the threat.
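Once a message is reported, the follow-up work is finding the other copies the article mentions. This added example (not code from the page or from any TitanHQ product) extracts indicators from the reported message, namely the sender, Reply-To, normalized subject, URL hosts in the body, and SHA-256 hashes of attachments, and then searches a mailbox store for messages sharing them. A subject match on its own is treated as too weak to act on, since legitimate mail can share a subject line. The mailbox store is a constructed in-memory list of (owner, raw message) pairs; in practice the same indicators would drive a search in the mail platform's API.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
STRONG = ("sender", "reply_to", "url_host", "attachment_hash")  # indicators worth acting on alone


def indicators(raw):
    """Extract the indicators used to match other copies of a reported message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Strip Re:/Fw: prefixes so forwarded copies still match on subject.
    subject = re.sub(r"^\s*(re|fw|fwd):\s*", "", msg.get("Subject", ""), flags=re.I).strip().lower()
    hosts, attachments = set(), set()
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            attachments.add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
    return {"sender": sender.lower(), "reply_to": reply_to.lower(), "subject": subject,
            "hosts": hosts, "attachments": attachments}


def find_copies(reported_raw, mailbox):
    """Return [(owner, matched_indicators)] for messages that share a strong indicator
    with the reported message. mailbox is a list of (owner, raw_message) pairs."""
    ref = indicators(reported_raw)
    hits = []
    for owner, raw in mailbox:
        ind = indicators(raw)
        matched = []
        if ref["sender"] and ind["sender"] == ref["sender"]:
            matched.append("sender")
        if ref["reply_to"] and ind["reply_to"] == ref["reply_to"]:
            matched.append("reply_to")
        if ref["hosts"] & ind["hosts"]:
            matched.append("url_host")
        if ref["attachments"] & ind["attachments"]:
            matched.append("attachment_hash")
        if ref["subject"] and ind["subject"] == ref["subject"]:
            matched.append("subject")
        if any(m in STRONG for m in matched):
            hits.append((owner, matched))
    return hits


def build(sender, subject, body, attachment=None):
    """Helper to construct sample messages for the example (not real captures)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", subject
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application", subtype="octet-stream",
                         filename="invoice.zip")
    return m.as_string()


LURE = b"PK\x03\x04fake"  # constructed attachment bytes shared by two copies of the lure
REPORTED = build('"IT Helpdesk" <helpdesk@corp-it-support.example>', "Password expires today",
                 "Reset now: http://reset.corp-it-support.example/login", attachment=LURE)
MAILBOX = [
    ("bob", build('"IT Helpdesk" <helpdesk@corp-it-support.example>', "Password expires today",
                  "Reset now: http://reset.corp-it-support.example/login")),
    ("carol", build('"Helpdesk" <support@other-sender.example>', "FW: Password expires today",
                    "Please act: http://reset.corp-it-support.example/login?u=carol")),
    ("dave", build('"IT Department" <it@corp.example>', "Password expires today",
                   "Change it via https://intranet.corp.example/account")),
    ("erin", build('"Accounts" <ap@another-sender.example>', "Invoice overdue",
                   "See attached.", attachment=LURE)),
]

if __name__ == "__main__":
    for owner, matched in find_copies(REPORTED, MAILBOX):
        print(owner, matched)
```

Bob's copy matches on sender and URL host, Carol's forwarded variant from a different sender matches on the URL host, and Erin's message matches only on the attachment hash; Dave's genuine IT notice shares the subject line and nothing else, so it is left alone. Hashing attachments and extracting hosts, rather than comparing whole messages, is what lets the search catch the per-recipient variations phishing campaigns use.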
Phishing is the biggest cybersecurity threat faced by businesses, and attacks are increasing in number and sophistication. You should adopt best practices for preventing phishing attacks and implement a defense-in-depth strategy incorporating multiple layers of protection. TitanHQ can help by providing email security, web security, and a security awareness training and phishing simulation platform. Contact the TitanHQ team today for more information and to sign up for a free trial of these award-winning anti-phishing solutions.