Preventing Phishing Attacks: 9 Simple Steps for Prevention
A Tiered Approach to Preventing Phishing Attacks
Preventing phishing is no longer as simple as deploying an anti-malware tool. This is an era where teams run on tight deadlines. They work on multiple projects at the same time. And they cooperate with external, contract staff. All these factors contribute to overlooking a dodgy ‘from’ addresses or to opening a malicious email attachment.
In many instances, preventing phishing attacks is now made possible by an individual employee. Employee actions ultimately impact enterprise-level security and risk performance. Phishing awareness programs expand security knowledge, change security behaviours and improve organizational compliance.
To safeguard enterprise-level data and systems, businesses must train staff to keep a watchful eye out for malicious attacks.
Preventing Phishing: Requires a Two-Tiered Approach
There’s a clear demand for both employee training and anti-malware infrastructure in the enterprise. New research suggests that competitive organizations consider anti-phishing training basic hygiene, just like having anti-malware on all desktops.
Education ensures that every member of an organization is equipped to identify and react to a phishing attack. Awareness of the risks goes a long way. Understanding the tactics helps too.
Relying on anti-malware software simply won’t cut it with most enterprises in 2019. With phishing attacks growing more sophisticated, employees need to understand which actions and behaviours make phishing attacks successful.
Anti-Phishing Best Practices
Creating a set of Enterprise-Level Anti-Phishing Best Practices provides employees with a benchmark of what they may do to help preventing phishing attacks. These best practises can also help employees take action in the unfortunate case a phishing attack takes place.
Anti-phishing best practices include:
- Encouraging in-office behaviour change
- Policies on opening suspicious emails, links and attachments
- Policies on clicking shortened URLs
- Recommendations on using free WiFi
- Recommendations on disclosing confidential data
In-Office Behaviour Changes
Employee habits provide the easiest path into an enterprise network. Something as simple as a Post-It stuck on a computer monitor might be all an attacker needs to penetrate a corporate network.
Alternatively, weak passwords are easy for attackers to predict. Organizations need to educate users about the importance of strong passwords. Regular password inspection also goes a long way to protect a corporate network. These are low-cost, high-impact prevention tactics that help protect a business.
Suspicious Links & Attachments
Phishing attacks aren’t just hitting your employee’s inboxes. Many phishing attacks direct users to a malicious website that asks for sensitive personal information.
Best practices should indicate that employees avoid clicking on links or attachments in suspicious looking emails. Even if the link or attachment look familiar.
Emails demanding that confidential information (banking, government issued data) be entered online should be flagged. Financial organizations will never ask for personal data. When in doubt, your employees should contact the organization directly and alert their supervisor.
When attachments are in question, best practises should indicate every document be scanned before opening.
Phishing attacks often rely on shortened links, like you’d use for social media. The links often look legitimate. When the recipient clicks the link, a page associated with a totally different URL launches. More importantly, the link also launches a malicious code that attacks the employee’s computer/device.
These shortened URLs are traps. Once the malicious code is activated, attackers can use the device to access IT systems and confidential enterprise data.
By educating employees about the risks of shortened URLs, your business can prevent a phishing attack before it bypasses your security controls.
Errors and Exaggerations
Perhaps the best-known element of a phishing attack is the unusual use of capital letters, colourful fonts, personalization and punctuation (especially exclamation marks!). Poor grammar and spelling are also telltale signs of a phishing attack.
Attackers purposely include errors to bypass Spam filters.
Once employees know to watch out for unusual content, they can use their discretion to avoid certain emails.
Avoid Free WiFi
Public WiFi networks pose a threat to any connected device. We’re talking about open networks (the ones that don’t require passwords) and private passwords used by a variety of people (the ones in hotels, airports).
Employees using corporate devices to connect to nearby WiFi networks put any system that requires sensitive information at risk. The open security on WiFi networks allows attackers to lurk and monitor network activity. Sensitive information, like usernames and passwords, workplace networks access, or banking info can easily be obtained.
If connection to workplace networks is required, employees should use cell phone data plans.
Disclosing Personal Data
Emails demanding personal information regarding a financial institution or government agency suggest an attempt to breach network security.
Should a request feel compelling enough to click through, encourage employees to look for "https://" before the URL, or the lock icon. These are both indicators of a secure website. All banking websites use this secure domain approach.
Best practices should indicate that employees avoid clicking URLs starting with 'HTTP'.
Prevent phishing attacks relies heavily on the creation of a security-aware culture. That being said, infrastructure also plays an important role in isolating and preventing IT system infection by malware – including phishing attacks.
In most enterprises, the IT department maintains security policies and protocols that protect the organization from phishing attacks. The department will deploy some anti-malware service, including anti-phishing services to filter content and build a defence based on the symptoms of phishing. The system will monitor network traffic and ensure endpoint security.
Most importantly the department will customize the policies and protocols as new threats emerge, and keep the employees updated. Malware education is a two-way street requiring communication and collaboration between employees and the IT team.
Email authentication is the first line of infrastructure defence. This prevents spear phishing attacks, where an outside attacker mimics an internal address. With email authentication, only authorized senders can use your domain to send email messages. Email authentication will block the vast majority of fake messages (the direct spoofs/exact-domain attacks).
Regulatory and compliance requirements now frequently require email authentication as part of a business continuity plan.
A secure email gateway (SEG) can also stop inbound messages with suspicious content, including malware or malicious links.
While they may be old school, firewalls are still critical security measures essential for preventing phishing attacks. A firewall may not prevent the phishing attack, but it can help to lock down a system and minimize the consequences of an attack.
Support Preventing Phishing Attacks
As the majority of the phishing attacks are the result of human behaviour, education and awareness are key to preventing phishing attacks. Employees must understand both the part they play in preventing phishing attacks, and the role of infrastructure in prevention and detection.
Are you running a small enterprise without an IT department and the capacity to plan for phishing prevention? HostedBizz offers a range of anti-malware defences, from infrastructure tools to professional services. We can help organizations, small and large, to manage their employee education and infrastructure management.