How to Protect Your Business from Phishing Attacks
Phishing scams have increased over the years. The number of reported phishing attacks in the first half of 2019 was 165,772, and the first part of this year has already seen 146,994 reported phishing attacks.
Phishing tricks an individual into handing over a username and password, which attackers then use to break into a business's systems and carry out data breaches and cyber-attacks. It has become a major threat to the IT security of businesses.
Organizations need to have a proactive approach when dealing with various types of phishing attacks such as email phishing, spear phishing, smishing, and vishing. Let’s take a look at the various anti-phishing strategies that can help businesses protect themselves.
Ways to Avoid Phishing Attacks
1. Enable Multi-Factor Authentication (MFA)
Businesses can prevent phishing attacks to a great extent by incorporating MFA. Cyber-attackers can steal an employee's username and password through phishing emails. However, with MFA activated, cybercriminals will also need to provide an additional factor to gain access. This can be a one-time password (OTP) sent to the employee's device, an answer to a security question, or the employee's fingerprint/iris scan. Since an attacker who holds only the stolen password does not have these additional factors, the misuse of the stolen credentials is prevented.
2. Incorporate Cybersecurity Training
Organizations should train employees to spot phishing emails by looking out for the following tell-tale signs:
- Poor Grammar, Formatting, and Typos
Reputable organizations send well-crafted emails written by professional copywriters. Employees can often spot a phishing email by its bad grammar. The email might also have poor formatting and spelling errors.
- Use of Public Domain
Large companies have their own email domain. If an email claiming to come from a big brand arrives from a public mail domain, it is probably a phishing email.
- Misspelled Domain Name
Apart from using a public domain, cyber-attackers can spoof an organization's domain name to trick employees. For instance, the domain name of the e-commerce giant Amazon is "amazon.in." Cyber-attackers can impersonate the brand's domain name and send an email with the misspelled domain name "amazonn.in."
- Request for Revealing Sensitive Information
Legitimate organizations never ask an individual to provide personal and confidential information such as passwords, tax numbers, and credit card details. Employees should not click on suspicious links or open attachments that ask them to provide sensitive information.
- Shortened URLs
Cyber-attackers can use URL shortening to hide the real target of the link. Employees should be wary of clicking on shortened links as they can be directed towards phishing or malicious websites.
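Three of the signs above (a public mail domain claiming to be a brand, a misspelled lookalike domain, and shortened links) can be checked mechanically before an email reaches the employee. The following is an added example, not code from the article; the trusted-domain, public-provider and shortener lists are constructed for illustration, and the sample headers and body are made up.

```python
import re
from urllib.parse import urlparse

# Constructed reference lists for this example: the organization's trusted
# brand domains, free public mail providers, and common URL shorteners.
TRUSTED_DOMAINS = {"amazon.in", "example-bank.com"}
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Amazon <x@amazonn.in>'."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def check_sender(from_header: str) -> list[str]:
    """Return the tell-tale signs found in the sender address (empty = none)."""
    domain = sender_domain(from_header)
    display_name = from_header.split("<")[0].lower()
    findings = []
    if domain in TRUSTED_DOMAINS:
        return findings            # exact match with a domain we trust
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if domain in PUBLIC_MAIL_DOMAINS and any(b in display_name for b in brands):
        findings.append(f"public mail domain claiming a brand: {domain}")
    for trusted in sorted(TRUSTED_DOMAINS):
        # Within two edits of a trusted domain: likely a misspelled lookalike
        if edit_distance(domain, trusted) <= 2:
            findings.append(f"lookalike of {trusted}: {domain}")
    return findings


def shortened_links(body: str) -> list[str]:
    """Return every link in the message body that goes through a URL shortener."""
    return [u for u in re.findall(r"https?://\S+", body)
            if urlparse(u).hostname in URL_SHORTENERS]
```

A real deployment would draw the lookalike threshold and the lists from a maintained feed rather than literals, but the decision logic is the same.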
Businesses should also conduct regular phishing simulation tests to understand how well-versed their employees are in identifying phishing attacks.
3. Enforce Password Management Policy
To maximize the strength of the passwords used by employees, a robust password management policy should be enforced by organizations. The policy should make employees aware of the following aspects:
- Employees should create complex and long passwords.
- They should not include critical security information such as their social security number, credit card PIN, or date of birth in their passwords.
- They should use different passwords for their personal and official accounts.
- If employees suspect that their password has been compromised, they should immediately report the incident to the IT team.
4. Use Anti-Phishing Software
Anti-phishing software intercepts and analyzes the websites that an employee visits and compares them against a comprehensive list of reported phishing and malware sites. If the site visited by the employee is found on the list, the anti-phishing software immediately blocks it.
Anti-phishing software also analyzes emails for harmful attachments and links. This, in turn, prevents malicious and spam emails from getting delivered to the employee’s inbox.
5. Work on End-point Encryption
Organizations should encrypt and protect every end-point connected to their network, such as desktops, laptops, and mobile devices. End-point encryption software scans for and removes identified malicious code and viruses, thereby preventing phishers from turning a compromised device into a breach.
6. Regularly Update Security Patches and Software
Patching software vulnerabilities is important to prevent phishers from exploiting them. Businesses should apply software updates promptly, as soon as they are prompted to. These updates close the security gaps arising from vulnerabilities such as cross-site scripting, sensitive data exposure, and injection flaws.
7. Use Virtual Private Network (VPN)
A VPN secures the connection between an employee's system and the business's network. The data is transferred through this protected and encrypted tunnel, and the encryption ensures that the data is not disclosed in transit. In other words, a VPN facilitates the secure transmission of data and ensures that phishers are unable to intercept or steal it for malicious use.
8. Include Email Security Gateway
An email security gateway can help businesses minimize the likelihood of phishing attacks. From analyzing the domain name of the email to scanning emails for malicious content, it prevents phishers from accessing a business’s network. It can also recognize unfamiliar traffic patterns, identify malicious URLs, and proactively block them.
9. Leverage the Services of a Managed Services Provider (MSP)
A good IT support company or MSP can offer the latest cybersecurity services, such as email and spam filtering, strong authentication policies, and up-to-date anti-virus solutions, to help businesses counter phishing attempts.
10. Use Domain-Based Message Authentication, Reporting & Conformance (DMARC)
As mentioned already, phishers can spoof a company's domain name to send phishing emails. However, organizations can protect their domain name from being misused for phishing scams by implementing DMARC. It makes use of the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to verify that the email was sent from an authorized source. If the email is found to come from a spoofed domain, it is either rejected or sent to the spam folder, depending on the policy the domain owner publishes.
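The receiving mail server's side of this works as follows: it looks up the DMARC TXT record for the From: domain, checks whether SPF or DKIM passed for a domain that aligns with the From: domain, and otherwise applies the published policy (`p=none`, `p=quarantine` or `p=reject`). The code below is an added example of that decision logic, not part of the article; the DMARC record and domain names are constructed, and the organizational-domain rule is simplified to the last two labels.

```python
# Constructed DMARC record for a placeholder domain. The tag syntax (v=, p=,
# adkim=, aspf=, rua=) is real DMARC; the domain and address are made up.
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs, applying the defaults
    (relaxed alignment, policy 'none') for tags the owner did not publish."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real
    implementations consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass' if SPF or DKIM passed AND aligns with the From: domain;
    otherwise the owner's requested policy: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]
```

The spoofing case is the one where SPF passes for the sender's own envelope domain but that domain does not align with the brand in the From: header, so the published policy applies.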
Businesses should be aware of the types of phishing attacks they might face, the risks associated with these attacks, and ways to mitigate them. The above-mentioned strategies can help organizations get started with fighting phishing attacks effectively.
John Boden is a Managing Partner at QuestingHound, Inc., a Deerfield Beach IT support company that has been helping small businesses in South Florida stop focusing on IT and get back to doing business for the past 18 years. He promotes a culture that is dedicated to the highest standard of ethics, hard work, and outstanding customer service. Connect with John on LinkedIn.