Phishing is one of the oldest and most widely-used cyberattack tactics for one reason: because it works. No matter how you harden your systems against intrusion, there’s always the chance that someone will open a malicious attachment. You can’t prevent that entirely, but you can mitigate it. Here’s how.
Phishing is one of the oldest tricks in the book. Part of the reason is that pulling off a successful phishing attack is incredibly simple. There’s no need to crack through several layers of encryption, search for unpatched vulnerabilities, or find a willing malicious insider.
All you need to do is send out an email attachment or message pretending to be a trusted entity. Maybe you’re posing as the CEO of a company or an upper-level executive. Maybe you’re account services for one of the platforms a business uses. Or maybe you’re simply posing as an unrelated entity, sending out malicious payloads and waiting for someone who’s careless enough to fall for your schtick.
And before you get derisive, we should emphasize that it’s not just naive senior citizens or the technologically-incompetent falling for these attacks. Anyone can fall for a phishing scam. All it takes is a single moment of carelessness, maybe at the end of a long, hard day of work.
Not surprising, cybersecurity agency Retruster found that phishing accounts for approximately 90 percent of data breaches. To make matters worse, once a phishing attack is successful, there’s a good chance the victim will be targeted again - 15 percent are. Finally, 76 percent of businesses reported to Retruster that they were the victim of a phishing attack within the past year.
In short, phishing is simple. It’s easy. And it works. As noted by enterprise tech publication CSO Online, phishing has resulted in some extremely high-profile cyber incidents over the past few years including, but certainly not limited to:
- The release of confidential emails from Clinton campaign chairman John Podesta.
- The publication of a massive number of intimate photos of celebrities, stored on iCloud.
- Lost paychecks by a large number of employees at the University of Kansas.
And that’s just scratching the surface.
It gets worse. Thanks to the growth of cybercrime-as-a-service, there are now phishing kits widely available on the dark web. These allow a criminal quickly and easily mirror a wide range of legitimate websites, increasing the likelihood that someone will fall for the scam.
Anyway, that’s enough about the threat posed by phishing attacks. Let’s talk about what your business should (and shouldn’t) do to safeguard against them.
Do: Engage in Mindfulness Training
There are many reasons someone might fall for a phishing email, but in an enterprise context they ultimately boil down to simple carelessness.
An executive rushing from one meeting to another opens an attachment they assume is from one of their colleagues (it’s not). At the end of a long workday, an exhausted employee responds to a fake account security notification, handing over their corporate login. An HR coordinator forwards payroll information to someone they think is their CEO (it isn’t).
When we’re tired, rushed, or stressed, we tend to get careless. That’s basic human psychology, and it’s exactly what criminals are counting on. Phishing emails don’t need to work every time. They don’t need to fool everyone.
They just need to work once.
There are a few things you should do here.
First, teach your employees to recognize the signs that an email is a scam. This could be a sense of urgency, unusual language used by a colleague, or poor spelling and grammar.
Second, coach them in mindfulness. It’s a pretty simple concept. It just means being present and paying attention to our thoughts, feelings, and surroundings. It means stopping to think about each action before we take it.
That pause is usually all that’s required to realize someone’s trying to scam you.
Don’t: Expect Employees to Always be Cautious
In the same vein as the above, you can’t expect everyone to follow your mindfulness practices all the time. Mindfulness training is meant to mitigate the risk of a successful phishing attack - not prevent it. Even with proper education, people will still make mistakes.
For that reason, you need to ensure you have processes and systems in place for when that happens. For ransomware, air-gapped backups and the ability to quickly isolate compromised systems from the rest of your network. For compromised accounts and network intrusions, monitoring tools that alert you to any suspicious or unusual activity, both by users and by unidentified parties.
Do: Harden Internal Web Browsers
Given how many phishing attacks try to hijack login information by posing as legitimate websites, one possible means of defeating them is to run a browser extension that prevents users from connecting to websites that aren’t running HTTPS. There are also extensions that verify the URL of a site when someone connects to it. Install these extensions on all internal systems, and encourage employees to install them on personal devices as well.
Don’t: Neglect Your Password Policy
A strong password policy is also a must, both for defeating phishing attempts and for general security. This policy should focus on encouraging staff to create strong, unique passwords for each of their accounts, with guidelines around what makes a password memorable. Don’t force password resets as they rarely improve security enough to be worth the stress they’ll cause, both for employees and for your helpdesk.
Do: Encourage Two-Factor Authentication
It’s no secret that passwords are a dated technology. These days, people have too many accounts to keep track of - too many logins that creating a unique password for each is even feasible. With that in mind, you should look into incorporating authentication processes that eliminate the need for passwords where possible.
Two-factor, device-based authentication is the way to go in the immediate future. Moving forward, biometric and behavior-based authentication may also be feasible alternatives.
Don’t: Assume All Phishing Scams Happen via Email
Last but not least, it’s important to remember that while most phishing happens via email, not every phishing scam does. Some use other platforms, such as Facebook, LinkedIn, or Twitter. While they’re unlikely to be directed spear-phishing, but rather a shotgun approach to cyber-crime, it’s still important that you’re aware of the potential risk they pose, and that you make sure your staff is aware as well.
It’s really no surprise that phishing has gained such prominence as an attack method. It’s simple, it’s cheap, and it’s effective. The most you can do as a business is to train your employees and hope you have the proper mitigation tactics in place.
Beyond that, it’s ultimately a matter of luck.