The 10 best practices for identifying and mitigating phishing
Phishing (a form of social engineering) is escalating in both frequency and sophistication; consequently, it is even more challenging to defend against cyber-related attacks. These days, any industry, any workplace, any work role can be targeted by a phishing scam that is spreading beyond simple malicious email attachments and link manipulation techniques (i.e., phishers may disguise links to malicious URLs that possibly will download code once clicked). Hackers are often also utilizing new attack vectors to exploit people through all electronic and digital channels.
With phishing, automated tools can be of help; however, being a threat that primarily targets humans directly, anti-phishing technologies, including anti-spam and anti-virus software solutions, as well as content and URL filtering, file sandboxing and secure web gateways, can only mitigate the problem; the best way to counteract is not only to use multiple defenses but also, above all, strict (and enforced) security policies and a robust awareness program that spreads through the entire organization and involves all sections and ranks. One of the first steps in identifying and mitigating these types of phishing attacks is, in fact, to understand the threat, and to be mindful of the tactics that are employed.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
"Phishing attacks are successful because they target basic human natural responses as the urge to open correspondence, especially when it reaches their work account or it's believed to be coming from legitimate sources, colleagues or friends." Phishers, who attempt to trick the recipient into believing that they are from a legitimate company or put themselves out to impersonate specific senders if not masquerade as a trustworthy entity, do so in the hope to lure some digital users into releasing requested info with a purpose to exploit the human factor. When users respond with the asked for data, attackers can use it to gain access to their personally identifiable information (PII) or sensitive personal information (SPI), which can not only harm the organization as a whole but also lead to more "personal" problems like identity theft, fraud, and related scams.
To identify and mitigate phishing, it is important to understand how it works to be able to employ best practices and safe human behaviors; these can include even basic advice like not clicking on links in an unsolicited email message, or "in online ads, status updates, tweets and other posts," as mentions Stay Safe Online, which is powered by the National Cyber Security Alliance (NCSA), a nonprofit with the goal to empower cyber users through awareness and then takes steps in making the Internet a better, safer and more secure place for all consumers to use.
So, what else can you do to keep hackers from hijacking your data?
10 anti-phishing best practices
1. Recognize the need for a holistic approach to the problem. Be ready to defend the need to apply and fund appropriate technical countermeasures and non-technical countermeasures for phishing. Both types of countermeasures are a crucial component in the anti-phishing strategy of any business to ensure proper human response behaviors and the correct use of systems and software.
2. Seek the help of technology to screen e-mails. Emails are one of the main means of communication for many organizations today: dozens of messages are exchanged daily containing intra-company communications, personal exchanges, information to and from customers. It is very easy for malicious hackers, then, to attempt phishing through this means. Employing a number of anti-phishing tools is the first barrier against the most common attempts. Installing a good spam filter is essential to catching phishing emails before they end up in an inbox and to prevent accidental opening of malicious attachments or the collection of sensitive information through unwary employees. Many e-mail applications and web services already offer good security protection, so it is important those defenses are used. Of course, spam filters cannot catch everything and, on their own, will not ensure a risk-free environment.
3. Secure the environment from malicious websites. Use anti-phishing services (ideal for Content Filtering, Symptom-Based Prevention, Domain Binding) to counter phishing attacks. A browser-integrated anti-phishing solution, such as SpoofGuard and PwdHash, for example, could provide effective help by protecting against unauthorized IP and MAC addresses to prevent and mitigate online scams.
4. Stick to security basics. Old school tools like firewalls and antivirus software are still a good safety barrier. They might not stop a phishing attempt but can help mitigate their consequences by catching, for example, the infections given by clicking on attachments or spoofed links.
5. Concentrate on phishing security awareness. In most cases, phishing attempts require some kind of user's action or response to succeed, so it is obvious that making employees aware of the tactics used by scammers and the consequences of certain behaviors is paramount. Investing in awareness training is a first step towards creating a resilient workforce and organization that can, in addition to technical countermeasures, avoid phishing. It is important that all training is tailored to the needs of the specific organization; the more job-relevant the campaigns are, the higher the level of retention of all the information given. It is also important that all ranks in the organization are involved including executives: this is not only because the involvement of the higher management sends a signal to the entire organization about the importance of the program, but also because executives are one of the favorite targets of spear-phishing attempts. Furthermore, make sure training is also engaging. Involve staff in role-based simulations and training. For instance, the Infosec IQ Module Library has 'Lessons for Phishing and Malware' that provides best practices for avoiding such threats. SecurityIQ offers an expansive library of modules for all learner types with content that is regularly reviewed, revised and expanded by security education experts to cater to the needs of all sections and levels in an organization.
6. Establish a knowledge baseline via the phishing simulation service. Identifying phishing attempts is often a user's prerogative as many are crafted to escape the watchful eye of automated tools. At a minimum, any good awareness training should make users cautious of anyone asking for personal information or sensitive data; they should learn how to verify the actual sender's address or URL with simple actions like hovering above links and know when to go the extra step of actually contacting the source to verify the legitimacy of the request. Note: Users should also be warned of messages that convey a sense of urgency or "lost opportunity" as well as those that contain grammatical errors and spelling mistakes that would very rarely be contained in e-mails from legitimate entities. Another important topic should be the explaining of relevant parts of the firm's IT policy in the context of safeguarding PII data that resides on a company system or device.
7. Reinforce what is learned with continuous simulation and training which ought to be an ongoing activity that provides the current practice of sending security notices. Sitting in an awareness class, completing online courses or reading about phishing is great, but nothing beats practice when it comes to learning new, safe behaviors behind the keyboard. One of the ways is to provide activities like, for example, Social Engineering quizzes. A great tool is also phishing simulation. Using the tricks of phishers in a controlled environment might be a good first step in educating computer users to protect themselves. This is a great way to give your employees a real taste of what phishing is really all about and the knowledge to prevent social engineering, phishing and ransomware attacks. Prevention starts with awareness and the knowledge that can help users become 'human firewalls' and drive a behavior change that could reduce the impact of scams specifically targeting their habits. There are plenty of free resources and phishing simulators that can help.
8. Involve and empower employees to take proactive participation in organization-wide training, as it is important to give employees a sense of their importance as a human barrier against phishing attempts. If they suspect phishing, they should be asked to be proactive and report any suspicious IT-related behavior to an IT security point of contact if present in the organization. In the alternative, users could report scams to the Anti-Phishing Working Group (APWG) by sending an email to reportphishing@apwg.org for analysis or else address the message to phishing-report@us-cert.gov. Some larger organizations and government entities are already providing automated, easy ways for users to report anything worth noting using tools like the Infosec IQ PhishNotify plugin that can report suspicious emails with the click of a button. "Once reported, emails are safely quarantined and classified for future analysis." That is why taking action and report phishing may be the best practice to help mitigate such scams to spread or target other potential victims.
9. Take advantage of gathered intelligence. Although the widespread deployment of spam-filtering solutions has also reduced their value for real-time web traffic analysis, there are software and analysis tools that can help take advantage of the analysis of all suspicious activity reported. PhishHunter™ (Coming Soon), for example, might come in handy to analyze and classify every reported email based on malicious content and threat level with real-time threat intelligence. Banking on past experience can be an invaluable tool for the prevention and prompt identification of future attacks.
10. Prepare for the worst. Mitigating attacks also means mitigating their effects. No company, nowadays, is small enough to withstand unscarred the loss of sensitive data or the effects of ransomware. Every organization should be devising, implementing and updating policies that not only have to do with the proper use of IT systems, but also with the protection of data and their recovery. Frequent tests, backup procedures and the application of industry-mandated standards are all an additional layer of defense against the effects of phishing.
Conclusion
Because "28% of all breaches stem from human error" and "as many as 30% of your employees unable to spot a phishing email," mitigating and identifying phishing attempts passes necessarily through the involvement of users in specific training and familiarity with anti-phishing resources.
"Unless [cyber] users are educated (i.e., know various types of phishing techniques), they will be lured to the spoofed sites," say experts at Phishing.org. So, to protect staff from getting phished, they must be made aware of the different phishing techniques used to obtain personal information from users, or what makes them vulnerable in whatever profession they're in.
All told, a good mix of advances in technical tools and employees' resilience is the best way to mitigate phishing attempts and harden the IT environment of any at-risk company.
See Infosec IQ in action
Sources
- .Top 9 Free Phishing Simulators
- Phishing Definition, Prevention, and Examples
- Fight Phishing Attacks With Phishing Tactics -- It Works. ScienceDaily
- State of the Phish: Phishing Data, Insights, and Advice
- The Phishing Landscape
- Cyber Security Awareness Month: Phishing
- Phishing Prevention: Six Reasons Spam Filters Can't Catch Everything
- Anti-Phishing Services: Pros and Cons
- Top 10 Anti-Phishing Best Practices
- Journal of Management Information Systems
- Volume 34, 2017 - Issue 2. Pages 597-626
- Best Spam Filters of 2018
- Phishing Techniques
- Phishing Facts: What you need to know
- To Mitigate Phishing Risk, Let Employees 'Fail Forward'
- Online Safety Basics: Spam and Phishing
- What is phishing awareness success?