Phishing is a type of social engineering where an attacker sends a fraudulent message to trick a victim into revealing sensitive information, such as passwords or credit card data, or to deploy malicious software like ransomware. It is perhaps the oldest trick in the cybercrime book, and yet the most efficient. So how to prevent phishing in the workplace?
According to the 2021 State of the Phish report by Proofpoint, 57% of respondents said their organization experienced a successful phishing attack in 2020, up from 55% in 2019. Alarmingly, more than 1 in 10 users clicked on a simulated phishing email.
Today we share tips on how to spot malicious emails to prevent phishing, ransomware, and other malware attacks in the business network.
Prevent Phishing by Understanding How it Works
Over the last year, there has been a surge in coronavirus-themed phishing scams and ransomware attacks. At the same time, information security professionals have struggled to keep their users secure amid an abrupt shift to remote work due to the pandemic.
The problem with phishing is that it can often lead to more serious vulnerabilities and malware attacks. Cybercriminals attempt to lure users to click on a link or open an attachment that infects their device, creating a gateway for criminals.
Phishing emails may appear to come from a real financial institution, e-commerce site, government agency, or any other service, business, or individual. We’ve seen phishing campaigns pretending to come from nearly everything from Netflix and Instagram to the IRS.
Preventing Phishing in the Workplace
Email is not the only medium phishers use —vishing involves video calls and landline telephone calls; and smishing involves text messages. The point remains: attackers will request personal information such as account numbers, passwords, or Social Security numbers by any means and with any pretext.
This also applies to the work environment. Spear phishing, whaling, and business email compromise (BEC) are other forms of phishing targeted at specific and narrower audiences. These types of attacks reach fewer people, but their level of focus and sophistication make them more difficult for users to spot and for technical tools to block.
65% of organizations faced BEC attempts in 2020, with campaigns trying to lure them into executing “urgent” wire transfers or paying fake invoices that pretend to come from a trusted provider.
Attackers are adept at researching and targeting specific roles and people, which means these techniques should remain firmly on everyone’s radar.
Read More: 10 Ransomware Tips from a CISO – How to Prevent, Detect, Contain, and Respond to Attacks
7 Tips to Prevent Phishing
CISA and the NCSA have put together the following tips to prevent phishing at home and in the workplace.
1. Play hard to get with strangers
Links in email and online posts are the most common conduit for cybercriminals. If you’re unsure who an email is from—even if the details appear accurate—do not respond, and do not click on any links or attachments.
Be cautious of generic greetings such as “Hello Bank Customer,” as these are often signs of phishing attempts. If you are concerned about the legitimacy of an email, call the company directly.
2. Think before you act
Be wary of communications that implore you to act immediately. Many phishing emails create a sense of urgency, trying to make you think your account or information is in jeopardy. If you are prompted to do something urgently, reach out to that person or entity directly to verify the request.
3. Protect your personal information
If people contacting you have key details from your life—your job title, multiple email addresses, full name, and more that you may have published online somewhere—they can attempt a direct spear-phishing attack on you. Cyber criminals can also use social engineering with these details to try to manipulate you into skipping normal security protocols.
4. Be wary of hyperlinks
Avoid clicking on hyperlinks in emails and hover over links to verify their authenticity. Also ensure that URLs begin with “https.” The “s” indicates encryption is enabled to protect users’ information.
5. Double your login protection
If multi-factor authentication (MFA) is an option, make sure to enable it. That way, you’ll be the only person who has access to your account. Use it for email, banking, social media, and any other service that requires logging in. You can associate a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring.
6. Shake up your password protocol
Consider using the longest password or passphrase permissible. Get creative and customize them for different sites, which can prevent cyber criminals from gaining access to multiple accounts in the event of a breach.
No need to memorize your strong passwords and passphrases: Use password managers to generate and store them.
7. Install and update antivirus software
Make sure all of your computers, Internet of Things (IoT) devices, mobile phones, and tablets are equipped with regularly updated antivirus software, firewalls, email filters, and anti-spyware.
Be Cyber Smart Across Your Supply Chain
Rising regulatory pressure is coupled by increasing third party risks, and your organization needs to extend cyber hygiene practices beyond its own perimeter.
This strategy guide explains how to sustain a secure vendor ecosystem by solving security and compliance problems for enterprises and third party vendors.
