Phishing is one of the biggest threats that businesses have to deal with but unfortunately, there is no single cybersecurity solution that can fully protect against phishing. Phishing prevention requires a multi-faceted approach, multiple layers of protection, and a combination of technical and non-technical defenses. To help you develop an effective phishing prevention strategy we have provided a list of measures that you should consider implementing.
What is Phishing?
Phishing is a form of social engineering that exploits human weaknesses. In the context of cybersecurity, social engineering is the manipulation of people to get them to do something they would not usually do, such as telling someone their password. If someone were to walk up to you in the street and ask you what your online banking password is, you would naturally not tell them, but that is exactly what happens with phishing.
For example, a threat actor sends an email to a company employee with the sender address configured to make the email appear to have been sent by the company’s IT department. The email explains that the employee’s password has expired, and they need to log in and set a new password. The link provided directs the employee to a website where they must disclose their old password and set a new one. The site is under the control of the attacker, and the employee’s password is captured and used to remotely access their account.
Phishing occurs through virtually all communication channels: email, SMS, instant messaging, social media, websites, and over the telephone. The attacker usually impersonates a trusted individual or company and provides a pressing reason for action to be taken quickly. A threat is often issued to get people to take the requested action: if no action is taken, there will be negative repercussions.
Why is Phishing Such a Major Threat?
Phishing attacks are conducted to steal sensitive information, distribute malware, and gain unauthorized access to business networks. Phishing is often the initial access vector in ransomware attacks, nation-state threat actors use phishing to gain persistent access to business networks for espionage purposes, and hacktivists use phishing to access and sabotage IT systems. Phishing attacks are low cost, require little technical skill, and they can be highly effective. Phishing campaigns have also become more sophisticated and much harder for cybersecurity solutions to identify. An email security solution, for example, is an excellent phishing prevention solution and it will block the majority of malicious emails, but no email security solution will block all phishing emails. Nor do these solutions block phishing attempts over SMS, social media, instant messaging services, and the Internet.
Phishing campaigns may also be conducted that use a combination of communication channels. Callback phishing, for example, involves initial contact by email, with the “phishing” taking place over the telephone. These hybrid phishing campaigns have become much more common, especially with ransomware gangs, precisely because the phishing prevention strategies of businesses fail to block these threats.
Phishing Prevention Measures to Consider Implementing
As previously mentioned, there is no phishing prevention solution that you can put in place to block all phishing attacks. The number of cybersecurity solutions you will need to implement will depend on the level of risk you face. For very small businesses, an email security solution and security awareness training for your employees may be sufficient, whereas larger businesses will need to implement a wider range of phishing prevention measures as they will be targeted more often and are more likely to encounter sophisticated threats.
Many of the phishing prevention measures listed below will not only help you to block phishing attempts they will also improve your defenses against other types of cyberattacks.
Phishing Prevention Solutions
A range of cybersecurity solutions are available for preventing phishing attacks. You should consider implementing a combination of these solutions to create multi-layered defenses.
Email Security Software
Most phishing threats will arrive via email, so an email security solution is one of the most important phishing prevention solutions. These solutions – often called secure email gateways or spam filters – are the first line of defense and will check all inbound emails for signs of phishing and malicious software. Email security software will check the headers of emails and will block emails from known malicious IP addresses and domains with poor reputations, and scans will be performed on email attachments to look for malicious code. Many solutions include machine learning technology or artificial intelligence algorithms that can distinguish between the standard emails normally received by a business and potentially malicious emails.
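The header checks described above can be illustrated in code. The following Python script is an added example, not code from the original article or from any vendor's product: it parses two constructed messages (a lure with a lookalike sender domain and a genuine internal notice), extracts the connecting IP from the topmost Received header, and applies a small set of gateway-style rules against constructed blocklists and a constructed internal mail-relay range. The domains, addresses, IPs and reason codes are all invented for the example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample messages: one phishing-style lure and one legitimate
# internal notice. Domains, IPs and addresses are made up for the example.
PHISH_EMAIL = """\
Return-Path: <alerts@examp1e-corp.com>
Received: from mail.examp1e-corp.com (mail.examp1e-corp.com [203.0.113.45])
    by mx.example.com with ESMTP
From: "Example Corp IT Department" <helpdesk@example.com>
Reply-To: support@examp1e-corp.com
Subject: Your password expires today

Your password has expired. Log in at the link below to set a new one.
"""

GENUINE_EMAIL = """\
Return-Path: <helpdesk@example.com>
Received: from hub.example.com (hub.example.com [192.0.2.10])
    by mx.example.com with ESMTP
From: "Example Corp IT Department" <helpdesk@example.com>
Subject: Scheduled maintenance on Saturday

The VPN gateway will be unavailable 02:00-04:00 on Saturday.
"""

# Constructed reputation and topology data standing in for a gateway's
# threat-intelligence feeds and the organisation's own mail configuration.
INTERNAL_DOMAIN = "example.com"
INTERNAL_MTA_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BLOCKED_IPS = {"203.0.113.45"}
BLOCKED_DOMAINS = {"examp1e-corp.com"}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def connecting_ip(msg):
    """IP of the host that handed the message to our MX.

    Each hop prepends its own Received header, so the first header that names
    a bracketed IP is our MX's own record of who connected to it. Received
    headers below that were written by other hosts and cannot be trusted.
    """
    for received in msg.get_all("Received", []):
        match = RECEIVED_IP.search(received)
        if match:
            return match.group(1)
    return None


def screen(raw_message):
    """Apply header-based phishing checks; returns (verdict, reason codes)."""
    msg = email.message_from_string(raw_message)
    reasons = []

    ip = connecting_ip(msg)
    from_domain = sender_domain(msg.get("From"))
    envelope_domain = sender_domain(msg.get("Return-Path"))
    reply_domain = sender_domain(msg.get("Reply-To"))

    if ip in BLOCKED_IPS:
        reasons.append("blocked_ip")
    if envelope_domain in BLOCKED_DOMAINS or from_domain in BLOCKED_DOMAINS:
        reasons.append("blocked_domain")
    # Envelope sender and visible From normally agree (the alignment idea behind DMARC)
    if envelope_domain and from_domain and envelope_domain != from_domain:
        reasons.append("envelope_from_mismatch")
    # Replies silently redirected to another domain are a classic lure pattern
    if reply_domain and reply_domain != from_domain:
        reasons.append("reply_to_mismatch")
    # A message claiming to come from us must arrive from one of our own relays
    if from_domain == INTERNAL_DOMAIN and ip is not None:
        if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_MTA_NETS):
            reasons.append("internal_from_external_ip")

    verdict = "quarantine" if reasons else "deliver"
    return verdict, reasons


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(label, *screen(raw))
```

Real gateways layer SPF, DKIM and DMARC evaluation, attachment scanning and content classifiers on top of checks like these; the point of the example is that several independent header signals fire on the lure while the genuine notice passes cleanly.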
While these solutions are effective, the tactics, techniques, and procedures of phishers are constantly changing, and some phishing emails will not be correctly identified and blocked – at least not without blocking an unacceptable number of genuine emails, so other measures are also required.
Web Security Software
Phishing campaigns that aim to steal sensitive information such as login credentials often trick people into visiting a malicious website. The websites appear to be genuine sites and they can be difficult for people to identify as malicious. Web security software – aka web filters and DNS filters – has lists of known malicious URLs and will block attempts to visit malicious web pages. New malicious URLs are constantly being created for use in phishing campaigns, so these solutions also include the real-time scanning of web content. They also categorize web pages and content and allow businesses to block access by category, can be configured to prevent certain file downloads from the Internet, and can also identify and block communications between threat actors and malware.
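A URL blocklist is only as good as the hostname normalization in front of it. The Python below is an added example, not code from the article or from any web-filter product: it canonicalizes a URL the way a filter must before lookup (dropping credentials placed before an "@", ports, case, trailing dots, and converting internationalized hostnames to their ASCII form) and then checks the host and each of its parent domains against a constructed blocklist and a constructed category feed. All domains and categories are invented for the example; the "newly-registered" category stands in for the category-based blocking the paragraph describes.

```python
from urllib.parse import urlsplit

# Constructed blocklist of domains a web filter would refuse outright. The
# second entry is the ASCII (punycode) form of an accented lookalike hostname.
BLOCKED_DOMAINS = {
    "examp1e-corp.com",
    "exámple.com".encode("idna").decode("ascii"),
}

# Constructed categorisation feed keyed by domain, and the categories we block.
CATEGORY_FEED = {
    "freshly-made-site.test": "newly-registered",
    "example.org": "business",
}
BLOCKED_CATEGORIES = {"newly-registered", "phishing"}


def normalize_host(url):
    """Return the canonical ASCII hostname a filter should match against.

    Handles a missing scheme, mixed case, a trailing dot, credentials before
    '@' (a common trick that puts a trusted name at the start of the URL),
    explicit ports, and Unicode/IDN hostnames (converted to punycode).
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""  # strips userinfo and port, lower-cases
    host = host.rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # leave an unencodable host as-is; it will simply not match
    return host


def domain_candidates(host):
    """Yield the host and each parent domain (but not the bare TLD), so a
    blocked apex domain also blocks every subdomain beneath it."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def decide(url):
    """Filter decision for a URL: ('block', reason) or ('allow', reason)."""
    host = normalize_host(url)
    for candidate in domain_candidates(host):
        if candidate in BLOCKED_DOMAINS:
            return "block", f"domain {candidate} is on the blocklist"
        category = CATEGORY_FEED.get(candidate)
        if category in BLOCKED_CATEGORIES:
            return "block", f"domain {candidate} is categorised {category}"
    return "allow", f"no match for {host}"


if __name__ == "__main__":
    for url in (
        "HTTPS://Login.EXAMP1E-CORP.com:8443/reset",
        "http://example.com@examp1e-corp.com/reset",
        "http://exámple.com/",
        "http://freshly-made-site.test/login",
        "https://www.example.org/docs",
    ):
        print(url, "->", decide(url))
```

Production filters add real-time page scanning behind this lookup, as the paragraph notes; the normalization step is what stops trivially rewritten URLs from slipping past the list.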
Multifactor Authentication
Multifactor authentication provides another layer of protection and prevents stolen credentials from being used to access accounts. If a threat actor obtains a username and password in a phishing attack, those credentials will be used to remotely access the account. Multifactor authentication – or 2-factor authentication – requires a second form of authentication in addition to a password before access to the account will be granted. That could be a one-time passcode sent to a mobile phone, a hardware-based device such as a YubiKey, or an inherence factor, such as a fingerprint.
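To show why a phished password on its own is not enough, the Python below is an added example, not code from the article: it implements the time-based one-time password algorithm (RFC 6238, HMAC-SHA1, 30-second steps) that authenticator apps use, together with a server-side verifier that tolerates one step of clock drift and refuses to accept the same code twice. The article mentions passcodes sent to a phone; an authenticator-app TOTP is assumed here as the concrete variant. The shared secret is the published RFC 6238 test-vector secret, not a real account's.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret ("12345678901234567890" in base32). Used here
# only so the output can be checked against the RFC's published vectors.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def totp_code(secret_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side second-factor check.

    Accepts codes from the current step and +/- drift_steps neighbours (for
    clock drift), and records the highest step already used so that a code
    captured by a phisher cannot be replayed once the victim has used it.
    """

    def __init__(self, secret_b32, drift_steps=1):
        self.secret_b32 = secret_b32
        self.drift_steps = drift_steps
        self.last_used_counter = -1

    def verify(self, submitted_code, unix_time=None):
        now = int(time.time() if unix_time is None else unix_time)
        current = now // STEP_SECONDS
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_used_counter:
                continue  # that step has been consumed: reject replays
            expected = totp_code(self.secret_b32, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted_code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    t = 1111111109  # one of the RFC 6238 vector timestamps
    code = totp_code(RFC_TEST_SECRET_B32, t)
    v = TotpVerifier(RFC_TEST_SECRET_B32)
    print("code", code, "first use:", v.verify(code, t), "replay:", v.verify(code, t))
```

The replay guard matters in the phishing scenario: a proxying phishing page can relay a code to the real site within its 30-second window, but once the legitimate login has consumed that step the captured code is dead. Phishing-resistant factors such as the hardware keys the paragraph mentions go further by binding the authentication to the genuine site's origin.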
Antivirus Software
Endpoint security solutions such as antivirus software will protect against malware infections. Standard antivirus software uses signature-based detection mechanisms, so it will only block malware that has previously been identified by the software provider. More advanced endpoint security solutions are now available that have behavior-based detection capabilities and can identify anomalous activity that could indicate a malware infection. These advanced solutions will protect against new (zero-day) malware threats.
End User Training and Testing
The above technologies are effective at blocking phishing threats; however, they will not block all phishing threats, especially threats via SMS, instant messaging, social media channels, and over the telephone. For instance, callback phishing campaigns involve sending a benign email that has no malicious content. A phone number is provided in the email that the employee is told to call to address an important issue, with the person manning the telephone line tricking the caller into taking the required actions. Email security solutions are unlikely to block the email as they cannot tell if the phone number is genuine, and a web security solution will be ineffective since no website is used.
Phishing targets employees, so a phishing prevention strategy needs to involve security awareness training. Employees need to be prepared for phishing and be taught how to identify phishing attempts and cybersecurity best practices. Security awareness training is one of the most effective ways of reducing phishing risk. For training to be effective, it needs to be relevant and be provided regularly. Consider implementing an ongoing training program that provides short training modules that are conducted every month, rather than a single training session once a year. These shorter sessions – 10 minutes or so – are more likely to keep cybersecurity fresh in the mind and are easy to fit into busy workflows. Cover real-world phishing methods and keep employees informed about the latest threats. Working with a training vendor is the easiest way to provide training.
You should test employees’ knowledge after each training session to make sure the training content has been understood and consider conducting phishing simulations internally – fake phishing emails sent to test whether employees are applying their training. If an employee falls for a fake phishing email, you can provide further training. Choose a platform that provides training in real-time in response to security mistakes – SafeTitan from TitanHQ for example. When there is a timely intervention to correct an error, it is more likely to be taken on board.
Summary
Phishing prevention requires a combination of measures, including technical solutions to block phishing attempts, workforce training to improve awareness of phishing, and measures to reduce the impact of a successful attack. Implement all of these solutions and you will be well protected against all forms of phishing.