Companies are juicy targets for threat actors from the dark web because their proprietary data is a commodity that can be traded and leveraged for industrial espionage, blackmail, unfair competition or outright theft of funds. To their credit, many organizations now deploy strong perimeter defenses, including intrusion detection and prevention systems (IDS/IPS), that catch and block a large share of classic network intrusions.
Under the circumstances, cybercrooks are increasingly turning to social engineering to pull off their breaches. They know the human factor is one of the weakest segments of an organization’s security posture, and that the protection of enterprise assets is only as strong as its weakest link.
While there are numerous flavors of social engineering, phishing is by far the most common. It denotes a tactic where attackers send rogue emails to a company’s employees, requesting sensitive corporate information or containing links to fake login pages and malicious websites. The goal is to wheedle out valuable data, such as bank details or account credentials, or to infect the IT infrastructure with malware. These phony emails are getting harder to identify, and some of them will slip past email filters and fool even vigilant users.
According to PhishMe, phishing campaigns grew by 65 percent in 2017 versus the previous year, and the average attack cost a mid-sized organization roughly $1.6 million. Whether you run a small or a big business, you will be confronted with this hoax at some point, so you’d better be prepared. The following best practices will help your company avoid phishing attacks and limit the damage if one gets through.
1. Configure user accounts the right way
Administrator privileges should be the exception rather than the rule. As an executive, stick to the principle of least privilege for your staff: give employees the minimum access to the company’s digital infrastructure that is sufficient for their jobs, and nothing more. This way, if a staff member falls for a phishing or spear phishing scam, the impact is confined to the systems and data that user can reach.
Another useful measure is to enforce reasonable web browsing restrictions for standard user accounts (for example, through a filtering proxy or DNS-based blocking) so that employees cannot reach known malicious sites even if they click a link in a booby-trapped email.
Enable two-factor authentication for all valuable accounts, including corporate email. With 2FA active, a stolen password alone is no longer enough to log in. Keep in mind that 2FA is not a silver bullet: phishing pages that relay one-time codes to the real site in real time, and repeated push prompts that wear users down into approving one, can still defeat weaker second factors, so prefer phishing-resistant methods such as hardware security keys where you can.
2. Know your business to tell the norm from the anomaly
It’s worth analyzing the specific phishing vectors that criminals might use against your organization. For instance, they can send a bogus invoice to personnel, or request a money transfer while impersonating an entity you do (or don’t) do business with. Consider which properties of these messages would raise red flags from the average staffer’s perspective.
Make sure your employees know your business processes well enough to spot suspicious requests. Do you actually use the services of the organization the invoice came from? Is it normal for partner companies to request this type of information from your staff? Communicate with your team about how you operate and which companies you have relationships with, so that they can tell a potentially fraudulent message from a genuine one.
3. Look out for apparent signs of phishing
Expecting your personnel to spot and delete every phishing message is a futile approach; it will keep them from performing their regular duties and hurt productivity. Nevertheless, these tricky emails share some common traits worth looking out for. Here’s a lowdown on the typical indicators of a phishing attack:
- Many of these frauds originate abroad and contain spelling, grammar and punctuation errors. They may also mimic official requests or notifications and include logos and other graphics of the companies being impersonated. If these elements are poorly designed or of low quality, treat the email with caution.
- If the email imposes a deadline or otherwise pressures you into acting immediately, that may be a sign of phishing.
- Are you addressed by name? A generic salutation such as “dear customer” or “valued partner” may indicate that the sender doesn’t actually know you and that a phishing scam is in progress.
- A bit of healthy paranoia won’t hurt when you receive an email that appears to come from a top manager in your company. This is particularly important if the sender requests a payment and names a specific bank account it should go to. Scrutinize the display name and check the address for typos or for a lookalike domain after the “@” character (for instance, a digit 1 standing in for the letter l). You may well be dealing with an impostor.
4. Adjust your email filters
Email filtering solutions aim to identify potentially malicious messages and automatically move them to the Spam or Junk folder. This is easier said than done: the filtering criteria have to fit your organization, so it’s important to define those rules yourself rather than trusting the defaults. An out-of-the-box configuration may let scam emails into the inbox or, conversely, quarantine legitimate ones.
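Putting the indicators from section 3 and the organization-specific filtering rules from section 4 together, here is an added example (not code from the original article) of a small rule-based scorer that a mail-handling script could run over incoming messages before they reach the inbox. It assumes a hypothetical corporate domain (example.com), a list of known partner domains and a list of executive display names, all constructed for illustration, plus two constructed sample messages: a CEO-fraud attempt from a typo-squatted domain and a genuine partner email.

```python
"""Rule-based phishing indicator scorer.

Added example, not code from the original article. The corporate domain,
partner domains, executive names and both sample messages below are
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organization data (constructed for the example).
CORPORATE_DOMAIN = "example.com"
KNOWN_DOMAINS = {"example.com", "acme-supplies.com"}
EXECUTIVE_NAMES = {"jane doe", "john roe"}

# Phrases tied to the indicators in the article: generic salutation,
# time pressure, and payment/bank-account requests.
GENERIC_GREETINGS = ("dear customer", "valued partner", "dear user", "dear sir")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended")
PAYMENT_PHRASES = ("wire transfer", "bank account", "iban", "invoice")

# Weights: impersonating an executive from a foreign domain outweighs
# a single stylistic hint. The threshold is a tuning knob for your org.
WEIGHTS = {
    "generic_greeting": 1,
    "urgency": 1,
    "payment_request": 1,
    "lookalike_domain": 2,
    "executive_impersonation": 3,
}
FLAG_THRESHOLD = 3


def edit_distance(a, b):
    """Levenshtein distance; one or two edits away from a known domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain):
    """Return the known domain this one imitates, or None if it is exact or unrelated."""
    for known in KNOWN_DOMAINS:
        if domain != known and edit_distance(domain, known) <= 2:
            return known
    return None


def message_text(msg):
    """Collect the plain-text body from single-part or multipart messages."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Score one RFC 822 message; returns fired indicators, total score and verdict."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    body = message_text(msg).lower()
    first_line = body.strip().splitlines()[0] if body.strip() else ""

    fired = []
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        fired.append("generic_greeting")
    if any(p in body for p in URGENCY_PHRASES):
        fired.append("urgency")
    if any(p in body for p in PAYMENT_PHRASES):
        fired.append("payment_request")
    imitates = lookalike_domain(domain)
    if imitates:
        fired.append("lookalike_domain")
    # The display name matches an executive but the address is not corporate.
    if display_name.strip().lower() in EXECUTIVE_NAMES and domain != CORPORATE_DOMAIN:
        fired.append("executive_impersonation")

    score = sum(WEIGHTS[f] for f in fired)
    return {"from": address, "imitates": imitates, "indicators": fired,
            "score": score, "flag": score >= FLAG_THRESHOLD}


# Constructed sample messages (not real mail).
PHISHING = """\
From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent wire transfer

Dear customer,

I need you to process a wire transfer immediately to the bank account below.
IBAN: DE00 0000 0000 0000 0000 00
Jane
"""

LEGIT = """\
From: Sam Lee <sam.lee@acme-supplies.com>
To: accounts@example.com
Subject: Q3 order confirmation

Hi Maria,

Attached is the order confirmation we discussed on the call yesterday.
Let me know if anything looks off.

Sam
"""

if __name__ == "__main__":
    for sample in (PHISHING, LEGIT):
        print(score_message(sample))
```

The scorer is deliberately transparent: every fired indicator maps to one bullet in the list above, so a reviewer can see why a message was flagged, and the partner and executive lists are the organization-specific knowledge that a default filter configuration lacks.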
5. Report phishing attacks
Instruct your personnel to notify the IT or security team whenever they think they may have fallen for a phishing message. Scanning the affected machine for malware and changing compromised credentials right after the incident keeps the adverse effects to a minimum. Refrain from punishing employees in such cases; otherwise they will hesitate to report these scams in the future, or spend an unreasonable amount of time vetting every message they receive.
6. Don’t spill too much information online
Do you know what OSINT is? Cybercriminals do. They typically collect all sorts of publicly available information about a company when preparing their phishing campaigns, which lets them make their scam emails look credible. Assess your organization’s Internet footprint and make sure no overly sensitive details (org charts, internal email address formats, who approves payments) are posted on the official website or social media. The same applies to what your partners and suppliers disclose about your company online.
Summary
Relying on automated filtering alone to stop phishing is a losing strategy. Technical controls reduce the volume, but the remaining protection comes down to the prudence of your staff. So focus on phishing awareness training and run simulations on a regular basis, so that your team knows exactly how to identify and handle fraudulent messages. By investing in training today, you will save yourself the trouble of recovering from a breach tomorrow.