Originally Published July 2021
Updated August 2023
You can't stop someone from sending you a phishing email, but you can put in place strong defense measures to prevent phishing emails from harming you.
What can you do to prevent phishing email attacks? We recommend a multi-layered approach, and that starts with your weakest link: the end user.
In this blog, we cover what phishing is, shed light on the motives driving these attacks and offer practical strategies to effectively safeguard your workplace against potential harm caused by phishing attempts.
What is a Phishing Email?
Phishing emails can be tricky. We all know not to mess with an email from a sender we don’t recognize.
But it’s easy for an unsuspecting user to click on a link they thought was from a trusted source – a link that gives criminals access to your systems and/or your data. Phishing email attacks can take on several forms:
A phishing attack occurs when an email attempts to gain access to privileged information, including usernames, passwords, credit card data or bank account numbers.
They might ask for your credentials, and if you enter them, the hacker has your account information.
Phishing emails often employ deceptive tactics, urging recipients to click on suspicious links or open malicious attachments. These actions can unwittingly introduce a trojan horse into your system, enabling cybercriminals to exploit vulnerabilities and launch targeted attacks against you.
Spear phishing is a targeted and highly personalized form of phishing attack. Unlike traditional phishing, which casts a wide net and sends generic emails to a large number of recipients, spear phishing focuses on a specific individual or a small group of individuals within an organization.
You wouldn’t expect hackers to take the time to make such a targeted attack on you or your company, but it happens every day.
They’ll use your name, your company name, your manager’s name, a familiar phone number or a customer name. Anything to gain your trust and get you to click or give them information.
Whaling is a type of phishing attack that specifically targets high-profile individuals within an organization, such as top-level executives, CEOs, CFOs or other key decision-makers.
Similar to spear phishing, whaling attacks are personalized and tailored to exploit the specific roles and characteristics of the targeted individuals. Attackers research their victims extensively to gather detailed information about them, including their job titles, responsibilities, personal preferences and even their connections with other employees or business partners.
A hacker may disguise themselves as a C-Level executive in your organization to provoke action. They might even use a false domain name that looks similar to yours at first glance.
Be extra careful with emails that appear to be from file-sharing services like SharePoint, OneDrive, Google Drive or Dropbox.
They will ask you to click a link and log in to your account. These emails can look very real, when in fact they are set up to steal your login information.
Why Do Hackers Use Phishing Emails?
Hackers have all kinds of tools and tricks to make them “smart.” What they don’t have is privileged access to your systems.
They want to gain access to your systems and elevate their privileges as high as they can within them. The minute they gain credentials, payment information or any access to your systems, they have succeeded in their quest.
Phishing emails are so common because:
- Hackers want your money. Phishing scams aim to blackmail victims, steal data or gain credit card and bank information. This is a big, lucrative business for hackers and can be the first step in many ransomware attacks, data breaches and other cybercrimes. Sometimes they may be in the system accessing information and waiting for the most opportune time to strike.
- End users are easy targets. No one intends to be a phishing victim, but many forget to think before they click. Recognizing a phishing email is sometimes easier said than done.
- Anyone can do it. You, me or any inexperienced hacker can send a phishing email. Thousands of tools and “script kits” are for sale on the dark web.
End User Education
Educating the end user is the best defense. We always advise a multi-layered approach to IT security (more on that below), but end users are the easiest access point for hackers.
Recognizing Phishing Emails
To prevent phishing email attacks from harming your systems, teach end users these email rules:
- Think before you click. Links and attachments (compressed or executable attachments like .zip files) should never be clicked unless you recognize the sender and you’re expecting something from them. Even when you recognize the sender, is the link or attachment something you were expecting from them? Does it look legitimate, like something they’ve sent before? When in doubt, it doesn’t hurt to give them a quick call or email them in a separate email (do NOT reply to the suspected email) before opening.
- Privileged information should never be shared over email. This can include usernames, passwords, credit card details and bank account numbers.
- Double-check the domain of the sender’s email address, not just their name. While it may look like you’ve received an email from your CEO, it’s common practice for hackers to use a random, unrelated email address or even mimic a domain name to trick you by swapping letters no one would notice with a quick glance.
- If an email arrives with a banner warning from your email security system, it could be a scam; when in doubt, ask your IT team. They see phishing attacks regularly and will tell you if something doesn’t look right.
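The "check the domain, not the name" rule above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original post or from Loffler: it flags a sender domain that is one glance-proof edit away from one of the organization's own domains (assumed here to be example.com and example-corp.com), folds look-alike characters such as "rn" for "m", and catches a trusted address written into the display name while the real address is elsewhere.

```python
from email.utils import parseaddr

# Assumption for this example: the organization's own, trusted domains.
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}

# Character substitutions that read the same at a quick glance.
LOOKALIKE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(domain):
    """Fold visually confusable characters so exarnple.com compares as example.com."""
    domain = domain.lower()
    for fake, real in LOOKALIKE_SWAPS:
        domain = domain.replace(fake, real)
    return domain

def osa_distance(a, b):
    """Edit distance that counts an adjacent-letter swap (exmaple) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_sender(from_header):
    """Return 'trusted', 'lookalike' or 'external' for an RFC 5322 From: value."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted address placed in the display name while the real address is
    # elsewhere: the "looks like it came from your CEO" trick.
    if any("@" + trusted in display.lower() for trusted in TRUSTED_DOMAINS):
        return "lookalike"
    # One glance-proof edit away from a trusted domain is close enough to flag.
    if any(osa_distance(normalize(domain), normalize(t)) <= 1 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"
```

Run it over the raw From: header of each message; a "lookalike" result is a good trigger for the banner warning discussed above, while subdomains of your own domains are not matched and would need their own rule.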
How to Prevent Phishing Emails from Harming Your Workplace
Hackers are smart. They slip through cracks. Nothing can grant you 100% safety, but the best line of defense is a multi-layered approach.
- Share the phishing prevention tactics listed above with your end users. Anti-phishing end-user education is key.
- If you don’t know what your current IT security posture is, find out. Most organizations aren’t able to define the current state of their IT security. Assessing your environment is an important first step in understanding where you are now, and what you can do to improve.
- Use an enterprise password tool so you can manage passwords centrally. We always advise requiring difficult passwords. And don’t save them in a spreadsheet on your network; use enterprise-grade password management tools meant for securing the keys to the kingdom. Spreadsheets are not secure or manageable!
- Implement multi-factor authentication for all users. You have to find a balance so it doesn’t slow down your business processes: multi-factor authentication is a best practice, but it’s not always easy to implement correctly, so plan it carefully.
- Make sure your firewall is properly configured. Firewalls should be configured to only allow in trusted external IP addresses. Ports should be closed except where necessary, and remote-access ports such as RDP (Remote Desktop Protocol) should never be open to the internet.
- Use an anti-spam service. They help to intercept phishing emails before they enter your email system.
- Ensure your anti-virus and anti-malware are up to date and effective. It’s one thing to have them in place; it’s another to maintain them for optimal protection.
- Use a Security Operations Center (SOC) to look for anomalies in your system. They can watch while you’re not and identify when a hacker has gained access to your network by aggregating and investigating suspicious activity. If you don’t have the resources to build your own, and very few organizations do, you can use a SOC-as-a-Service organization to provide this service for you.
- Create a response plan. Have a plan in place for when your system or systems get compromised.
When it comes to phishing emails, an ounce of prevention is worth thousands of dollars in cyberattack mitigation. Your end users have the power to keep your network, and your employees, safe from these cyber threats. It’s your job to empower them to do so.
Loffler is in the business of helping organizations keep their systems secure. Equipped with our CISSPs (Certified Information Systems Security Professionals) and vCISO (Virtual Chief Information Security Officer) security experts, our IT Solutions Group can help you put in place a multi-layered security strategy that fits your organization.
Mike is the Vice President of Information Technology at Loffler. He has been in the IT field since 1993 and was previously an owner of a successful IT solution provider for 12 years. Mike has managed both security and managed service teams and consulted on IT management for both large and SMB organizations. Little known fact: While in college, Mike was the lead singer for a garage band called Mojo and the Kingsnakes. This is now known as “Classic Rock.”