You can't stop someone from sending you a phishing email, but you can put in place strong defense measures to prevent phishing emails from harming you.
What can you do to prevent phishing email attacks? We recommend a multi-layered approach, and that starts with your weakest link: the end user.
What Is a Phishing Email?
Phishing emails can be tricky. We all know not to mess with email from a sender we don’t recognize. But it's easy for an unsuspecting user to click on a link they thought was from a trusted source — a link that gives criminals access to your systems and/or your data. Phishing email attacks can take on several forms:
A phishing attack occurs when an email attempts to gain access to privileged information, including usernames, passwords, credit card data or bank account numbers. The email might ask for your credentials; if you enter them, the hacker has your account information. Phishing emails can also ask the recipient to click a link or open an attachment that installs a trojan horse, which then looks for vulnerabilities in your system that can be used to attack you.
Spear phishing is a more targeted version of phishing that is becoming more common. A spear phishing email will include specific information to gain your trust. You wouldn't expect hackers to take the time to make such a targeted attack on you or your company, but it happens every day. They'll use your name, your company name, your manager’s name, a familiar phone number or a customer name. Anything to gain your trust and get you to click or give them information.
Whaling is spear phishing targeted at an executive. These attacks are dangerous because if they can get the executive to click, they can cause next-level harm to your organization. In a whaling attack, a hacker may disguise themselves as a C-Level executive in your organization to provoke action. They might even use a false domain name that looks similar to yours at first glance. This is a real threat. We’ve seen three companies in the last week fall victim to a whaling attack.
Be extra careful with emails that appear to be from file-sharing services like SharePoint, OneDrive, Google Drive or Dropbox. They will ask you to click a link and log in to your account. These can look very real, when in fact they are set up to steal your login information.
Why Do Hackers Use Phishing Emails?
Hackers have all kinds of tools and tricks to make them "smart." What they don't have is privileged access to your systems. They want to gain access to your systems and then elevate their privilege as high as they can within them. The minute they gain credentials, payment information or any access into your system, they have succeeded in their quest.
Phishing emails are so common because:
- Hackers want your money. Phishing scams aim to blackmail victims, steal data or gain credit card and bank account information. This is a big, lucrative business for hackers, and can be just the first step in many ransomware attacks, data breaches and other cyber crimes. Sometimes they may be in the system accessing information and waiting for the most opportune time to strike.
- End users are easy targets. No one intends to be a phishing victim, but many forget to think before they click. Recognizing a phishing email is sometimes easier said than done.
- Anyone can do it. You, me or any inexperienced hacker can send a phishing email. Thousands of tools and "script kits" are for sale on the dark web.
End User Education: Recognizing Phishing Emails
Educating the end user is the best defense. We always advise a multi-layered approach to IT security (more on that below), but end users are the easiest access point for hackers. To prevent phishing email attacks from harming your systems, teach end users these email rules:
- Think before you click. Links and attachments (especially compressed or executable attachments like .zip files) should never be clicked unless you recognize the sender and you’re expecting something from them. Even when you recognize the sender, is the link or attachment something you were expecting from them? Does it look legitimate, like something they’ve sent before? When in doubt, it doesn’t hurt to make a quick call or send them a separate email (do not reply to the suspected email) before opening.
- Privileged information should never be shared over email. This can include usernames, passwords, credit card details and bank account numbers.
- Double check the domain of the sender’s email address, not just their name as it appears in your inbox. While it may look like you’ve received an email from your CEO, it’s common practice for hackers to use a random, unrelated email address or even mimic a domain name to trick you by swapping letters no one would notice with a quick glance.
- If an email comes with a banner warning you the email could be a scam, take precautions. Services exist to detect phishing emails and warn you when something doesn't look right. Trust them and delete potential scams.
- When all else fails, ask your IT team what they think of the suspicious email. They see phishing attacks regularly and will tell you if something doesn’t look right.
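To make the sender-domain rule above concrete (display name versus the real address, and a mimic domain with one swapped or substituted letter), here is an added example that is not part of the original post: a small Python classifier for a single From: header. The trusted-domain list and the confusable-character table are constructed for the example and would be replaced with an organization's own data.

```python
from email.utils import parseaddr

# Constructed trusted list for this example; a real deployment would load the
# organisation's own domains and those of the services it actually uses.
TRUSTED_DOMAINS = {"loffler.com", "sharepoint.com", "dropbox.com"}

# Letter/digit pairs that read alike at a quick glance (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(domain):
    """Lower-case and fold look-alike characters to their plain equivalent."""
    d = domain.lower()
    for lookalike, plain in CONFUSABLES:
        d = d.replace(lookalike, plain)
    return d

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_sender(from_header):
    """Return 'trusted', 'lookalike of <domain>', 'display-name mismatch',
    'untrusted' or 'malformed' for one From: header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower()
    # exact trusted domain, or a sub-domain of one (e.g. mail.loffler.com)
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        # one swapped, dropped or substituted character is the classic mimic domain
        if osa_distance(norm, normalize(trusted)) <= 1:
            return f"lookalike of {trusted}"
    # the display name borrows a trusted brand while the address lives elsewhere
    if any(t.split(".")[0] in name.lower() for t in TRUSTED_DOMAINS):
        return "display-name mismatch"
    return "untrusted"
```

A mail gateway or a user-facing warning banner (the kind the next rule refers to) could run this check on every inbound message and flag anything other than "trusted" for a second look.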
Beyond Vigilance: How to Prevent Phishing Emails from Harming Your Workplace
Hackers are smart. They slip through cracks. Nothing can grant you 100% safety, but the best line of defense is a multi-layered approach.
- Share the phishing prevention tactics listed above with your end users. Anti-phishing end-user education is key.
- If you don’t know what your current IT security posture is, find out. Most organizations aren't able to define the current state of their IT security. Finding your Cyber Security Score is an important first step in understanding where you are now, and what you can improve.
- Use an enterprise password management tool so you can manage passwords centrally. We always advise requiring difficult passwords. And don’t save them in a spreadsheet on your network; use enterprise-grade password management tools meant for securing the keys to the kingdom. Spreadsheets are not securable or manageable!
- Implement multi-factor authentication for all users. You have to find a balance with this, so it doesn’t become a slow-down for your business processes. While multi-factor authentication is a best practice, it’s not always easy to implement correctly, but it is something to consider.
- Make sure your firewall is properly configured. Firewalls should be configured to only allow in trusted external IP addresses. Ports should be closed except where necessary, and services like RDP (Remote Desktop Protocol) should never be exposed to the internet.
- Use an anti-spam service. They help to intercept the phishing emails before they enter your email system.
- Ensure your anti-virus and anti-malware are up-to-date and effective. It's one thing to have them in place; it's another to maintain them for optimal protection.
- Use a Security Operations Center (SOC) to look for anomalies in your system. They can watch while you are not and identify when a hacker has gained access to your network by aggregating and investigating suspicious activity. If you don’t have the resources to build your own, and very few organizations do, you can use a SOC-as-a-Service organization to provide this service for you.
- Create a response plan. Have a plan in place for when your system or systems get compromised.
When it comes to phishing emails, an ounce of prevention is worth thousands of dollars in cyber-attack mitigation. Your end users have the power to keep your network, and your employees, safe from these cyber threats. It’s your job to empower them to do so.
Loffler is in the business of helping organizations keep their systems secure. Equipped with our CISSPs (Certified Information Systems Security Professionals) and vCISO (Virtual Chief Information Security Officer) security experts, our IT Solutions Group can help you put in place a multi-layered security strategy that fits your organization.
Mike is the Vice President of Information Technology at Loffler. He has been in the IT field since 1993 and was previously an owner of a successful IT solution provider for 12 years. Mike has managed both security and managed service teams and consulted on IT management for both large and SMB organizations. Little known fact: While in college, Mike was the lead singer for a garage band called Mojo and the Kingsnakes. This is now known as “Classic Rock.”