Experts reveal procedures for businesses to minimise phishing attacks

Experts, Richard Archdeacon, Advisory CISO, Duo Security, now part of Cisco; and John Ford, VP and CISO of ConnectWise Cybersecurity Centre of Excellence, give their opinions on how companies can implement certain business techniques to avoid phishing attacks.

Richard Archdeacon:

The starting point for the vast majority of cyberattacks is a click on a phishing email; the fact that it’s still the most common entry route for cybercriminals – and worryingly successful – reveals a widespread lack of solid security fundamentals.

Services such as social media sites or, in some cases, the organisation’s own website can be a wealth of information to attackers. Using this information, criminals can determine who you are with a high degree of accuracy, what role you have in the company, who you work with and more. This information is then used to craft very personalised spear phishing campaigns.

While high-profile breaches have compelled more organisations to strengthen their information security strategies, many still don’t have the expertise or guidance to implement basic mitigations. However, there are some simple procedures and policies organisations can put in place to prevent phishing attacks:

  • Provide your users with the ability to recognise phishing emails. This should cover what a phishing email looks like – is it written in poor language and does it have a legitimate email address? To encourage users, make it clear that these skills apply just as much at home as they do in the office – a transferable skill with a personal benefit
  • Continuous education through phishing tests. Sending test phishing emails to users will keep up their identification skills. This should be emphasised as educational and not a pass/fail test, so it is a positive experience for them. In addition, very clear instructions should be provided as to what to do if a phishing email is detected and, most importantly, if one is inadvertently triggered
  • Implement and require two-factor authentication (2FA). Even if a user’s password is compromised through a phishing attack, their accounts will still be protected by a second factor of authentication. Attackers cannot log in without possession of a user’s physical device
  • Encourage users to update devices on a timely basis. Devices running older versions of software without security features enabled are more likely to be affected by publicly-known vulnerabilities that can hide in malicious email attachments masquerading as legitimate files or documents
  • Get visibility into the health of the devices accessing the network. Many employees use their personal smartphones and laptops to log into corporate resources from different networks at different times. Gaining insight into the health of these endpoints means that organisations can prevent insecure and poorly-patched devices from accessing company information
  • Get visibility into the personal vs. corporate-owned devices on your network. Personal devices in the workplace may have multiple work and personal accounts, as the line between the two continues to blur. BYOD can introduce risks but these can be mitigated by identifying whether a device is personal or corporate, and strengthening access security policies to require more stringent checks for personal devices using work applications

By establishing trust in users and their devices before granting them access, you can protect your organisation against the impact of phishing attacks.

John Ford:

As we know, endpoints are the target of many network attacks. Phishing, ransomware and malware count on the vulnerability (and often gullibility) of end-users to make an entrance and infiltrate deeper into the network.

Here are some simple steps users can take to avoid becoming a victim:

  • Be suspicious of any email or communication (including text messages, social media posts and ads) with urgent requests for personal financial information. Phishers typically include upsetting or exciting (but false) statements to get people to hand over their usernames, passwords, credit card numbers, social security numbers, dates of birth and other personal information
  • Avoid clicking on links. Instead, go to the website by typing the web address directly into your browser or by searching for it in a search engine. Calling the company to verify its legitimacy is also an option
  • Pay attention to the website you are being directed to and hover over URLs. An email that appears to be from PayPal could direct you to a website that is instead ‘http://www.2paypal.com’ or ‘hxxp://www.gotyouscammed.com/paypal/login.htm’
  • Don’t send personal financial information via email and avoid filling out forms in email that ask for your information
  • Only ever communicate information such as credit card numbers or account information via a secure website or telephone. Use a secure website (https:// and a security ‘lock’ icon) when submitting credit card or other sensitive information online
  • Never use public, unsecured Wi-Fi for banking, shopping or entering personal information online, even if the website is secure
  • When in doubt, your 3/4G or LTE connection is always safer than using public Wi-Fi

A few other helpful tips include:

  • Subscribe to a toolbar add-on that users who see something suspicious can forward the email to, which routes it to a ‘sandbox’ account or internal IT to be evaluated
  • Unless an email is digitally signed, you can’t be sure it wasn’t forged or spoofed
  • Double-clicking the ‘lock’ icon on a website will display the security certificate for the website. If the certificate isn’t displayed, or you get a warning message that the address of the website does not match the certificate, do not continue
  • Typically, phisher emails are not personalised, but they can be. Valid messages from your bank and e-Commerce companies are personalised. When in doubt, call the company directly to see if the email is in fact from them

Phishers have the ability to spoof and/or forge the https:// that you normally see on a secure web server and a legitimate-looking web address, which – again – is why you should always type the web address yourself instead of clicking on displayed links.
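The lookalike-link checks John Ford describes above (the ‘2paypal.com’ and ‘gotyouscammed.com/paypal/’ examples, and hovering to compare the displayed link with the real target) can be automated for a mail gateway or a user-reported-phish triage queue. The following is an added Python example and is not part of the original article or of either expert's contribution. The brand-to-domain table, the handling of defanged ‘hxxp://’ links, and the sample links are assumptions constructed for illustration; a production check would resolve the registrable domain with the Public Suffix List rather than the two-label approximation used here.

```python
"""Lookalike-link check for the PayPal-style examples in the article.

Added example, not from the article. Standard library only.
KNOWN_BRAND_DOMAINS and SAMPLE_LINKS are constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumed: brands we care about and the registrable domains they legitimately use.
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
}

# Constructed sample links, including the two quoted in the article.
SAMPLE_LINKS = [
    ("http://www.2paypal.com", "https://www.paypal.com"),
    ("hxxp://www.gotyouscammed.com/paypal/login.htm", "Log in to PayPal"),
    ("https://www.paypal.com/signin", "https://www.paypal.com/signin"),
    ("https://paypal.com.evil.example/login", "PayPal login"),
]


def normalise_scheme(url: str) -> str:
    """Turn defanged 'hxxp://' / 'hxxps://' links back into parseable URLs."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Good enough for .com-style names; real code should consult the
    Public Suffix List so that 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href: str, display_text: str = "") -> list[str]:
    """Return a list of findings for one link; an empty list means nothing suspicious.

    Checks performed:
      1. the target is not https
      2. a known brand is mentioned in the host, path or displayed text,
         but the registrable domain is not one the brand actually owns
      3. the displayed text is itself a URL whose host differs from the
         real target (the 'hover over the link' check)
    """
    findings = []
    parts = urlsplit(normalise_scheme(href))
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)

    if parts.scheme != "https":
        findings.append("not https")

    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        mentioned = (
            brand in host
            or brand in parts.path.lower()
            or brand in display_text.lower()
        )
        if mentioned and reg not in domains:
            findings.append(f"mentions {brand} but registrable domain is {reg}")

    if display_text:
        shown = urlsplit(normalise_scheme(display_text))
        if shown.hostname and shown.hostname.lower() != host:
            findings.append(
                f"display text shows {shown.hostname.lower()} but link goes to {host}"
            )

    return findings


if __name__ == "__main__":
    for href, shown in SAMPLE_LINKS:
        verdict = check_link(href, shown) or ["looks consistent"]
        print(f"{href!r} (shown as {shown!r}):")
        for line in verdict:
            print("   -", line)
```

Note that the check deliberately treats a brand name appearing only in the path (‘/paypal/login.htm’) as just as suspicious as one in the hostname, since that is the pattern in the second quoted example; the ‘not https’ finding is a weak signal on its own and is reported separately so a triage rule can weight it accordingly.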

Intelligent CIO Europe