Phishing

The Best Techniques to Avoid Phishing Scams

Irfan Shakeel
January 10, 2017 by
Irfan Shakeel

Phishing is a form of online identity theft in which fraudsters trick Internet users into submitting personal information to illegitimate websites. These attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. So far the hackers have used emails to launch this type of attack, but with the widespread use of social media networks and smartphones with internet access, the attacking vectors are growing in number.

Best Techniques to Avoid Phishing Scams

Whether it's getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication they can perform to steal valuable data. Businesses, of course, are a particularly worthwhile target.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

There are various phishing techniques that attacker uses:

  • Embedding a link in an email that redirects your employee to an unsecured website that requests sensitive information.
  • Installing a Trojan via a malicious email attachment or ad which will allow the intruder to exploit loopholes and obtain sensitive information.
  • Spoofing the sender address in an email to appear as a reputable source and request sensitive information.
  • Attempting to obtain company information over the phone by impersonating a known company vendor or IT department.

Due to improper readiness and awareness about the phishing attacks, many companies fall prey to phishing attacks. However, the question is how can we prevent phishing attacks and scams?

There are several human and technological factors that companies should consider to avoid falling victim to phishing attacks:

Never respond to emails that request personal financial information:

Banks and e-commerce companies generally send personalize emails to their customers, while phishers do not. Phishers often include some sensational messages, (e.g., "Urgent - your account details may have been stolen") to get an immediate reaction from the recipient. Due to security reasons, reputable organizations avoid asking personal information from their customers in an email. Even if such the email seems legitimate, don't respond. Contact the company by phone or by visiting their website. Pick up the phone and speak to a real person, or type the URL in yourself by hand rather than clicking a link in a suspicious email.

Avoid clicking on provided links in suspicious emails:

Most of the phishing emails contain some URLs that redirect you to the page where entries for financial or personal information are required. That page is delicately built to replicate some other trusted website to gain users trust. So, an Internet user should never make confidential entries through the links provided in the emails. Make sure to type the URL yourself to avoid any phishing scam.

Protection through Software:

Anti-spyware and firewall settings should be used to prevent phishing attacks and users should update the programs regularly. Firewall protection prevents access to malicious files by blocking the attacks. Antivirus software scans every file which comes through the Internet to your computer. It helps to prevent damage to your system. Also, do some research to ensure you are getting the most up-to-date software, and update them all regularly to ensure that you are blocking from new viruses and spyware.

Another technological approach is to use a heuristics product to determine if an email is fraudulent. The success rate of these solutions is mixed. They filter out many of the obvious scams but leave the more cleverly designed emails intact.

Employee training:

A big component of protecting against phishing is employee training that actually works. Most security training delivered in the enterprise today is either a yearly event or held at employee orientation. Employees need to make sure that they understand the risks when opening email attachments or clicking on links from unfamiliar sources, for these can lead to malware or virus infection. This is best covered in an effective security education program.

Moreover, to coincide with that teaching is testing. Perform phishing attempts against your own staff to gauge their level of sophistication handling phishing attempts. This will help you know if your staff is ready to handle such intrusion.

Be cautious about opening attachments and downloading files:

Web browsers provide settings to prevent access to malicious web pages, and when you try to access a malicious site, an alert message will appear. Don't avoid such warnings and avoid surfing that website or accessing that file. Be aware of malicious files, a phishing attack can be sent to you as an attached file. Make sure that you are expecting any file or the sender of the source is trusted party. Never download files from suspicious emails or websites.

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

Preventing phishing attacks can be easy, but it takes education and having plans in place to protect your company if something does slip up. In most cases, companies fall for phishing attacks due to not training their employees and assuming that people know more than they do. They are needed to educate their users about the risks of phishing emails. If the employees don't understand the risks associated with clicking on phishing links, then nobody can stop an organization to falling victim to phishing attacks. Educating the employee is the best way to identify such attack and prevent it.

Irfan Shakeel
Irfan Shakeel

Irfan Shakeel is the founder & CEO of ehacking.net An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. He is the author of the book title “Hacking from Scratch”. He loves to provide training and consultancy services, and working as an independent security researcher.