The 10 Best Practices for Identifying and Mitigating Phishing
Phishing (a form of social engineering) is escalating in both frequency and sophistication; consequently, it is even more challenging to defend against cyber-related attacks. These days, any industry, any workplace, any work role can be targeted by a phishing scam that is spreading beyond simple malicious email attachments and link manipulation techniques (i.e., phishers may disguise links to malicious URLs that possibly will download code once clicked). Hackers are often also utilizing new attack vectors to exploit people through all electronic and digital channels.
With phishing, automated tools can be of help; however, being a threat that primarily targets humans directly, anti-phishing technologies, to include anti-spam and anti-virus software solutions, as well as content and URL filtering, file sandboxing and secure web gateways, can only mitigate the problem; the best way to counteract is not only to use multiple defenses but also, above all, strict (and enforced) security policies and a robust awareness program that spreads through the entire organization and involves all sections and ranks. One of the first steps in identifying and mitigating these types of phishing attacks is, in fact, to understand the threat, and to be mindful of the tactics that are employed.
“Phishing attacks are successful because they target basic human natural responses as the urge to open correspondence, especially when it reaches their work account or it’s believed to be coming from legitimate sources, colleagues or friends.” Phishers, who attempt to trick the recipient into believing that they are from a legitimate company or put themselves out to impersonate specific senders if not masquerade as a trustworthy entity, do so in hope to lure some digital users into releasing requested info with a purpose to exploit the human factor. When users respond with the asked for data, attackers can use it to gain access to their personal identifiable information (PII) or sensitive personal information (SPI), which can not only harm the organization as a whole but also lead to more “personal” problems like identity theft, fraud, and related scams.
To identify and mitigate phishing, it is important to understand how it works to be able to employ best practices and safe human behaviors; these can include even basic advice like not clicking on links in an unsolicited email message, or “in online ads, status updates, tweets and other posts,” as mentions Stay Safe Online, which is powered by the National Cyber Security Alliance (NCSA), a nonprofit with the goal to empower cyber users through awareness and then takes steps in making the Internet a better, safer and more secure place for all consumers to use.
So, what else can you do to keep hackers from hijacking your data?
10 Anti-Phishing Best Practices
- Recognize the need for a holistic approach to the problem. Be ready to defend the need to apply and fund appropriate technical countermeasures and non-technical countermeasures for phishing. Both types of countermeasures are a crucial component in the anti-phishing strategy of any business to ensure proper human response behaviors and correct use of systems and software.
- Seek the help of technology to screen e-mails. Emails are one of the main means of communications for any organizations today: dozens of messages are exchanged daily containing intra-company communications, personal exchanges, information to and from customers. It is very easy for malicious hackers, then, to attempt phishing through this means. Employing a number of anti-phishing tools is the first barrier against the most common attempts. Installing a good spam filter is essential to catching phishing emails before they end up in an inbox and to prevent accidental opening of malicious attachments or the collection of sensitive information through unwary employees. Many e-mail applications and web services already offer good security protection, so it is important those defenses are used. Of course, spam filters cannot catch everything and, on their own, will not ensure a risk-free environment.
- Secure the environment from malicious websites. Use anti-phishing services (ideal for Content Filtering, Symptom-Based Prevention, Domain Binding) to counter phishing attacks. A browser-integrated anti-phishing solution, such as SpoofGuard and PwdHash, for example, could provide effective help by protecting against unauthorized IP and MAC addresses to prevent and mitigate online scams.
- Stick to security basics. Old school tools like firewalls and antivirus software are still a good safety barrier. They might not stop a phishing attempt but can help mitigate their consequences by catching, for example, the infections given by clicking on attachments or spoofed links.
- Concentrate on phishing security awareness. In most cases, phishing attempts require some kind of users’ action or response to succeed, so it is obvious that making employees aware of the tactics used by scammers and the consequences of certain behaviors is paramount. Investing in awareness training is a first step towards creating a resilient workforce and organization that can, in addition to technical countermeasures, avoid phishing. It is important that all training is tailored to the needs of the specific organization; the more job-relevant the campaigns are, the higher the level of retention of all the information given. It is also important that all ranks in the organization are involved including executives: this is not only because the involvement of the higher management sends a signal to the entire organization about the importance of the program, but also because executives are one of the favorite targets of spear-phishing attempts. Furthermore, make sure training is also engaging. Involve staff in role-based simulations and training. For instance, SecurityIQ Module Library has ‘Lessons for Phishing and Malware’ that provides best practices for avoiding such threats. SecurityIQ offers an expansive library of modules for all learner types with content that is regularly reviewed, revised and expanded by security education experts to cater to the needs of all sections and levels in an organization.
- Establish a knowledge baseline via the phishing simulation service. Identifying phishing attempts is often a user’s prerogative as many are crafted to escape the watchful eye of automated tools. At a minimum, any good awareness training should make users cautious of anyone asking for personal information or sensitive data; they should learn how to verify the actual sender’s address or URL with simple actions like hovering above links and know when to go the extra step of actually contacting the source to verify the legitimacy of the request. Note: Users should also be warned of messages that convey a sense of urgency or “lost opportunity” as well as those contain grammatical errors and spelling mistakes that would very rarely be contained in e-mails from legitimate entities. Another important topic should be the explaining of relevant parts of the firm’s IT policy in the context of safeguarding PII data that resides on a company system or device.
- Reinforce what is learned with continuous simulation and training which ought to be an ongoing activity that provides the current practice of sending security notices. Sitting in an awareness class, completing online courses or reading about phishing is great, but nothing beats practice when it comes to learning new, safe behaviors behind the keyboard. One of the ways is to provide activities like, for example, Social Engineering quizzes. A great tool is also phishing simulation. Using the tricks of phishers in a controlled environment might be a good first step in educating computer users to protect themselves. This is a great way to give your employees a real taste of what phishing is really all about and the knowledge to prevent social engineering, phishing and ransomware attacks. Prevention starts with awareness and the knowledge that can help users become ‘human firewalls’ and drive a behavior change that could reduce the impact of scams specifically targeting their habits. There are plenty of free resources and phishing simulators that can help. SecurityIQ from the InfoSec Institute, for example, combines a phishing simulator and computer-based security training in one easy-to-use cloud-based service. This is a great way to boost engagement in a security awareness program. PhishSim’s realistic simulations can teach staff how to detect and prevent phishing attacks with realistic phishing simulations; the tool provides realistic tests, custom templates (make use of a WYSIWYG editor) and automatic education for employees to learn to detect and avoid phishing attacks. In alternative, there are tools like ThreatSim, which was acquired by Wombat Security in October 2015. PhishSim via simulated or mock attacks can really teach individuals to identify certain cues or apply a set of rules to avoid phishing attacks and can help to drive measurable human behavior changes beyond the theory learned during formal training and awareness activities. A great place to start, of course, is at InfoSec Institute, which has the following sources: Awareness Campaign Builder; Phishing Simulations Library; FREE SecurityIQ phishing diagnostic test.
- Involve and empower employees to take a proactive participation in organization-wide training, as it is important to give employees a sense of their importance as a human barrier against phishing attempts. If they suspect phishing, they should be asked to be proactive and report any suspicious IT-related behavior to an IT security point of contact if present in the organization. In alternative, users could report scams to the Anti-Phishing Working Group (APWG) by sending an email to email@example.com for analysis or else address the message to firstname.lastname@example.org. Some larger organizations and government entities are already providing automated, easy ways for users to report anything worth noting using tools like the SecurityIQ PhishNotify plugin that can report suspicious emails with the click of a button. “Once reported, emails are safely quarantined and classified for future analysis.” That is why to take action and report phishing may be the best practice to help mitigate such scams to spread or target other potential victims.
- Take advantage of gathered intelligence. Although the widespread deployment of spam-filtering solutions has also reduced their value for real-time web traffic analysis, there are software and analysis tools that can help take advantage of the analysis of all suspicious activity reported. PhishHunter™ (Coming Soon), for example, might come in handy to analyze and classify every reported email based on malicious content and threat level with real-time threat intelligence. Banking on past experience can be an invaluable tool towards the prevention and prompt identification of future attacks.
- Prepare for the worst. Mitigating attacks also means mitigating their effects. No company, nowadays, is small enough to withstand unscarred the loss of sensitive data or the effects of ransomware. Every organization should be devising, implementing and updating policies that not only have to do with the proper use of IT systems, but also with the protection of data and their recovery. Frequent tests, backup procedures and the application of industry-mandated standards are all an additional layer of defense against the effects of phishing.
Because “28% of all breaches stem from human error” and “as many as 30% of your employees unable to spot a phishing email,” mitigating and identifying phishing attempts passes necessarily through the involvement of users in specific training and familiarity with anti-phishing resources.
“Unless [cyber] users are educated (i.e., know various types of phishing techniques), they will be lured to the spoofed sites,” say experts at Phishing.org. So, to protect staff from getting phished, they must be made aware of the different phishing techniques used to obtain personal information from users, or what makes them vulnerable in whatever profession they’re in.
All told, a good mix of advances in technical tools and employees’ resilience is the best way to mitigate phishing attempts and harden the IT environment of any at-risk companies.
Antipov, A. (2018, May 18). Top 9 Free Phishing Simulators. Retrieved from https://resources.infosecinstitute.com/top-9-free-phishing-simulators/
Appleby, T. (2016, June 1). Phishing Definition, Prevention, and Examples. Retrieved from https://resources.infosecinstitute.com/category/enterprise/phishing/
Carnegie Mellon University. (2007, October 4). Fight Phishing Attacks With Phishing Tactics — It Works. ScienceDaily. Retrieved from https://www.sciencedaily.com/releases/2007/10/071002131117.htm
Egan, G. (2018, January 18). 2018 State of the Phish: Phishing Data, Insights, and Advice. Retrieved from https://www.wombatsecurity.com/blog/2018-state-of-the-phish-phishing-data-insights-and-advice
Fahey, R. (2016, May 17). The Phishing Landscape. Retrieved from https://resources.infosecinstitute.com/category/enterprise/phishing/the-phishing-landscape/
Goodspeed, L. (2016, October 6). Cyber Security Awareness Month: Phishing. Retrieved from https://blog.pcisecuritystandards.org/cyber-security-awareness-month-phishing
Hawthorn, T. (2015, November 12). Phishing Prevention: Six Reasons Spam Filters Can’t Catch Everything. Retrieved from https://www.wombatsecurity.com/blog/phishing-prevention-six-reasons-spam-filters-cant-catch-everything
Imam, F. (2017, August 29). Anti-Phishing Services: Pros and Cons. Retrieved from https://resources.infosecinstitute.com/category/enterprise/phishing/phishing-countermeasures/anti-phishing-services-pros-and-cons/
Imam, F. (2017, August 31). Top 10 Anti-Phishing Best Practices. Retrieved from https://resources.infosecinstitute.com/category/enterprise/phishing/phishing-countermeasures/anti-phishing-best-practices/
Jensen, M. L., Dinger, M., Wright, R. T. & Thatcher, J. B. (2017, August 17). Training to Mitigate Phishing Attacks Using Mindfulness Techniques. Journal of Management Information Systems
Volume 34, 2017 – Issue 2. Pages 597-626. doi.org/10.1080/07421222.2017.1334499
Johnston, N. (2018, April 20). Best Spam Filters of 2018. Retrieved from http://www.toptenreviews.com/software/security/best-spam-filter/
Phishing.org. (n.d.). Phishing Techniques. Retrieved from http://www.phishing.org/phishing-techniques
PhishingBox, LLC. (n.d.). Phishing Facts: What you need to know. Retrieved from https://www.phishingbox.com/resources/phishing-facts
Robinson, J. (2018, January 2). To Mitigate Phishing Risk, Let Employees ‘Fail Forward’. Retrieved from https://www.infosecurity-magazine.com/opinions/mitigate-phishing-risk-fail/
StaySafeOnline.org. (n.d.). Online Safety Basics: Spam and Phishing. Retrieved from https://staysafeonline.org/stay-safe-online/online-safety-basics/spam-and-phishing/
Winkler, I. (2016, September 6). What is phishing awareness success? Retrieved from https://www.csoonline.com/article/3116490/security-awareness/what-is-phishing-awareness-success.html