How Can Organisations Combat Phishing?
Every day, Australian organisations are targeted by cyber scams. In fact, reports have shown that out of 286,607 scams reported in Australia in 2021, 71,299 were phishing scams.
With Australians having lost A$323.7 million to scams, there has never been a better time to familiarise yourself with ways of protecting your organisation from phishing email attacks. Knowing how to defend your email inbox and keep your organisation’s confidential information safe should be a top security priority. In this post, we’ll look at the measures you can take to combat phishing attacks.
What Is Phishing?
Phishing is a form of cyberattack in which a cybercriminal uses a communication channel (in this case, email) to trick a user into taking a given action. This “action” can include clicking a malicious link, downloading malware, or providing sensitive information about your organisation. Ultimately, the goal of a phishing scam is to dupe an unsuspecting user into providing the cybercriminal with information that they can exploit for monetary gain. The common forms of email phishing scams include:
- Tech support phishing scams: these allege that you have malware on your computer. The threat actor will ask to install remote access software on your computer to “fix” the issue, but instead installs actual malware.
- Spear phishing scams: these are attacks which are aimed towards a specific individual or organisation. The hacker will research their target to find out details that lend credibility to the email.
- Clone phishing scams: these phishing scams involve hackers creating malicious emails that are similar to those from reputable organisations in order to dupe you into unknowingly sharing confidential information.
- Whale phishing scams: these refer to attacks directed specifically at senior management and other high-profile targets.
What Measures Can You Take To Combat Phishing?
Given that phishing emails target human behaviour, appear to come from trusted senders, and create a sense of urgency, they can be very difficult to detect. Whether they impersonate an internal system, a known brand, or a trusted source, identifying a phishing email is key to staying safe. Let’s look at how you can do that.
As an employer, here are some of the measures you should take:
Deploy Proactive Phishing Prevention Tools
Deploying security software and phishing prevention tools is your first line of defence against phishing scams. Strong spam filters, endpoint protection and EDR software are quite effective against phishing scams. You can also deploy web filters to prevent employees from accessing malicious websites. These tools can help you identify malicious domains and other threats before cybercriminals can use them in a phishing attack. Upon identifying the threat, your IT personnel can quickly remediate compromised endpoints to prevent the attack from spreading further.
Build a Robust Email Security Awareness Program
There is no email without users. Similarly, there is no email security to prevent phishing attacks without user awareness. Build a robust and engaging email security awareness program so that employees can learn how to spot phishing tactics and how they can avoid falling victim to them. Ensure that you provide updated information on current phishing attacks and share insights about your organisation’s cybersecurity strategy. Make all your employees aware of the organisation’s policies and solutions to mitigate or prevent phishing attacks. As part of your security awareness program, it’s also necessary to:
- Inform employees that they should forward suspicious emails to the security team
- Reiterate why they shouldn’t click on malicious attachments and links
- Provide feedback on whether they are flagging suspicious emails correctly
- Maintain an educative and positive culture rather than a punitive one when it comes to phishing prevention
- Train all employees in your organisation, regardless of whether they are junior staff, senior staff or remote employees.
As an employee, here are some of the measures you should take to protect your organisation from phishing scams:
Be on the Lookout for Threats and Urgent Deadlines
When spoofing is combined with the threat of an urgent deadline, the chances of falling for a phishing scam are heightened: under a sense of urgency, people tend to make rushed decisions. If you are unsure of the legitimacy of an email, forward it to your security team or contact the entity in question separately through its website.
Don’t Provide Information to Unverified Sources
If you are unsure whether you should be providing your information, check with your IT team or privacy officer. If the email appears to come from someone familiar but the contents seem suspicious, phone the person on a number you already hold to confirm that they actually sent it.
Watch Out for Fake Attachments and Links
Whenever you suspect an email to be a phishing attempt, reach out to your IT team. Don’t click on any links, open any attachments, or forward the email to another device. If you’re unsure about a link, open a new browser window and type the URL into the address bar yourself instead of clicking the link. Another technique for identifying malicious links is to hover your cursor over a link on a computer, or tap and hold it on a mobile device, to reveal where it actually leads.
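The three manual checks described in this post (urgency language, a sender who is not who they seem, and a link whose visible text differs from where it really points) can also be run automatically by the security team that receives forwarded suspicious emails, which is the kind of filtering the “Deploy Proactive Phishing Prevention Tools” section refers to. The following Python script is an added example written for this page, not code from the original post. It assumes the email is available as a raw RFC 5322 string, uses only the standard library, and treats a link as deceptive when its visible text looks like a URL or domain on a different site from the real href. Both sample messages and all domains in them are constructed for the example (reserved `.example` and `.invalid` names).

```python
"""Triage helper for a suspected phishing email (added example, not the post's code).

Assumptions: the message is a raw RFC 5322 string; "deceptive link" means the
visible link text looks like a URL or domain that differs from the real href.
The registered-domain logic is deliberately simple (last two labels); a
production tool would use the public suffix list instead.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name and visible link text imitate a bank,
# while the Reply-To and the real link target point elsewhere.
SAMPLE_EMAIL = """\
From: "Bank Security" <alerts@bank.example>
Reply-To: verify@bank-example-login.invalid
To: staff@company.invalid
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your account immediately:</p>
<p><a href="http://bank-example-login.invalid/verify">https://www.bank.example/login</a></p>
<p>Questions? <a href="https://www.bank.example/help">Help centre</a></p>
</body></html>
"""

# Constructed benign sample: same bank, consistent sender and links.
CLEAN_EMAIL = """\
From: "Bank Security" <alerts@bank.example>
To: staff@company.invalid
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.bank.example/statements">https://www.bank.example/statements</a>.</p></body></html>
"""

# Pressure phrases typical of the "urgent deadline" tactic (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "final notice")


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an anchor with an href
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude site identity: the last two DNS labels of a hostname (assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_of(text):
    """Hostname if the visible link text looks like a URL or bare domain, else None."""
    candidate = text.strip()
    if " " in candidate:
        return None  # ordinary words such as "Help centre" are not a domain claim
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def triage(raw_message):
    """Return human-readable findings for a raw email; an empty list means no flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender consistency: replies silently routed to a different domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom!r} differs from sender domain {from_dom!r}")

    # 2. Urgency pressure in the subject line.
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency language in subject: {', '.join(hits)}")

    # 3. Links whose visible text claims one site but whose href goes to another
    #    (the automated form of hovering over a link to see its real destination).
    body = msg.get_body(preferencelist=("html",))
    parser = _LinkParser()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        shown, real = _host_of(text), urlparse(href).hostname
        if shown and real and registered_domain(shown) != registered_domain(real):
            findings.append(f"link text shows {shown!r} but goes to {real!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", triage(raw) or "no findings")
```

Run as a script it prints three findings for the constructed suspicious message (Reply-To mismatch, urgency wording, and the link that displays `www.bank.example` but leads to `bank-example-login.invalid`) and none for the clean one. None of these signals is proof of phishing on its own; the point is to surface them to the person triaging the forwarded email so the decision is not made under the time pressure the message is trying to create.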
Attend Security Awareness Training That’s Offered Internally
Employees should ensure that they not only attend the security awareness training programs offered by their organisation, but also that they are actively engaged throughout the training. By attending these training programs, employees are better positioned to identify phishing scam attempts and take the necessary security measures to ensure they don’t fall victim to such scams.
The strategies outlined above provide a robust approach to preventing email phishing scams. However, in addition to these strategies, you should limit access to high-value data and systems. Implementing this approach can help protect confidential and business-critical data from both negligent and malicious compromise.