May 30

Defend Against Phishing Attacks

People are always looking for an easy come-up. As long as vulnerabilities in security exist, people willing to rip you off do too. Phishers aren’t just sending out the same old scam emails. Technology has advanced, and so have schemes. 

That’s right, phishers have become so-phish-ticated (sorry, I couldn’t resist), and they won’t give up as long as there’s loot to be found. Help your team defend against phishing attacks (and learn how to defend themselves in the future) so you don’t find your data plundered or your team lost at sea.

Phishing, Spear Phishing, Whaling, Oh My!

Behind this marine-based nomenclature is a single aim: to gain some advantage at the expense of someone or something else. It could be dollars, identity, run-of-the-mill mischief, corporate embarrassment, or even political advantage. The prize of crime comes in many unpleasant flavors.

Phishing generally happens through email. Phishing attacks against businesses are designed to steal corporate data by tricking users into giving up valuable information. That info could be an access code such as a username or password, or other things like company data. With such data in hand, a phisher can turn it into cash through nasties like locker or crypto-ransomware.

Spear phishing is even more creepy because it’s an email that knows all about you. Your personal information is all over social media or the corporate website, so targeting individuals has become easy. That spear phishing email might look like it’s from a trusted colleague, e.g., from Marcus in Sales, who’s asking you to sign off the sales targets. But (uh oh!) you’ve been sent to a fake page, and now the spear phisher has your login. Dang!

A whaling attack adds a sense of terror and urgency by masquerading as a demanding email from your big, big boss for a login, access to funds, or something else. You’ve got kids to feed, so are you gonna say, “Big big boss, take a hike!”? Probably not. 

How To Defend Against Phishing Attacks

You’re looking at two ways to keep phishers from getting their hooks into your business: IT infrastructure protections and behavior change.

Phishing Attacks Defense Techniques
IT infrastructure protection
  • SPF and DKIM email authentication
  • Third-party filters
  • DNS and web filtering
  • 2-factor authentication
  • Cloud SSO
Behavior changes
  • Consistent anti-phishing training
  • Regular simulated phishing attacks

IT Infrastructure Protections 

Many of these protections are super-easy to deploy. Some, such as correctly configuring a domain, take literally seconds. Infrastructure protections close down vulnerabilities, monitor for weirdness and flag it up, and prevent human error by automating a load of stuff, and protecting people from themselves, e.g., through password management systems. 

IT infrastructure protection to defend against phishing attacks includes:

  • SPF and DKIM email authentication: These validate the authenticity of an incoming email and check if an email has been fiddled with illegally between sending and receiving. 
  • Third-party filters: These filters use AI to review incoming emails and decide whether they’re dodgy. You’ll know they’re working because you’ll get a “Woah there! This looks weird!” banner.
  • DNS and web filtering.
  • 2-factor authentication: This strengthens user ID by asking your people to log in based on something they know (e.g., a passcode) and something they have (e.g., a smartphone or index finger).
  • Cloud SSO: This ditches a user’s list of bad passwords for a single login to a super-strengthened front door to access multiple cloud accounts.
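To make the SPF half of "SPF and DKIM email authentication" concrete, here is an added example (not code from the original post) of what a receiving mail server does: it fetches the claimed sender domain's `v=spf1` record and asks whether the connecting IP is authorized to send for that domain. All domain names and addresses below are invented documentation values held in an in-memory table so the check runs offline; a real deployment resolves TXT, A and MX records with a DNS library. Only the ip4, ip6, a, mx, include and all mechanisms are handled, and DKIM signature verification is a separate cryptographic step not shown here.

```python
"""Minimal SPF (RFC 7208) check over a constructed, in-memory DNS table."""
import ipaddress

# Constructed zone data standing in for real DNS lookups (hypothetical names).
DNS = {
    "TXT": {
        "example.com": [
            "v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"
        ],
        "_spf.mailprovider.example": [
            "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"
        ],
    },
    "A": {"mail.example.com": ["192.0.2.25"], "example.com": ["192.0.2.10"]},
    "MX": {"example.com": ["mail.example.com"]},
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name):
    """Stand-in for a DNS query; returns [] for unknown names."""
    return DNS.get(rtype, {}).get(name, [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup("TXT", domain):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None


def ip_in(ip, network):
    """True if ip lies in network; an IPv6 address never matches an IPv4 range."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_spf(ip, domain, depth=0):
    """Evaluate sender ip against the SPF policy of the claimed sending domain.

    Returns one of pass / fail / softfail / neutral / none / permerror,
    mirroring the result names a receiving mail server would log.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; bail out on deep include chains
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, addr) for addr in lookup("A", arg or domain))
        elif name == "mx":
            hosts = lookup("MX", arg or domain)
            matched = any(ip_in(ip, addr) for h in hosts for addr in lookup("A", h))
        elif name == "include":
            # include: only a "pass" from the referenced domain counts as a match
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism or unsupported modifier
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    for sender in ("203.0.113.7", "198.51.100.9", "192.0.2.25", "192.0.2.10", "2001:db8::1"):
        print(sender, "->", check_spf(sender, "example.com"))
```

The `-all` at the end of the record is the part that does the work: a message from any IP the domain did not list comes back `fail`, which is what lets a filter reject or quarantine mail that merely claims to be from your domain. A domain that ends its record with `~all` (softfail) or `?all` is only advising the receiver, so the record is worth checking when you configure your own domain.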

Behavior change

Tackle human error by giving your people the knowledge, tools, and practice they need to avoid getting hooked. Make sure you have a no-blame culture. Because who’s going to own up to clicking a phishing email when they know they’ll be tarred and feathered before lunch break? Also, create a clear reporting procedure so they’ll know what to do if the worst happens. 

But the key is to prevent them from falling for it in the first place. Here’s where phishing training is your bestie, and we’re not talking about a PowerPoint. 

Consistent and regular anti-phishing training is key to defend against phishing attacks, and here’s how we do it: 

  • At seemingly random yet cunningly-planned times, we send a super “phishy” email out to our client’s people. We know who clicks, who doesn’t, who reports the phishing etc. 
  • If someone falls for it, they get a “Hey, you fell for it!” message and are guided to training previously agreed with our client.
  • We track “fall for it” rates throughout a phishing campaign, which, in our experience, drop to zero over time. Trouble spots, like individuals who keep on being hooked, can be identified and trained (this sounds a lot scarier than it is). 
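The three steps above boil down to an event log and two numbers: the per-campaign "fall for it" rate and the people who keep clicking. The following added example (not the tracking system the post describes) works those out from a constructed log of who was sent, who clicked, and who reported each simulated email; the campaign ids and user names are hypothetical.

```python
"""Track simulated-phishing results across campaigns."""
from collections import defaultdict

# Constructed events: (campaign_id, user, action); one "sent" per recipient.
EVENTS = [
    ("c1", "alice", "sent"), ("c1", "bob", "sent"), ("c1", "carol", "sent"), ("c1", "dave", "sent"),
    ("c1", "alice", "clicked"), ("c1", "bob", "clicked"), ("c1", "carol", "reported"),
    ("c2", "alice", "sent"), ("c2", "bob", "sent"), ("c2", "carol", "sent"), ("c2", "dave", "sent"),
    ("c2", "alice", "clicked"), ("c2", "bob", "reported"), ("c2", "carol", "reported"),
    ("c3", "alice", "sent"), ("c3", "bob", "sent"), ("c3", "carol", "sent"), ("c3", "dave", "sent"),
    ("c3", "alice", "reported"), ("c3", "bob", "reported"), ("c3", "dave", "reported"),
]


def campaign_stats(events):
    """Per campaign: recipients, clickers, reporters, and the fall-for-it and report rates."""
    users = defaultdict(lambda: defaultdict(set))
    for campaign, user, action in events:
        users[campaign][action].add(user)
    stats = {}
    for campaign in sorted(users):
        sent = users[campaign]["sent"]
        clicked = users[campaign]["clicked"] & sent      # ignore clicks from non-recipients
        reported = users[campaign]["reported"] & sent
        stats[campaign] = {
            "sent": len(sent),
            "clicked": len(clicked),
            "reported": len(reported),
            "fall_rate": len(clicked) / len(sent) if sent else 0.0,
            "report_rate": len(reported) / len(sent) if sent else 0.0,
        }
    return stats


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: the training candidates."""
    clicks = defaultdict(set)
    for campaign, user, action in events:
        if action == "clicked":
            clicks[user].add(campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_campaigns)


def trend(stats):
    """Fall-for-it rate per campaign in order, so you can watch it head toward zero."""
    return [stats[c]["fall_rate"] for c in sorted(stats)]


if __name__ == "__main__":
    s = campaign_stats(EVENTS)
    print("fall rates:", trend(s))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Tracking the report rate alongside the click rate is deliberate: the no-blame culture and reporting procedure above are working when reports go up while clicks go down, not just when clicks go down.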

Defending Yourself Is One Way To Give A Hacker The Finger

And we’ll help you do it! We have an awesome toolbox of anti-phishing defenses that we can deploy by Monday or even sooner. Some we can sort out for you in 10 minutes. We’ll also take a sniff around your IT infrastructure and check for any festering vulnerabilities. Wouldn’t that feel better? Let us help you get your metaphorical cannons raised to defend against phishing attacks today.

Ignition is Silicon Valley’s best (and friendliest) IT security, compliance, and support team. Contact us now – chatting about IT support and cybersecurity is our favorite thing to do!
