June 17

Phishing Prevention Best Practices: Staying One Step Ahead

Phishing makes you feel special. Lucky you! A prince has selected you as a most trustworthy and esteemed personige [sic.] to help get his riches out of the country. But you’re wise to that now. You delete that stinky phishmail and get on with clicking the link in that email from Amazon, because you bought a thing. 

Oops. You’ve been caught!

Phishing has become so sophisticated that it’s almost an art form. People who phish drop us credible-looking emails from companies we use or buy from every day, asking us to confirm our details, or make a payment. They take the form of our co-workers asking for a link to that oh-so-secret corporate data. 

Prevention is much better than embarrassment, financial loss and data breaches, so let’s check out some phishing prevention best practices. Not just to prevent phishing, but to make hackers really mad. 

Erm, Remind Me, What’s Phishing?

Phishing is deceiving people for gain by using emails or text messages (SMS) to prompt them to do something advantageous to the phisher, such as divulging information, giving access to data, or paying money. The phisher’s goal is to steal, blackmail, or in cases of “hacktivism,” protest against a corporation’s activities, or to reveal its weak spots.

Phishing preys on your emotions and knee-jerk instincts, and usually leverages your trust in your colleagues like Wendy in HR, platforms like Microsoft Teams, or organizations like Netflix and PayPal. 

Phishing Comes in Every Flavor but Seafood

Phishing usually arrives in the form of an email, but it’ll look different depending on what the phisher is after. You might be the victim of:

Standard Boring Old Phishing

The phisher impersonates a legitimate organization, such as Amazon or Netflix, with frightening realism. It looks pukka, you’ve got a Netflix account, and dearie me, last month’s $5.99 payment didn’t go through. Yep, just click to pay it now. It seems reasonable. 

Just nope.

Spear Phishing

Here’s an email that’s all about you. The phisher has your name, who you work for, and your job role. It may be disguised as an email from your trusted co-worker (a ‘spoof’ email), Wendy, who’s asking you to sign the new employee handbook, but oh dear, you’ve been tricked into accessing a fake login page, and now the phisher has your login credentials. Dang it. Not again!

Whaling

Here’s an email that leverages the normal human condition of “Oh crap, the boss is asking me to do X. I’d better do it because I have a partner and children and dogs to feed this month.” Whaling attacks masquerade as the big boss—“the big phish,” even though a whale isn’t a fish, but why ruin a metaphor?—who asks their underlings to transfer money or reveal sensitive data. In 2015, toy people Mattel lost $3 million through a whaling attack. That’s a lot of Barbies.

Phishing Prevention Best Practices

Phishing defense needs a layered approach, because a business-as-usual phishing attack consists of three broad stages:

  1. Before the email lands in your inbox.
  2. When it lands in your inbox.
  3. After you’ve (sadly) clicked the evil link contained therein.

The plan is to have a layer of defense for each attack stage, because no protection is wholly effective on its lonesome. Prevention is better than cure, obv, so we’ll focus on preventative defenses, rather than clearing up the custard once you’ve clicked on that fraudulent link. 

Phishing prevention defenses are technical or behavioral, and they’re both vital if you want to reduce your phishing vulnerability. You’ll need the technical stuff because it’s super-effective at weeding out phishy things from the truckload of emails sprayed at your company every day. And you’ll need the behavioral stuff, because it’s not a computer that clicks the evil link, it’s people.

Technical Defenses Against Phishing

Configure Anti-Spoofing Controls on Your Domain

Three key authentication mechanisms will make it difficult for phishers to send spoof emails from your company’s domains. It’s techy but easy and perfect for people who love acronyms. Simply add some DNS records in three tasty flavors: Sender Policy Framework (SPF), which lists the servers allowed to send mail for your domain; DomainKeys Identified Mail (DKIM), which cryptographically signs your outgoing mail; and Domain-based Message Authentication, Reporting and Conformance (DMARC), which tells receiving mail servers what to do with messages that fail those checks and sends you reports about them.

(Too acronymy? We’ll do it for you.)

Third Party Filters

These plug into your inbox and keep a close eye on your incoming emails. If a filter sees something suspicious, it barks like a rooster and your computer lights up. This isn’t true, but we wish it were. Instead, it pulls out the iffy email and sticks it in quarantine within seconds of delivery. You’ll see an alert banner at the top of the email saying, “Careful, now!” or similar. It gives you time and headspace to pause and check that iffy email properly.

DNS Filtering

Uh-oh, you’ve clicked a malicious link, but don’t worry, DNS filtering is here to save you from yourself. DNS filtering checks every domain name your computer looks up and refuses to resolve known evil sites, so the page never loads. Phew!

Behavioral Defenses Against Phishing

Despite it sounding like a protest march placard, behavioral defenses against phishing are really all about learning, changing behavior, and practicing that behavior.

One of the best methods to train your people to identify and resist phishing emails is through phishing simulations. Phishing simulations:

  • Identify poor security behavior down to name, rank, and serial number level.
  • Identify poor security hotspots. 
  • Train people to think about and react differently to emails in the moment.
  • Help people become generally resistant to phishing at work and home.
  • Can demonstrate a reduced risk to audit-happy compliance officers.
  • Reduce your overall risk of security breaches.
  • Help show an organization’s commitment to data security.

Here’s How We Perform a Phishing Simulation: 

  1. At what appears to be random intervals, but is superbly planned, we email our clients’ workforce with different flavors of fake phishing emails (very meta).
  2. Our shiny system tracks what the recipients do with the email. Do they ignore it, mark it as spam, trash it, open it, read it, click the link, open an attachment, or something else? We’ll know.
  3. Employees who fall for the phishing are automatically notified that they’ve been phished, and will be gently pushed towards the security awareness training we’ve agreed with our client. 
  4. Over time, we’ll build up a picture of risk hotspots and consistent offenders for our clients to spank/fire/train up more. We’ll also demonstrate a decreased risk of data breach as people improve at resisting phishing. 

Phishing simulations should never be a one-off. Scary Verizon research reveals that people who have fallen victim to phishing have a greater likelihood of continuing to do so in the future. Phishing simulations should happen regularly and unexpectedly to reinforce awareness of phishing emails and how to tackle them.  

Phishing. Just Say No.

Phishing is becoming ever more sophisticated and clever, because it’s lucrative for the baddies and will not go away anytime soon. It’s essential to get your phishing prevention best practices actually practised. Between you and us, we have eight (and counting) defenses against phishing, and one day all these could be yours. Let that day be today.

Want to talk more about phishing prevention best practices? Call us now. 
