6 Tips to Ensure Users Don’t Take the Phishing Bait

essidsolutions

In 2020, we sent around 306.4 billion emails every day. So it makes sense that phishing attacks via email are a major concern for organizations worldwide. This has gained an entirely new dimension in the wake of COVID-19, with hackers exploiting people’s fears, uncertainty, and anxiety to get them to click on suspicious online elements. And between broad malware campaigns and targeted phishing campaigns, IT and security teams are under immense pressure to mitigate the cyber risks that abound. 

How can organizations curb this risk? What can you do to prevent your users from taking the phishing bait? 

Before we answer this question, let’s briefly look at why anti-phishing mechanisms should be on every IT decision maker’s priority list going forward. 

Phishing Is at an All-Time High in 2020

Phishing was already a problem before the coronavirus crisis. Add a pandemic, and the likelihood of attacks increases at an unprecedented rate. In the last year alone, 3 in 10 employees have clicked on a phishing link, for a number of reasons: 

  • Phishing attempts are getting better and look like genuine emails (59%) 
  • The appropriate phishing prevention tools aren’t in place (42%) 
  • There hasn’t been enough training on how to spot phishing attempts (30%) 

In the early months of the pandemic, 4000+ coronavirus-related domain names were registered across the globe (counting from January), and these are 50% more likely to be malicious than regular domains. An email sent from a coronavirus-related domain can appear urgent or official, inciting even the most skeptical user to click. 

That’s why ITDMs must take a proactive stance against phishing instead of leaving it entirely up to the end-user. 


6 Ways to Curb Phishing Threats In Organizations

There are several ways you can stem the phishing tide and stop your users from taking the bait. They range from training your user community and giving them the right tools to implementing control mechanisms that mitigate the risk even when users are exposed to phishing. 

Here are our top six recommendations to avoid getting phished:  

1. Train users to watch out for an obvious carrot or stick

At its core, phishing attempts to tap into an undeniable trait of human psychology: we are always looking to gain a reward or avoid a penalty. That’s why most scams lure users with carrot or stick baits – for example, “Check your tax compliance before <<date>> to avoid government fines” or “New research finds cheap coronavirus cure with household items.” 

When training your user community, break down the psychological drivers behind our response to online messaging and how a hacker/malicious actor could take advantage of this. They should know exactly which carrot or stick signals to look out for, such as urgent deadlines, hefty fines, financial rewards, product vouchers, etc. 

2. Encourage offline authentication channels

A common response to suspected phishing attempts is to forward the email to a colleague in the organization. But this can be counter-productive. If a user forwards an email containing a malicious link to a group of users, the risk only multiplies and someone else might click on that link, infecting the entire system. Offline authentication can halt this in its tracks. 

An offline authentication channel involves a group of security stakeholders who are available either in person or telephonically (any analog means) to cross-check/verify a suspicious event. Encourage users to step over to a nearby cubicle to discuss a possible phishing incident instead of forwarding it via email. Ensure that these offline channels of recourse are in place to mitigate the risk as much as possible. 

3. Configure “automatic disabling of links” to ON

Most phishing attempts work by getting the user to click on a malicious link that redirects to an interactive website. The email itself cannot extract any information – but the website could record keystrokes, obtain personally identifiable information (PII), get hold of banking details, etc. For this reason, it is advisable to make links shared via email “unclickable.” 

Fortunately, nearly every major email client lets you automatically disable in-mail links for exactly this purpose. Microsoft Outlook disables all links on spam/suspicious emails automatically, by default. Gmail has a similar feature where it displays a warning whenever a user wants to click on a link to untrusted domains, be it on a genuine or suspicious email. Make sure that the right configurations are in place to mitigate link-based risks.
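The mail-client settings above are configured, not coded, but a mail gateway can apply the same idea on the way in. The following Python example is added here and is not code from the article or from any of the products it names: it rewrites the links in an inbound message body so they no longer render as clickable, turning `<a href>` anchors into plain spans and "defanging" URLs (hxxp scheme, bracketed dots) in both HTML and plain-text bodies. The sample bodies, the `neutralized-link` class name and the defanging convention are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample bodies (not taken from the article).
SAMPLE_HTML = (
    '<p>Your account is suspended. '
    '<a href="http://login-example.test/reset?u=1">Click here</a> within 24 hours.</p>'
)
SAMPLE_TEXT = "Verify now: https://secure-bank.example.test/verify?id=42 or pay a fine."


def defang_url(url):
    """Rewrite a URL so mail clients no longer auto-link it.

    The scheme becomes hxxp/hxxps and the dots of the host part are
    bracketed, the convention analysts use when sharing indicators by mail.
    """
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    m = re.match(r"^([a-z]+://)([^/?#]+)(.*)$", url, flags=re.IGNORECASE | re.DOTALL)
    if not m:
        return url.replace(".", "[.]")
    scheme, host, rest = m.groups()
    return scheme + host.replace(".", "[.]") + rest


class LinkNeutralizer(HTMLParser):
    """Rebuilds the HTML while turning every <a href=...> into inert text."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.pending_urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # Drop the href entirely; keep the anchor text in a plain span.
            self.pending_urls.append(dict(attrs).get("href"))
            self.out.append('<span class="neutralized-link">')
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a":
            url = self.pending_urls.pop() if self.pending_urls else None
            if url:
                # Show the user where the link pointed, without making it live.
                self.out.append(f" [link disabled: {defang_url(url)}]")
            self.out.append("</span>")
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def neutralize_html_links(html_body):
    """Return the HTML body with every anchor made unclickable."""
    parser = LinkNeutralizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)


# Bare URLs in text bodies: mail clients auto-link these, so defang them too.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def neutralize_text_links(text_body):
    """Return the plain-text body with every URL defanged."""
    return URL_RE.sub(lambda m: defang_url(m.group(0)), text_body)


if __name__ == "__main__":
    print(neutralize_html_links(SAMPLE_HTML))
    print(neutralize_text_links(SAMPLE_TEXT))
```

Keeping the defanged URL visible next to the anchor text matters: a user who can see that "Click here" pointed at an unfamiliar host has something concrete to report, whereas a silently stripped link just looks like a broken email.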


4. Use an inbound email sandboxing layer

Some phishing emails can replicate genuine communication with surprising accuracy, making them harder to detect. This is particularly dangerous when the email carries attachments, directly injecting a malicious file into the user’s system as soon as they download it. Instead of leaving it to the user’s discretion, ITDMs should implement measures that place suspicious emails and attachments in a virtual quarantine or “sandbox” until they are proven legitimate. 

You can set up an inbound email sandbox using your existing client or a dedicated security services provider. For instance, Google’s attachment protection features let you automatically send attachments from untrusted senders, attachments with scripts, and anomalous attachment types to quarantine. Cybersecurity providers like ForcePoint, AnubisNetworks, etc. offer similar capabilities as third-party integrations. 
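To make the three quarantine rules just listed concrete (untrusted sender, script attachment, anomalous attachment type), here is an added Python example that is not code from the article, from Google, or from any vendor named above. It parses an inbound message with the standard library `email` package and gives each attachment a verdict: script extensions and executable content are quarantined outright, an attachment whose bytes do not match its declared type (for example a ".pdf" that begins with the "MZ" executable header) is treated as anomalous, and anything else is delivered only if the sender's domain is on a trusted list. The trusted-domain list, the extension lists, the magic-byte table and the sample messages are all assumptions constructed for the example.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Assumptions for this example: your own and partner domains.
TRUSTED_SENDER_DOMAINS = {"example.com"}
# File types that are scripts/executables however they are labelled.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".ps1", ".hta", ".bat", ".cmd"}
# Leading bytes expected for a few common declared types (a small table, by assumption).
MAGIC = {
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}


def attachment_verdict(sender_domain, filename, data):
    """Return (action, reason) for one attachment: 'quarantine' or 'deliver'."""
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext in SCRIPT_EXTENSIONS:
        return "quarantine", f"script attachment {ext}"
    if ext == ".exe" or data.startswith(b"MZ"):
        # "MZ" is the DOS/PE executable header, whatever the file is called.
        return "quarantine", "executable content"
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return "quarantine", f"content does not match declared type {ext}"
    if sender_domain not in TRUSTED_SENDER_DOMAINS:
        return "quarantine", "untrusted sender"
    return "deliver", "ok"


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(filename, action, reason), ...]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        action, reason = attachment_verdict(sender_domain, name, data)
        verdicts.append((name, action, reason))
    return verdicts


def build_sample_message(sender, attachments):
    """Construct a sample MIME message with attachments (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


# Constructed samples: an external sender with a disguised executable, a script
# and a real-looking PDF, and a trusted internal sender with a PDF.
SUSPICIOUS_RAW = build_sample_message(
    "accounts@invoice-portal.test",
    [
        ("invoice.pdf", b"MZ\x90\x00 constructed fake executable bytes", "application", "pdf"),
        ("notes.js", b"var x = 1;", "application", "javascript"),
        ("report.pdf", b"%PDF-1.4 constructed sample", "application", "pdf"),
    ],
)
TRUSTED_RAW = build_sample_message(
    "hr@example.com",
    [("report.pdf", b"%PDF-1.4 constructed sample", "application", "pdf")],
)

if __name__ == "__main__":
    for verdict in triage_message(SUSPICIOUS_RAW) + triage_message(TRUSTED_RAW):
        print(verdict)
```

Note that the sender check here is only a domain string comparison; a real gateway should combine it with the SPF/DKIM results discussed under tip 6, otherwise a spoofed "trusted" sender bypasses the rule.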

5. Hire a cybersecurity coach for your CXOs

Senior management and C-level leaders are particularly vulnerable to phishing as they are privy to high-value information and assets. In fact, there is a dedicated term for it, “whaling,” which we discuss in a later section. When CXOs click on a phishing email, the repercussions can be severe, morphing into a much more expansive attack across the organization. Using the CXO’s credentials, a hacker might infiltrate systems or lead an even more sophisticated phishing attempt, impersonating the CXO to target a larger pool. 

An effective way to prevent this is by hiring a cybersecurity coach. Executive cybersecurity coaching is geared for senior managers and privileged users, increasing awareness in their unique contexts. 

6. Set up your email client to prevent spoofing

Spoofing is a common modus operandi among phishing threats. The hacker might mimic your company’s domain name to appear legitimate. Or, they might mimic an employee’s name to make it look like it is just another email from a colleague. Hackers could even mimic your company’s domain name when attacking other organizations within your partner or customer ecosystem. 

Set up anti-spoofing configurations to stop this from happening. For example, Gmail lets you sandbox emails that claim to be from your domain but lack SPF or DKIM authentication. You can apply the same measures to domains that look almost like yours, with a character or a space missing. 
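The two checks described above (your own domain without SPF/DKIM, and lookalike domains) can be expressed in a few lines of gateway logic. The Python example below is added here and is not code from the article or from Gmail: it reads the `Authentication-Results` header that a receiving mail server adds, quarantines mail that claims your domain but passed neither SPF nor DKIM, and separately flags sender domains within one edit of your own (a character missing, inserted, substituted, or two adjacent characters swapped). The domain `example.com`, the sample messages and the assumption that the header was written by your own mail server are all constructed for the example; a production check would also verify DMARC alignment, which is omitted here.

```python
import email
import email.utils
import re
from email import policy

OUR_DOMAIN = "example.com"  # assumption for this example


def parse_auth_results(header_value):
    """Extract spf=/dkim=/dmarc= results from an Authentication-Results header."""
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "", re.IGNORECASE):
        results[m.group(1).lower()] = m.group(2).lower()
    return results


def is_lookalike(candidate, legit=OUR_DOMAIN):
    """True when candidate is one edit away from legit (not identical).

    Covers one missing character, one extra character, one substituted
    character (e.g. 'l' -> '1') and one adjacent transposition.
    """
    a, b = candidate.lower(), legit.lower()
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True  # single substitution
        return (
            len(diffs) == 2
            and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]]
            and a[diffs[1]] == b[diffs[0]]
        )  # adjacent swap
    shorter, longer = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(shorter) and shorter[i] == longer[i]:
        i += 1
    return shorter[i:] == longer[i + 1:]  # one character missing/extra


def spoof_verdict(raw_message):
    """Return (action, reason) for a raw message based on its From domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg["Authentication-Results"])
    if from_domain == OUR_DOMAIN:
        if auth.get("spf") == "pass" or auth.get("dkim") == "pass":
            return "deliver", "claims our domain and passed authentication"
        return "quarantine", "claims our domain but failed SPF and DKIM"
    if is_lookalike(from_domain):
        # SPF/DKIM may well pass here: the attacker controls the lookalike domain.
        return "quarantine", f"lookalike of {OUR_DOMAIN}: {from_domain}"
    return "deliver", "external domain, normal handling"


# Constructed sample messages (headers as a receiving server would record them).
SPOOFED = """\
From: "Payroll" <payroll@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.evil.test; dkim=none
Subject: Updated salary sheet

Open the attached sheet today.
"""
LEGIT = """\
From: "HR" <hr@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Benefits enrolment

Enrolment closes Friday.
"""
LOOKALIKE = """\
From: "IT Support" <it-support@exampl.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exampl.com; dkim=pass header.d=exampl.com
Subject: Password expiry

Your password expires in 24 hours.
"""

if __name__ == "__main__":
    for sample in (SPOOFED, LEGIT, LOOKALIKE):
        print(spoof_verdict(sample))
```

The lookalike sample is the instructive one: both SPF and DKIM pass, because the attacker registered and configured `exampl.com` themselves, so authentication alone would have delivered it. Only the comparison against your own domain catches it.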


Phishing vs. Spear-Phishing vs. Whaling Explained 

Phishing comes in a variety of shapes and sizes; spear-phishing and whaling are its more targeted forms. Traditional phishing tries to reach the widest possible user pool, hoping that someone will take the bait. Spear-phishing and whaling are more targeted because: 

  • Spear-phishing is backed by precise information about your organization. It will try to spoof a trusted party (e.g., the HR head), target a specific employee need (e.g., getting a new employee to register for insurance) and get the user to click. 
  • Whaling targets the “big fish” or high-value users that are the most lucrative for a hacker. CXOs, product managers, financial process owners, and intellectual property owners are most vulnerable to it. 

Knowing the difference between phishing vs. spear-phishing vs. whaling can help you formulate the right email security strategy for your users. Remember the six tips, encourage users to be cyber smart and make widespread security awareness a foundational step – particularly during these complex times. 

Do you have a #ProTip for our readers that can help keep phishing at bay? Share on LinkedIn, Twitter, or Facebook or comment below. We would love to hear from you!