Phishing is involved in a large share of modern data breaches; some industry estimates put the figure as high as 85 percent. These attacks usually consist of fake emails designed to look like they come from a brand or institution that you trust. Phishing isn't what it used to be.
Malicious websites look legitimate and fraudulent emails appear to come from trusted senders, so it is harder than ever to know how to prevent these attacks.
The attacker's goal is to entice you to click a link or download an attachment, which in turn puts malicious files on your computer or captures the credentials you type into a fake login page. This can enable attackers to steal your identity, breach your employer's systems, and more. Phishing is just one form of social engineering, the family of tactics most cybercriminals rely on.
Spear phishing is the targeted variant: the attacker researches a specific victim and crafts a highly personalised message, often impersonating a trusted colleague or business partner, to extract sensitive information that is then used for crimes such as fraud and identity theft.
The unfortunate news is that these attacks are common and the emails often look real. The good news is that there are steps you can take to protect your business against them. Here's what to do:
- Prevent phishing emails from reaching users. This is best done with dedicated anti-phishing software in front of the mailbox. Products on the market differ in what they cover: sandboxing attachments to catch malware that no signature yet knows (the zero-day case), identifying and neutralising malicious attachments, checking links at delivery and at click time, verifying that the sender is genuine through SPF, DKIM and DMARC results rather than trusting the From field, spotting spear-phishing patterns such as display-name impersonation, and whether they are built for cloud-hosted email or for on-premise mail servers behind the firewall. Whatever the product, its job is to stop suspect mail before it reaches the user's inbox.
- Think twice before clicking or downloading. If an email comes from a source you don't recognise, it's best not to interact with anything it contains: no clicking links, downloading files, or opening attachments. Generally, you should only open email attachments if you are expecting them and know what they will contain. Bear in mind that a familiar name is no guarantee either, since sender addresses are easily spoofed; if a message from a colleague asks for something unusual, such as a payment or a password, confirm it through a channel you already trust (a phone number you know, not one in the email) rather than by replying.
- Be careful on public networks. Most mail clients now connect to mail servers over TLS, so a stranger on the same Wi-Fi cannot usually read your email in transit, but public hotspots still help phishers. A rogue access point, often offered as a completely free hotspot, can present a captive-portal "login" page that harvests credentials without any sophisticated sniffing, and an unencrypted or misconfigured connection can still leak usernames, passwords and financial details to anyone capturing traffic. A safer option when you are away from the office is to tether to your phone's mobile data connection, or to use a VPN, rather than relying on a public network.
- Keep antivirus software active and up to date. Up-to-date antivirus protects your business from far more than phishing payloads. Some products include anti-phishing features that scan email attachments and block known malicious links. Schedule regular scans of the device as well, since a phishing payload that slipped past the initial check can otherwise sit unnoticed.
- Invest in the right technology. Phishing campaigns use email, file sharing and web browsing together: a link in a message leads to a spoofed site, a shared document carries a malicious macro, and the information gathered feeds a later targeted attack. Preventing this means monitoring all of those activities, in many cases in real time, which calls for tooling purpose-built for that kind of multi-channel threat detection and response (a secure email gateway combined with web filtering and endpoint detection, for example). That is a different job from antivirus and other anti-malware tools, which look only at isolated instances of an attack.
- Educate your employees about the threat. This is arguably the most important step in the whole process. Although you may recognise the signs of a fraudulent email, if your colleagues don't then your network is at risk. A good way to make sure the whole workforce understands the risks and can identify a phishing scam is to run simulated phishing tests, tracking both how many people click and how many report the message; a workforce that reports suspicious mail quickly gives your security team the early warning it needs, so make reporting easy, for example with a report-phishing button in the mail client.
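The sender-verification and link checks described under the first item, and the "think twice" rule on spoofed senders and disguised links, can be partly automated. The script below is an added example written for this page; it is not code from the original article or from any product mentioned. It parses a constructed spear-phishing message and flags the indicators discussed: a From domain that does not match the envelope sender (Return-Path), failed SPF or DMARC results in the Authentication-Results header, an HTML link whose visible URL points at a different host than its real destination, and an attachment with an executable or double extension. The sample messages, the domains in them and the list of dangerous extensions are all constructed for illustration.

```python
"""Triage an email for common phishing indicators (added example).

Checks performed:
  * envelope sender (Return-Path) domain differs from the From: domain
  * SPF / DKIM / DMARC results in Authentication-Results report failure
  * an HTML link whose visible text is a URL on a different host than its href
  * attachments with executable or double extensions
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of extensions a mail gateway would normally block outright.
DANGEROUS_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "hta", "bat", "cmd", "ps1", "lnk", "iso", "img"}

# Constructed sample: a spear-phishing message impersonating an internal sender.
PHISHING_EML = """\
Return-Path: <bounce@mail-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.net; dkim=none; dmarc=fail header.from=example.com
From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Urgent: wire transfer approval needed today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Bob, please approve the invoice at
<a href="http://invoice-portal.mail-example.net/login">https://portal.example.com/invoices</a>
before 5pm.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample: a legitimate internal message for comparison.
CLEAN_EML = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Q3 invoices
Content-Type: text/html; charset="utf-8"

<html><body><p>The Q3 invoices are <a href="https://portal.example.com/invoices">on the portal</a>.</p></body></html>
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender_alignment(msg) -> list:
    """Flag a From: domain that differs from the envelope sender's domain."""
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if from_addr and return_path and _domain(from_addr) != _domain(return_path):
        return [f"From domain {_domain(from_addr)} does not match Return-Path domain {_domain(return_path)}"]
    return []


def check_authentication_results(msg) -> list:
    """Flag failing SPF / DKIM / DMARC verdicts recorded by the receiving MTA."""
    results = str(msg.get("Authentication-Results", ""))
    return [f"{mech.lower()} check result: {verdict.lower()}"
            for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", results, re.I)
            if verdict.lower() in {"fail", "softfail", "permerror"}]


def check_links(msg) -> list:
    """Flag links whose visible text is a URL on a different host than the href."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if text_host and href_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


def check_attachments(msg) -> list:
    """Flag attachments with an executable extension or a double extension."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in DANGEROUS_EXTENSIONS:
            findings.append(f"attachment {name!r} has executable extension .{ext}")
        if len(pieces) > 2:
            findings.append(f"attachment {name!r} uses a double extension")
    return findings


def analyze(raw_message: str) -> list:
    """Run every check over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for check in (check_sender_alignment, check_authentication_results, check_links, check_attachments):
        findings.extend(check(msg))
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing sample", PHISHING_EML), ("clean sample", CLEAN_EML)):
        print(f"{label}: {analyze(raw) or ['no indicators']}")
```

Two caveats for anyone adapting this: the Authentication-Results header is only trustworthy when it was written by your own receiving mail server (an attacker can add a forged one, so a gateway should strip inbound copies before adding its own), and none of these indicators is proof on its own. A mismatched Return-Path is normal for mailing lists and some marketing platforms, so a real deployment scores the findings and quarantines or tags the message rather than rejecting on a single hit.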
Finally, assume that some users will at some point fall for a phishing email. It is therefore vital to have a phishing incident-management plan that is written, tested and resourced well enough to handle an attack. Everyone in the organisation needs to know their role in limiting the damage: isolating the affected machine, resetting compromised credentials and revoking active sessions, and preserving the original message with its full headers as evidence. Serious incidents may involve the police, so evidence must be collated and handled carefully. Clients need to know that their contacts at the company are working to protect them against the attack, advising them of their rights and supporting any who have suffered serious loss.