11 Steps to Mitigate the Risk of Phishing Attacks
What is Phishing?
It is exactly what it sounds like. When someone goes fishing, they use a fishing rod to cast out a line with bait and a hook to attract a fish. Once the fish is caught on the hook, the fisher reels it in. The fish is caught.
Phishing is the same idea. A phisher (the attacker) casts out bait with a hook to lure a person into doing something they wouldn’t normally do. Once the person is hooked, the attacker has accomplished their goal.
From there the attacker will usually use the hooked person to steal data or money.
Phishing is a form of social engineering. It is one of the most common forms of social engineering.
Phishing often leads to bigger problems.
The Odds Are Very Much Against Your Business
The odds are your business is currently under attack. 76% of all businesses report being a victim of phishing attacks in the last year. Some phishing attacks are not recognized or reported so the number of businesses is probably closer to 90%.
90% of data breaches begin with a phishing attack. Think about the information that is in your email account. We recommend our clients do not store data in the email (archive it ASAP) but realistically it happens a lot.
The odds are not in your favor, but there’s hope!
Phishing doesn’t just occur in email. It also occurs through text messaging (SMishing) and Voice (Vishing).
11 Steps to Mitigate the Risk of Phishing Attacks
1. Education – What I consider to be the most important step in phishing mitigation. Education is critical to reducing the risk of a phishing attack. Many of the phishing attacks that are reported show that the employees who were victimized had very little knowledge of how to identify a phishing attack.
There are several things you can look for to identify a phishing attack. Some of the more common indicators are:
- Poor grammar/spelling
- Sent from a free email account
- Use of emotional cues to get you to do something (usually fear)
- Unsolicited email (password changes, invoice)
- URLs that are not the real URL (paypal.com vs. paypa1.com)
- The website is missing images or has poor grammar
Employers/IT should also be able to provide awareness/alerting on potential attacks. For example, I recently alerted clients to new Microsoft Phishing Attacks and what they look like.
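To show how the indicators above translate into something a mail filter or help desk can check mechanically, here is an added example (not code from the original article) that scores a message against four of them: free-mail sender, urgency language, unsolicited password/invoice requests, and lookalike domains such as paypa1.com. The brand list, free-mail list, and sample messages are all constructed assumptions.

```python
"""Score an email against the phishing indicators from step 1 (added example)."""
import re
from urllib.parse import urlparse

# Assumed lists; a real deployment would use the organization's own data.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
KNOWN_BRANDS = {"paypal.com", "microsoft.com"}
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify now", "final notice"}
UNSOLICITED_TOPICS = {"password", "invoice", "payment"}
# Digits commonly swapped for look-alike letters (paypa1.com for paypal.com).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def sender_domain(from_header):
    """Return the domain part of a From: header, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def normalize(domain):
    """Undo common character substitutions so paypa1.com compares as paypal.com."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def lookalike_domains(urls):
    """Hosts whose registrable domain is NOT a known brand but normalizes to one."""
    hits = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        base = ".".join(host.split(".")[-2:])
        if base not in KNOWN_BRANDS and normalize(base) in KNOWN_BRANDS:
            hits.append(host)
    return hits


def score_email(from_header, subject, body):
    """Return the list of indicators that fired; an empty list means none did."""
    reasons = []
    if sender_domain(from_header) in FREE_MAIL_DOMAINS:
        reasons.append("sent from a free email account")
    text = (subject + " " + body).lower()
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("emotional cue / urgency language")
    if any(t in text for t in UNSOLICITED_TOPICS):
        reasons.append("unsolicited password/invoice/payment request")
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    for host in lookalike_domains(urls):
        reasons.append(f"lookalike URL: {host}")
    return reasons
```

A message that trips several indicators at once deserves a second look or a phone call (step 9), while a single hit on its own is not proof of phishing.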
2. Strong Password Policies – I talk about strong passwords often and some people believe I should stop because everyone gets it.
Guess again. In 2019 the most compromised password was 12345. There is just no way this should still be happening.
A strong password means UPPERCASE, lowercase, numbers and special characters. The longer the better. I usually recommend at least 12 but none of mine are under 15.
You can accomplish this using password phrases like song lyrics or movie quotes.
Other things to point out. Don’t reuse passwords. There are password lists on the dark web for sale, sometimes for less than $2. If your password that you use across multiple websites and applications is on this list, it will be used to compromise your accounts.
I recently spoke to an attorney who told me he doesn’t use the same password on what he considers important applications and websites but for all other applications and websites he uses the same password. This instantly makes you more susceptible to a potential compromise.
Use a password manager. I get it, it’s impossible to remember all your passwords especially when they’re 15+ characters with UPPERCASE, lowercase, numbers and special characters. Use a password manager to make your life easier. Just make sure you secure it with MFA and a strong password.
3. MFA/2FA – It drives me crazy every time I hear about a HIPAA breach as a result of phishing. It shows that MFA/2FA was not active. The statement after the attack almost always includes something along the lines of “We are taking steps to better secure our email accounts”.
MFA (Multifactor Authentication) simply means using multiple forms of authentication beyond the password. This often includes biometrics.
2FA/TFA (Two Factor Authentication) usually means a time-based token, which can be hardware or software-based. SMS is sometimes used for 2FA, but if you can avoid using SMS for 2FA, you should.
MFA/2FA is very easy to set up. Not having it set up has resulted in some extremely costly phishing attacks and ransomware attacks.
4. Anti-Phishing Software/Service – There is software that identifies potential phishing emails. It then either notifies an admin, quarantines it or alerts the receiver. The admin/receiver has the option to mark it as a legitimate email or phishing.
5. Anomaly Based Malware Protection – The intention of some phishing attacks is to install malicious software on your computer or server. There is software to help detect malicious software.
For many years anti-virus/anti-malware software was signature-based. That means the security software vendor waited for new malicious software to be created and released to the world before they added a way to detect it with their software. You would then need to update your security software to protect your computer from it.
While signature-based security software is still widely used today, there is an alternative. Anomaly-based security software identifies things that are not normally on your computer and quarantines them until someone approves them. It also identifies scripts and blocks them until approved.
Anomaly-based security software has a much higher success rate of blocking malicious software that comes in through a phishing attack.
6. DNS/Web Filtering – Today’s web filtering software better identifies malicious/phishing websites. They can block suspected phishing sites and sites in several categories. It’s advisable that businesses block adult sites, gambling sites, new sites, and other categories.
DNS filtering also allows you to see outbound traffic that you might not be aware of, and in some cases, it can block the outbound traffic.
7. Phishing Simulation – This basically tests your employees on their ability to identify a phishing email. If they click on a simulated phishing attack, they are alerted to this. They can then be provided with more awareness training.
Usually, a baseline phishing simulation is done to identify areas of opportunity. After the initial simulation, training occurs, and then another round of simulated attacks is run to see if there is an improvement.
After that simulated attacks occur at the discretion of management and IT. Training occurs as needed based on the results.
8. Think Before You Click – Before you click on any link or attachment think about it. Did you ask for this email? Do you know the sender? Can you type the website address in manually rather than clicking on it?
Do you even shop at that store or bank at that bank?
9. Verify Before You Click – Can you call the sender to verify they really did send the email?
A client of ours told me about an email they received from someone he knew. The email looked suspicious, so he decided to give them a call rather than respond to the email or click on anything.
He did the right thing because the “sender” said their email account was compromised and they were working with their IT to correct the issue.
If you receive an email, phone call or text message from someone who says they need to update payment information, or they need a list of aging accounts you should verify this information with members of your team, and the vendor(s).
10. Have a Response Plan – There’s a saying in IT. It’s not if you’re attacked, it’s when. You need a response plan to follow WHEN an attack occurs.
If you can identify an attack before any damage is done, that’s awesome. Now work to stop the attack so that you can ensure no damage is done. This typically means identifying the source and blocking it.
Then see the next step.
If there was a compromise you need to work quickly to disable the account and remove any data. The longer the attacker goes undiscovered the more likely they will gain access to other parts of your network and steal data.
Some of my clients have web access disabled on top of MFA and strong passwords. Others have alerting set up, so I know if/when they are accessing the account. If something seems off, we question it by reaching out to the client.
You’ve Been Hooked!
Phishing is one of the most common forms of “hacking”. It can occur through email and most often does. It can also be done through social media, text messaging, and phone calls.
To make matters worse sometimes there are targeted phishing attacks called spear-phishing attacks. These include more personalized information like your name or other relevant info. These are also harder to identify.
With the growth of Artificial Intelligence, it is easier for the bad guys to launch sophisticated phishing attacks. Throw in Deep Fakes and things can get trickier.
These steps will help significantly reduce your exposure to phishing. As technology evolves it’s critical to keep yourself and your employees/co-workers educated and aware.
If you’re not already being attacked you will eventually. If you’re prepared you can win. If you’re not prepared the loss may be more than your business can overcome.