Suspicious emails are one of the oldest cybersecurity risks around, yet the 2021 Verizon Data Breach Investigations Report notes that phishing attacks account for more than one-third (36%) of all data breaches—a fraction which has actually risen in the past years. It’s undoubtedly true that people are generally much savvier when it comes to rooting out suspicious emails and phishing scams. But the scams have gotten smarter too, enabled by automation and big data, keeping suspect emails a still relevant source of tremendous risk, loss and damage in the business world.
What is phishing?
The basic format of a phishing attack starts with an email containing a link or document that looks legitimate but is designed to steal information or otherwise infiltrate a network or system. There are three main types of phishing attacks:
- Spam phishing is a wide-net, catch-all attack that broadly targets everyone in an organization—and often goes even wider to target dozens or hundreds of organizations.
- Targeted phishing, also called spear phishing, targets employees that are particularly valuable or vulnerable. This could mean employees with access to high-value information—or employees that give signals that they are more likely to fall for a suspicious email.
- Whaling is a subset of targeted phishing, where attackers target executive, senior-level or other high-ranking employees that are most likely to have high-value credentials and access to important information or assets.
How does phishing work?
Suspicious emails and phishing attacks can be executed in a number of ways. All of them attempt to get a user to take an action—like clicking a link or downloading an attachment—that actually gives the attacker information or control that can be used to:
- Directly steal valuable or sensitive information
- Steal credentials which can then be used to access valuable or sensitive information
- Obtain control of accounts, systems or other digital assets (as in a ransomware attack)
- Infect a device, system or network with malware
5 Strategies to Prevent Phishing in an Enterprise Environment
There are several best practices around how security teams can help their organization prevent phishing attacks:
1) Training & education for staff
Most everyone has been the target of a phishing attack or the recipient of a suspicious email—both personally and professionally. But that doesn’t mean that all users in your organization understand the depth and impact of the problem—or know how to recognize a suspect email. Start staff training and education by focusing on the impact—the (increasing) prevalence of phishing attacks and the real-world damage that businesses are experiencing every day as a result. Once you’ve gained buy-in by demonstrating that this problem is real—and deserves their diligence—you can move on to best practices for recognizing and avoiding phishing scams. This includes basic tips like exercising extreme caution before clicking links, opening attachments or even loading images in a suspect email from an unknown sender.
2) Test staff regularly
Beyond training, research shows that regularly testing employees on recognition of suspicious emails has measurable impact on their retention of this important knowledge. While a recent study found that 97% of people can’t identify a sophisticated phishing email, the Ponemon Institute demonstrated that basic phishing tests for employees can achieve retention rates as high as 75%.
3) Use robust AV—and update consistently
Even with the best training, employees are human—and humans make mistakes. To prevent a phishing attack from bombing your entire network with malware, make sure you have robust anti-virus and anti-malware tools deployed in your environment. And because cybercrime evolves daily, make sure you frequently and consistently update your cybersecurity toolset.
4) Secure accounts & access
Beyond employee training, perhaps the simplest and strongest protection against phishing is to ensure all users are creating and using strong passwords—and changing them regularly. In addition, consider using multi-factor authentication or two-step verification. These actions help ensure that, if an employee does get fooled by a suspicious email, an attacker will have a much harder time breaching additional accounts and systems.
5) Don’t let executives off the hook
Executives are the biggest targets of phishing attacks. So-called “whaling” attacks target high-ranking employees because they have the most valuable credentials, information and access. They’re often also the busiest—and get emails from a broad range of senders—making them more susceptible. Make sure you’re including executives and senior-level staff in all anti-phishing and cybersecurity awareness training. Not only is this critical to protecting these most-at-risk individuals, but it is essential to building a security-aware culture from the top down.
How to define a policy for handling suspicious emails and phishing attacks
The unfortunate reality is that, like other forms of insider threat, phishing attacks will happen, because people are fallible. That’s why it’s critical to have a defined policy in place for how your staff and your security team should respond to suspicious emails and phishing attacks.
Put the right tools in place
As mentioned, make sure you have robust anti-virus and anti-malware technology deployed. Tools to monitor user activity and data or file movement are also essential for enhancing response in the event of an attack.
Train employees on what to do if they receive a suspect email
How employees respond in the critical moments after they’ve received a suspicious email, or clicked on a suspect email link or attachment, can play a big role in how much damage is done. Here’s the basic process employees should follow:
- Report it: Let IT security know that you’ve received a suspicious email—and whether or not you clicked a link or downloaded an attachment.
- Delete it: Do a hard delete of the email.
- Manually block the sender: This will protect you from future phishing attacks from this source, and help cybersecurity tools establish a blacklist of suspicious senders.
- Contact the sender: If the suspect email purports to come from someone you know, contact that person separately (NOT responding directly to the suspicious email) to alert them to a possible account or credential hack.
Make Use of Endpoint Monitoring and Protection
The increasing use of personal devices at work introduces a number of new endpoints that are not fully protected under IT security systems. Monitoring endpoints and providing rapid remediation for compromised devices can prevent the proliferation of an attack originating from one of these unmanaged devices.
Analyze User Behavior to Spot Trouble Before It Begins
Insider threats—unwitting or intentional—continue to threaten enterprise security. It can be helpful to monitor user behavior for risk and analyze against a typical baseline to detect insider threats and other potentially damaging user behavior. Behavior analytics can also help identify compromised accounts easily, which can enable security teams to remediate quickly.
How to catch phishing sooner—and limit the damage
Phishing is a reality that security teams likely won’t completely stop. Yet there are simple strategies that can help accelerate the detection and effective response to a successful phishing attack in your organization:
Monitor all activity—endpoints, in the cloud, on and off network
To accurately detect the signs of a successful phishing attack as quickly as possible, security teams need to be able to see what all users are doing—everywhere. This starts with endpoint visibility, since users are almost always accessing emails from endpoint devices. This endpoint visibility needs to extend to both on and off-network activity, since remote and flexible work models mean users are increasingly working off the VPN. You should also have visibility into activity on the web and in the cloud, since web- and cloud-hosted email is now the norm in many organizations.
Understand “normal”—get a clear signal of risk
With the foundation of comprehensive visibility into user, file and data activity, it’s much easier to answer the question, “What does normal look like?” Once you’ve set a baseline, you can better tune out the noise of everyday activity—all the file and data movement that defines the modern collaboration culture—and focus in on a high-fidelity signal of risk. In other words, when compromised users start doing odd things—and files and data start moving in abnormal ways—you’ll be tipped off more immediately.