How do I prevent phishing attacks from happening?
This is a question that IT administrators in companies around the globe are asked all the time. Phishing is a common and highly effective attack that criminals use to break into accounts, steal data, and then scam your company.
In the past few years, phishing attacks have increased in frequency. With Covid-19 forcing many organizations to shift to remote work, phishing attacks have risen dramatically.
Email phishing attacks have increased by an astounding 667% according to research from Barracuda, an email security company. In an attempt to trick users, attackers have impersonated the US Government and the World Health Organization.
It is possible to stop phishing attacks from happening in your company, and it doesn’t need to cost a lot. You have a variety of tools that you can use to protect users and data from phishing attacks. This will increase your security, save IT admins’ time and help your business save money over the long term.
These are the top tips for protecting your data and users from phishing attacks.
What’s phishing?
Phishing is a criminal technique that scammers use to steal private information, such as credit card numbers or account login details, via malicious emails, phone calls, or SMS messages. The term was first coined in 1995, when hackers began stealing America Online (AOL) account details en masse through malicious emails, calls and text messages. Much like anglers, they lure users with bait into disclosing credentials. Hackers have traditionally replaced ‘f’ with ‘ph’, so ‘fishing’ became ‘phishing’.
Phishers behave in predictable ways. They will try to get the following information from you:
- Full name
- Full address
- Date of birth
- Bank account number
- Security code and credit card number
- Social Security Number
- Online account passwords
- Answers to security questions such as your mother’s maiden name
You might get an email claiming to be from your bank or credit institution, saying that there is a problem with your account that needs your immediate attention.
What are the phishing methods?
Let’s take a closer look now at the ten most common types of phishing.
- Spear Phishing
- Clone Phishing
- Whaling
- Pop up phishing
- Vishing
- Smishing
- Search engine Phishing
- DNS poisoning or Pharming
- Man in the middle
- Business Email Compromise
Spear Phishing
Spear phishing targets individuals who hold important corporate information. These email scams may appear to come from your peers at work or from superiors who claim to need access to certain data. Unlike ordinary phishing, which targets broad audiences, spear phishing focuses on one specific target.
Sometimes, this tactic is used by scammers to target vulnerable populations. According to a 2019 study done by the Aspen Institute’s Tech Policy Hub, senior citizens in America are statistically more susceptible to phishing attacks.
Clone Phishing
Clone phishing is when criminals copy a legitimate email, such as a reminder sent by a bank, and insert a fake attachment or link. The cloned message then tricks bank customers into divulging sensitive information.
Whaling
Whales are the highest-value targets in phishing. They are CEOs, CFOs, or other high-ranking executives who earn more than the average professional and have access to funds. Companies can suffer huge losses if attackers manage to obtain their credentials.
Pop up phishing
This is also known as in-session phishing. Pop-ups appear while people are browsing or visiting websites and ask them to take a survey or perform a similar action. Their device is infected once they click on the pop-up.
A pop-up may inform victims that the website has been attacked by viruses and require them to install antivirus software right away. When the victims download it, malware or adware is installed on their computers.
Vishing
Vishing, a combination of ‘voice’ and ‘phishing’, occurs when criminals call to ask for private information. They can often make themselves sound professional and pretend to be representatives of banks or insurance companies, so that you feel comfortable sharing your personal information with them.
Smishing
Smishing is the use of SMS (Short Message Service) text messages to phish. Watch for misspellings and typos in such messages; unprofessional-sounding messages are usually a red flag too.
Search engine Phishing
Fake websites are created by fraudsters to steal login information. These websites are promoted using Google Ads in order to be highlighted in search engine results for popular queries.
Google reported an increase of more than 250% in the number of phishing websites at the start of 2020. The trend is not slowing.
DNS poisoning or Pharming
Pharming redirects legitimate traffic to a spoofed webpage to collect sensitive personal information via the internet DNS (Domain Name System).
Man in the middle
Free public Wi-Fi networks are the most common setting for this type of attack, for example in places where people may need to quickly make online purchases.
Once you connect to the attacker’s network and make a purchase, your credit card information is captured as it passes through.
Business Email Compromise (BEC)
This is the most dangerous type of spear-phishing scam. It is usually carried out by supposed “company executives” who urge employees to quickly make small transactions, such as purchasing gift cards. The FBI estimates that BEC was responsible for almost half of all cybercrime-related financial losses in 2019.
These phishing techniques come in many variations, but all fall within the same category.
How can you protect yourself against phishing attacks?
Unfortunately, we cannot stop phishers from trying. But there are many ways to protect your email address and personal information.
These are some practical tips to help protect your email from phishing attacks.
- Keep your data secure with security software. Effective security software can provide additional protection and peace-of-mind.
- Enable multifactor authentication (2FA) for your online accounts. You will be asked to enter your password and a security code that is sent to you by SMS. Although it takes a little longer, it makes it much more difficult to hack your account.
- Use a password manager. Services like LastPass and KeePass store your credentials securely, so you can log in to your accounts without keeping a copy of your passwords yourself.
- Use a VPN to browse securely. A VPN (Virtual Private Network) conceals your location and transaction details by encrypting any information that you send. It works like sending an encrypted message to the Internet: only the intended recipient holds the key and can break the code. This means that hackers and phishers can’t spy on your online activities.
- Always make sure to update your browser/OS regularly. They are there for a reason. The software provider might have discovered vulnerabilities in their system, and made fixes to improve security.
These points may seem obvious, but they are important. How often do you use a VPN or password manager when browsing Instagram, or when using your local coffee shop’s free Wi-Fi? We thought so. Are you sure your device isn’t already infected?
What to Do if You Suspect a Phishing Attack
What if you click on a malicious link by accident? What if they were so clever that they convinced you, despite our warnings?
Don’t worry, there are steps you can take that will ensure that no more damage is done.
- Disconnect your device immediately from the internet. If you clicked on a malicious link that redirects to a questionable website, this is a good idea.
- Change your passwords for all online accounts.
- Call your bank immediately if you suspect your credit card was victim to this phishing attack.
- Inform your friends and coworkers if you have an account that was stolen.
- Be aware of the warning signs that identity theft is occurring. Register a fraud alert with your bank or the relevant government agencies.
- Backup your files and format your device if necessary.
- Scan your device for malware and viruses.
It’s great to deal with phishing scams, but how about fighting back? You might wonder how to report suspicious emails after you have removed the infection.
Reporting phishing scams
Once you’ve identified an email as phishing, it is time to fight back. You can take steps to make yourself and others more secure.
- Forward the email to the Anti-Phishing Working Group at reportphishing@apwg.org. Send phishing SMS messages to SPAM (7726)
- Report the phishing attack to the FTC at FTC.gov/complaint.
- Mark the email as spam. This tells your email provider to send future emails from this address to the trash.
- You can report phishing emails to Google if the sender is using a Gmail account. Click the three dots next to the Reply link and then look for the Report as Phishing Email option.
You’ve now identified phishing and reported it. Great job! You now need to know how to avoid phishing attacks.
Tips to Prevent Phishing Attacks
Here are 10 easy tips to identify and prevent phishing scams.
1. Learn what a phishing scheme looks like
There are new phishing attacks being developed every day, but there are commonalities that can easily be identified if one knows what to look out for. Many sites are available online to keep you updated on the latest phishing attempts and key identifiers. You can avoid potential attacks by sharing the most recent attack methods with your users early on.
2. Do not click on the link
Even if you are familiar with the sender, it is not recommended to click on any link contained in an email or instant message. Hover over the link first to verify that it points where it claims to. Phishing attacks can be very sophisticated: the destination site may look like a carbon copy of the real one, built to steal login or credit card details and record keystrokes. It’s better to go directly to the site using your search engine than to click the link.
3. Anti-phishing add-ons are available for free
Many browsers allow you to download add-ons that detect phishing websites or warn you when you land on one. These add-ons are often completely free, so there is no reason not to install them on every device within your company.
4. Do not give your personal information to any unsecured website
If you don’t see the closed padlock icon next to the URL, or the URL doesn’t begin with “https”, do not enter sensitive information or download files. Websites without security certificates might not be phishing sites, but it is better to be safe than sorry.
5. Rotate passwords regularly
Online accounts should be protected by regularly rotating passwords to prevent attackers from having unlimited access. You may not be aware that your accounts have been compromised. Password rotation can help prevent future attacks and protect you from potential attackers.
6. These updates should not be ignored
It can be frustrating to receive multiple update messages, but do not ignore them. Security updates and patches are issued for a reason: most commonly, they fix security holes that the latest cyber-attack techniques exploit. If you don’t update your browser, you could be vulnerable to phishing attacks that use known vulnerabilities.
7. Install firewalls
Firewalls can be used to protect your computer from external attacks. When used together, both network firewalls and desktop firewalls can increase security and decrease the likelihood of hackers infiltrating your environment.
8. Do not be seduced by pop-ups
Pop-ups can be annoying, but they are also often part of attempted phishing attacks. Many browsers allow you to install free ad-blocker software that will block most malicious pop-ups. If a pop-up does get past the ad blocker, don’t click on it. Pop-ups may try to trick you into clicking a fake “Close” button; always look for the “x” in the corner instead.
9. Do not give out any important information unless absolutely necessary
You should never give your card information to a site that you don’t trust. If you are required to give your card information, make sure you confirm that the website is legitimate, that the company is legitimate, and that the site is secure.
10. To spot the signs of an attack, use a Data Security Platform
It is important that you can quickly detect and respond if you fall victim to a successful phishing attempt. A data security platform can help relieve some of the stress on the IT/Security department by alerting them to suspicious user behavior and unwelcome changes to files. Data security platforms can identify an attacker who has gained access to sensitive information and help you take steps to prevent further damage.
How to Avoid Phishing Attacks?
An email from an unknown sender may ask for your personal information, such as your login credentials or phone number.
- You should not follow links or give out personal information to anyone until you’re certain the email is genuine.
- Use one of these methods to report suspicious emails
Here are some things to watch out for when you receive an email that looks suspiciously like a phishing attempt.
- Verify that the sender’s name and email address match.
- Verify that the email domain is legitimate.
- Verify that the message headers are correct.
All you need is common sense and the ability to resist impulse. It is easier to avoid phishing by being aware of your browsing habits.
Phishing Emails
Phishing emails are the most common type of phishing attack. Almost everyone has received one of these emails at some time.
You’re likely to be asked to open a file or click on a link that will infect your computer with ransomware or viruses. It could ask you to complete an invoice, make fraudulent payments, or log in to your account. These emails are unlikely to come from trusted contacts, so savvy users will ignore them. They can be very convincing and even cause serious harm.
Phishing attacks often use domains such as “apple.iphone.com”, which appears to be legitimate but is actually a spoof site. This will fool users enough to give their passwords or make payments to attackers.
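One way to automate the three header checks listed above together with the lookalike-domain trick in the “apple.iphone.com” example, as an added Python example that is not part of the original article. The sample message, the TRUSTED_BRANDS table and the check_email function are constructed assumptions, not any product’s logic.

```python
"""Triage an email's headers and links for the mismatches listed above.
Added example, not from the original article; standard library only.
The sample message and TRUSTED_BRANDS table are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: display name claims Apple, but the From domain,
# Reply-To, Return-Path and the link all point elsewhere.
SAMPLE_EMAIL = """\
From: "Apple Support" <support@apple.iphone.com>
Reply-To: billing@apple-iphone-verify.example
Return-Path: <bounce@apple-iphone-verify.example>
Authentication-Results: mx.example.net; spf=fail; dkim=none
Subject: Your account needs immediate attention
Content-Type: text/plain

Please log in at http://apple.iphone.com/login to confirm your details.
"""

# Assumed brand -> genuine registered domain table maintained by the org.
TRUSTED_BRANDS = {"apple": "apple.com"}


def registered_domain(host):
    """'apple.iphone.com' -> 'iphone.com'.  Simplification: takes the last
    two labels, so multi-label suffixes such as co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_mismatch(text, host):
    """A brand name appears in text, but host's registered domain is not
    that brand's real one: the 'apple.iphone.com' subdomain trick."""
    for brand, real_dom in TRUSTED_BRANDS.items():
        if brand in text.lower() and registered_domain(host) != real_dom:
            return f"mentions '{brand}' but registered domain is {registered_domain(host)}"
    return None


def check_email(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_host = addr.split("@")[-1] if "@" in addr else ""
    from_dom = registered_domain(from_host) if from_host else ""

    # 1. Sender name vs address: display name claims a brand the domain lacks.
    hit = brand_mismatch(display, from_host) if from_host else None
    if hit:
        findings.append(f"From display name {hit}")

    # 2. Reply-To / Return-Path normally share the From domain.
    for hdr in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(hdr, ""))
        if "@" in other and registered_domain(other.split("@")[-1]) != from_dom:
            findings.append(f"{hdr} domain {registered_domain(other.split('@')[-1])} != From domain {from_dom}")

    # 3. Authentication-Results: anything but spf=pass / dkim=pass is a flag.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 4. Link hosts in the body get the same lookalike test as the sender.
    for host in re.findall(r"https?://([^/\s:]+)", msg.get_payload()):
        hit = brand_mismatch(host, host)
        if hit:
            findings.append(f"link host {host} {hit}")
    return findings
```

Running check_email on SAMPLE_EMAIL yields six findings (sender name, Reply-To, Return-Path, spf, dkim and the link host); a genuine message from the brand’s own domain with spf=pass and dkim=pass yields none.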
Phishing attacks are not limited to email. Users are increasingly being targeted by SMShing, Vishing, and phishing via text messages and phone calls. These attacks are often extremely successful, as we don’t approach text messages with the same caution we do email. 98% of people open all text messages they receive. Only 25% of emails are actually opened.
Spear-Phishing, Business Email Compromise
Spear-phishing is a sophisticated form of phishing. Spear-phishing refers to hackers impersonating trusted senders, such as a business contact. They will then contact users and pretend to be someone they know to request account information or to make payments.
This is a very effective tactic, since you are unlikely to suspect someone you trust, or a company you have worked with before, of being an attacker in disguise. These types of attacks are therefore often successful.
Business Email Compromise is a more sophisticated form of phishing. This is spear-phishing used by attackers to get access to CEO and high ranking executive accounts. They can then request multiple fraudulent invoices from employees.
Phishing websites
Phishing websites are another issue to be aware of. Users may find pages that appear legitimate but that are actually phishing sites. These pages are created to make it look authentic, but they will be collecting your data. Webroot estimates that around 1.5 million new phishing websites are created each month.
These pages are often accessed via links in phishing emails. However, users can find them by normal web browsing if the attacker is skilled enough to create a fake page and hide it within a legitimate site.
This is exactly what happened recently when a hacker group placed just 22 lines of code on the British Airways website. It directed a subset of their users to a website that asked them to log in and enter credit card details.
The group was able to access information about half a million customers of the airline. BA was recently fined more than £183 million under GDPR for not properly protecting this data.
What is Phishing and How Does It Cause So Much Harm?
You can see the damage phishing attacks can cause by looking at BA as an example. According to IBM, phishing accounts for 90% of data breaches. The average breach costs $3.86 million. Last year, 76% of businesses were victims of phishing, and this number is expected to increase this year.
Phishing attacks are so successful because they can slip through security gaps in email and other web security technologies. Email clients such as Exchange, Office 365, or G-Suite are used by businesses for their email communications. These platforms can filter out malicious emails, such as spam or email that contains malicious links.
Many phishing emails carry no malware at all, however. They use social engineering to trick users into giving out personal or confidential information. Emails that contain only URL links can still slip through the gaps: the URL is scanned and classified as safe by the email filter at delivery time, and malware is placed on it afterwards.
The same principle applies to phishing sites. Although you may have anti-virus software on your desktop that stops malicious downloads and prevents malicious webpages from loading, sophisticated phishing websites trick users into signing in to their accounts or entering credit card details, which the attackers can then sell or use elsewhere.
How can you stop phishing attacks?
Phishing attacks are difficult for both users and security technology to detect, and so they are often extremely successful. How can you stop them?
Email Filtering
A Secure Email Gateway is your first line of defense against phishing.
Email gateways automatically quarantine malicious and harmful emails before they reach users’ inboxes. Good email gateways will stop 99.99% of spam emails and remove malicious attachments or links. They are essential in stopping fraudulent phishing emails.
Email gateways like Proofpoint can also show when accounts have been compromised. This is useful to prevent any business email compromise attempts within an organization and to stop spamming or phishing emails being sent to companies you work with.
Organizations of all sizes need an email gateway. You can stop phishing attacks by choosing from a variety of vendors that offer cost-effective, user-friendly and highly secure email gateways.
Phishing protection in your email Inbox
A particular problem with phishing is that admins can’t reach into user inboxes to remove threatening emails after delivery. Post-Delivery Protection platforms make this possible; platforms like IRONSCALES offer a complete solution built around it.
Post-Delivery Protection defends users against email threats using machine learning algorithms and artificial intelligence (AI) that are trained on common attributes of phishing emails. These attributes are then checked against the emails users send and receive, and anti-virus engines analyze the messages to identify suspicious ones. The best Post-Delivery Protection services display such emails with warning banners to alert users that they could be dangerous or, if required, remove them from your network.
Organizations that deal with sensitive or high-value data need to have strong protection against phishing attacks.
These platforms can be used in conjunction with the Secure Email Gateway. You can combine them to create a multilayered security strategy that will prevent most phishing attacks from reaching your email network. Additionally, you’ll have the tools and resources to eliminate any advanced attacks that could bypass the spam filter.
Website filtering
Web filtering is one way to stop your users accessing phishing sites. Web filtering can be done in a number of ways, including a web proxy and filtering with DNS. These filters scan web pages for viruses and sort them into categories.
The organization can then block certain categories and apply policies that block access to phishing sites. This is essential to stop users from accessing fake phishing sites that appear legitimate, downloading malware, and entering their financial information.
Web filtering systems that are sophisticated will use machine learning algorithms to analyze webpages for signs of phishing.
Isolation of Email and Web
Isolation is an alternative approach to the phishing defenses we have looked at so far. It offers total protection against these threats by removing online content from the user’s desktop and running it in secure containers. This does not impact the user experience.
This is a great way to ensure that web-based content is free from threats and is delivered to users without the possibility of compromise or infection. Any threats that a user may encounter when they visit phishing websites or open malicious attachments in emails will be stopped if isolation is used.
Isolation works by mirroring webpage content and having any malicious code removed. Many Isolation vendors are able to protect users against credential theft. Menlo Security’s Jonathon Lee explains this:
“With Isolation, a phishing site is not only isolated but also put in read-only mode. The user can still see the page and scroll through it. However, they cannot enter any information.
This is crucial because it means that users who visit phishing pages impersonating banks, for instance, will not be able to enter their account details. This is also true for invoices and other documents.
Isolation is an advanced method to stop phishing attacks and is recommended for organizations that want to eliminate the threat completely. Isolation, when combined with email security is one of the best ways for organizations to prevent phishing attacks.
Phishing Simulation
It is important to determine how well your employees are able to tell whether an email is phishing. This allows admins to determine the risk to their organization from phishing and directs training to where it is most needed.
This is a very popular method, as many vendors offer a platform that allows users to create fake phishing emails and then send them to their recipients. These same vendors offer security awareness training materials that can be used to help users identify phishing emails.
The best phishing simulation platforms offer a variety of pre-built templates that admins can modify to make them more relevant to their company. Administrators can change the text, call to action, and images in the email, making it harder or, if necessary, easier to recognize as phishing. Administrators should also be able to customize landing pages so that users who fall for a simulated phishing email are warned immediately.
Administrators can then send simulated phishing emails to individuals, groups, or departments, with a different difficulty level for each group. They should be able to track users who fail the tests and identify trends within the company.
The main purpose of phishing simulation is not simply to test whether people can identify phishing. Instead, it is a great way to help users with their cybersecurity weaknesses. It is important to make sure that all employees are aware of phishing and have the tools to spot it.
Security Awareness Training
Phishing attacks use human error to their advantage. They don’t attempt to bypass security technology, but instead rely on human errors, such as reusing passwords and being fooled or tricked by emails and webpages that are well-crafted. They also take advantage of the fact that most people are not well-versed in cybersecurity best practices. The phishing attacks cyber professionals face every day are so sophisticated that most people don’t know how complex they can be.
Security Awareness Training is an important step in combating this, increasing awareness of threats, and how to stop them. Businesses can purchase a variety of security awareness training materials from vendors. These materials are often interactive and encourage users to learn more about security issues.
They provide information on how to increase security: using two-factor authentication, not reusing passwords, not clicking on email links from people they haven’t met before or whose messages don’t look right, and checking the URLs of websites. These are all essential habits if users are to stop phishing attacks.
These materials are often delivered in bite-sized chunks to ensure that users can easily absorb them. Many Security Awareness Training vendors also offer phishing simulation, which allows admins to direct training at those users who have difficulty identifying phishing attacks.
Your users are your most significant security threat, but they are also your first line of defense against security threats. It is crucial that they are educated about security issues and know how to avoid them. This is especially important when it comes to stopping phishing.
Summary
These solutions will assist you in stopping phishing attacks. They will also reduce the chance that your employees will transfer money to criminals.
Although social engineering can be extremely damaging, it is possible to prevent phishing attacks on your users and organization by implementing security awareness training.