Here are some worrying phishing-related facts from 2020:
- Phishing was present in 36% of breaches compared to 25% in 2019
- 74% of American organizations experienced a phishing attack – 30% higher than the global average
- According to a survey, one-third of Canadian organizations were targeted with COVID-19 related phishing (and other) attacks
- There were almost 15X more phishing complaints in 2020 compared to 2016
According to the Phishing by Industry 2020 Benchmarking Report, almost all industries are at risk of phishing attacks, including:
- Healthcare & Pharmaceuticals
- Business Services
- Consumer Services
To prevent phishing scams in your organization, Packetlabs suggests the 4-step approach explained below.
#1: Deploy Proactive Phishing Prevention Tools
The best way to avoid phishing attacks is to prevent phishing attacks. One way to do this is by deploying “ahead-of-threat” attack prevention tools.
This approach, developed by IBM Research in Tokyo and IBM X-Force, involves monitoring Domain Name Server (DNS) traffic and analyzing DNS data to:
- Identify, categorize and block malicious domain names that bad actors use to register phishing websites
- Detect infected devices
- Provide actionable information for forensic investigations
This proactive approach helps organizations identify malicious domains before scammers can use them in a phishing attack and before the threat becomes visible. Another advantage is that IT leaders in organizations can quickly find and remediate compromised endpoints with this approach and thus limit the damage across the network. To further strengthen your endpoint monitoring capabilities and prevent phishing attacks from increasing across the entire network, deploy a robust Endpoint Detection and Response (EDR) tool.
#2: Detect Potential Phishing Attacks with AI
Many tools are available that prevent phishing emails from reaching users. However, scammers usually find a way around these tools and can bypass traditional Secure Email Gateways.
Artificial Intelligence (AI) tools fight phishing inside users’ inboxes. AI goes beyond simple signature detection to learn the user’s email communication habits. It can then automatically detect anomalies – and potentially suspicious – behaviours and provide security teams with actionable data so they can respond quickly to what might be a phishing scam. AI can also scan inbound links in real-time to determine whether a particular page is fake and automatically block access to verified malicious links.
#3: Build a Robust Email Security Awareness Program
There’s no email without users, and there’s no email security to prevent phishing without user awareness. Build a strong security awareness program so employees learn to spot phishing tactics and how they can avoid falling victim to them. Provide updated information on current phishing trends, and share advice about cybersecurity strategies. Make them aware of the organization’s policies and tools to mitigate or prevent phishing scams.
As part of the security awareness program, it’s also essential to:
- Reiterate why they should not click on suspicious links or attachments
- Inform that they should forward suspicious-looking emails to the security team
- Give feedback on whether they’re flagging emails correctly
- Maintain a positive rather than a punitive culture around phishing prevention
- Train employees at all levels, from the C-suite to the most junior, from at-location staff to remote workers
#4: Conduct Simulated Phishing Attack Tests
A simulated phishing attack test, also known as a phishing penetration test, aims to:
- Assess the effectiveness of enterprise security awareness training programs
- Establish whether employees are vulnerable to phishing emails
- Help users better understand phishing attacks
Penetration tests provide a benchmark for security awareness, enable security teams to take remedial action to improve this awareness, and ultimately strengthen the organization’s cybersecurity posture.
For maximum effectiveness, these tests should be conducted regularly. They should also mimic real-life phishing attacks with emails that result in users submitting sensitive emails on a fake website, e.g. passwords, credit card details, etc. Furthermore, pen testers must deploy numerous phish of varying difficulty levels and monitor which emails are opened, clicked, or have credentials entered. Use the results of this campaign to strengthen your employee education program.
A Final Word
The four strategies explained above provide a robust approach to prevent phishing. In addition, you should also limit user access, especially to high-value systems and data. This approach can help protect sensitive and business-critical information from both malicious and negligent compromise. You can also monitor user behaviours to identify and address the risks of insider threats.
The Packetlabs team are your penetration testing experts for all kinds of use cases, including phishing prevention. If you suspect that your organization is highly vulnerable to phishing attacks, we recommend you get a phishing pen test done. Talk to an expert or ask for a free quote.