Hackers send phishing emails designed to appear to be from a legitimate source. The message encourages users to reply revealing sensitive information, or to click on a malicious link contained within the email. One click can open up your network to attack.
Whaling emails are similar. However, while phishing involves mass emails sent out in an untargeted manner, whaling is highly targeted on one individual, usually a senior manager.
The effectiveness of phishing is on the rise due to social engineering. Social engineering involves hackers using your digital footprint against you. Your digital footprint is the ever-increasing, readily-available information about you found on the internet.
Hackers extract information from the internet to make a phishing message appear legitimate. This more well-researched approach is known as spear phishing. The amount of information available online is making it easier for hackers to masquerade as a user's genuine clients, co-workers or suppliers.
Recently, a data breach at Hudson’s Bay was identified. It affected up to five million customers, including Saks Fifth Avenue shoppers. Hackers sent well-researched, whaling emails to key decision-makers, posing as their colleagues, encouraging them to click on a malicious attachment.
The breach went undetected for approximately one year, giving hackers access to credit card details throughout that period. Internetwork’s four layers of protection against phishing emails are outlined below.
1. Filter inbound email and web browsing
Anti-spoof controls, spam filters and blocking services can be installed onto your server and devices to act as a first layer of defence against phishing emails. This will prevent many dubious emails from reaching users at all, decreasing the risk of an employee causing a data breach.
A web filter can be installed to deny access to unapproved websites. This will block attempts to take users to phishing websites when they click on a malicious link. This should be part of your overall cybersecurity approach, along with encryption of data, password protection and ensuring your technology is kept up to date.
2. Raise awareness among users
Raising awareness of the different types of phishing occurring and promoting vigilance among members of your team are key steps to take towards preventing a data breach.
Even with email filters installed, some phishing emails are likely to slip through the net. Employees should be given guidance on how to identify fraudulent emails. Phishing user training can bring them up to speed.
Commonly, phishing emails will mimic emails you receive on a day-to-day basis in an attempt to blend in. For example, the subject will read “you’ve been tagged in a photo/comment” on a social media platform, “your mailbox is full” or “track your delivery”. With emails such as these, it is important to look closely at details before clicking any links.
Phishing emails often contain poor spelling and grammar, alongside poor-quality logos for the company the hacker is masquerading as. It is also unusual for a company to ask for usernames and passwords out of the blue via email. Banks, government agencies and large companies are unlikely to send information in attachments via email.
Email addresses can also be a tell-tale sign. Even where the body of the email looks legitimate, an email address containing a jumble of letters and numbers can identify the message as a phishing email. Most large businesses will email you from a simple email address, containing their website’s domain. Additionally, most businesses do not use standard, free, web mail addresses such as @gmail.co.uk or @yahoo.co.uk. Emails from addresses such as these should raise suspicion.
Dummy emails which imitate phishing scams can be sent to staff to test their knowledge. It is vital to regularly update users' knowledge with cybersecurity training of this kind. However, this form of training is not a silver bullet. Even experts can be reeled in by phishing emails, so employees cannot be expected to identify every one that drops into their inbox.
3. Establish a no-blame culture
To ensure that all identified phishing emails are reported, it is vital to ensure that no blame is placed on any employee involved with a mis-click. Phishing emails prey on users’ desires to be efficient and helpful. These traits should be encouraged at work.
Punishing a user for getting caught out will only discourage them from reporting incidents, create distrust and cause distress. Any training should be based upon building confidence.
4. Prepare a response to an incident
Where a phishing email has been identified, users should be trained not to click on any links or open any attachments contained in the email. Ideally, the email should not be opened and should be marked as spam and deleted. Your spam filter will pick up on this and should begin to block similar emails in the future.
Regardless of how many precautions have been taken, it is inevitable that, at some stage, a user will click on a malicious link, attachment or download. Educating team members and ensuring that there is not a blaming culture, as described above, should ensure that the mis-click and potential breach are reported.
Once a potential breach is reported, your network should immediately be scanned for malware, and all passwords should be changed.
Don’t get reeled in by phishing scams
Overall, it is key to take a well-rounded approach to combat phishing. Staff must be clued up, cybersecurity must be strong and procedures should be in place in case a mis-click occurs. In combination, the above actions can prevent successful phishing attacks and soften their impact when they do occur.