Phishing Attack Prevention: How to Spot It and What to Do
No business, small or large, is impervious to phishing attacks. Some of the largest-scale attacks have been on renowned multi-million dollar corporations.
Fortunately, there is a light at the end of the tunnel. It is possible to defend against phishing and mitigate the risks that are associated with it. With the right approach, businesses can detect phishing attempts early on, isolate suspicious emails, and alert recipients before they fall victim to the ploy.
Security is the key. Not just any kind of security, but layered controls that combine:
- Security awareness training for employees
- Fortifying email security
- Verifying suspicious communications through official channels
Security Awareness Training for Employees
Getting the right education is the first step in thwarting an attacker's scheme. Businesses need to carry out security awareness training for lower and higher-ranking employees, as everyone is a possible target.
This training focuses on raising awareness of the most common threats that end-users and employees are exposed to. Afterward, it is time to test their knowledge with a quiz session or with a realistic simulation of an actual attack. In the latter case, the company could carry out a two-step process:
- Phishing for Awareness
- Phishing for Security
Phishing for awareness involves sending out templated emails to employees. Those who fail will be notified and will be shortlisted for further training.
On the other hand, phishing for security is a simulation of an actual attack aimed at evaluating IT controls and preparing the IT team to handle a real-life incident. This exercise tests endpoint defenses, network firewalls, mail filtering, incident response procedures, and the security information and event management (SIEM) system: does the simulated phish get blocked, and if not, does anyone notice and respond?
As new phishing techniques are continually invented, it becomes even more pertinent to stay informed at all times. The training could either be a self-led course or spearheaded by an expert instructor.
Fortifying Email Security
Protecting your email communications is an indispensable step in preventing outsider infiltration. The first step is to use a reputable email provider such as Google Workspace or Microsoft 365. The major platforms already filter a large share of phishing, but you can achieve an even tighter hold with further controls, such as:
- Implement Two-Factor Authentication (2FA) - In addition to your password, two-factor authentication requires something you have, such as a phone, an authenticator app, or a hardware token. It may also use biometrics such as fingerprints, voice recognition, or a retinal scan. This measure is a must, as a phished password alone is no longer enough to take over the account. Note that SMS and one-time codes can still be relayed by a phishing page that proxies the real login in real time; hardware security keys using FIDO2/WebAuthn are bound to the genuine site's origin and resist this.
- Microsoft Advanced Threat Protection and Google safety controls - Google's safety controls scan emails, links, and attachments for malicious content. Microsoft Advanced Threat Protection (ATP, since renamed Microsoft Defender for Office 365) offers comparable protection. It scans emails and their content to detect malware, detonates attachments in a sandbox, and rewrites links so they are checked at click time. ATP also checks sender domains for deliberate typos used to create lookalike addresses.
- Post-delivery protection - Post-delivery email protection uses machine learning to detect phishing that has already reached the inbox. Such a platform lets users report suspected phishing messages and lets administrators add warning banners to them or pull them from every mailbox that received them.
Verifying Suspicious Communications through Official Channels
Whether the contact arrives by email, voice, or SMS, you would do well to verify any suspicious request before acting on it. Call the official company phone line, taken from the company's own website or a statement you already have, to confirm any request you received via mail, instant message, or phone. Never use the phone number or link supplied in the suspicious message itself, since the attacker controls those.
If the request demands immediate action, don't let the pressure rush you. A sense of urgency is a hallmark of scam mail, so there's a good chance you'll discover it's fraudulent.
Much of the effort falls on end-users, as attackers prey on the average person's lack of awareness of the dangers.
What Should Users Do?
Think Twice Before You Click
Many people mindlessly browse through their emails, clicking links without even properly reading the message. One frequently cited industry statistic is that around 30% of phishing emails make it past IT security and the checks your email client provides. So a cunningly crafted mail may find its way to your inbox rather than the spam folder. You should always assess the content carefully before clicking any embedded link.
Further down, we will discuss how you can recognize a phishing email.
Check the Site's Security Certificate
Before taking any action on an email, check that the URL is legitimate and that it begins with "https://", with a closed lock icon in the address bar. If either is missing, avoid the site. The lock alone is not proof of legitimacy, however: certificates are free, and most phishing sites today are served over HTTPS. The lock only tells you the connection to that domain is encrypted, so the domain name itself is what you must read carefully.
Update Your Browser
Browser updates aren't a waste of time and data. Many of them are security releases that patch vulnerabilities in the browser itself, and those vulnerabilities are exactly what a malicious page linked from a phishing email can exploit to gain a foothold on your system. So do not hesitate to download and install updates whenever they are available.
Check Your Online Accounts Often
It may be difficult considering the number of online platforms available nowadays, but endeavor to check in on your accounts as often as possible. An account left unattended for too long is an easy target, because a takeover goes unnoticed. Use a unique password on every site, ideally generated and stored by a password manager, and change a password promptly after any suspected compromise.
Finally, get in the habit of checking your account statements regularly. We've already established that even bank-level security isn't completely immune to phishing scams.
Beware of Pop-Ups
They are quite annoying already, but these days pop-ups have become a medium for perpetrating phishing attacks. If you already use a pop-up blocker, you are on the right track. If one still makes it onto your screen, do not interact with its contents; be aware that the "x" or "Close" button may itself be part of the lure image, so the safest move is to close the whole browser tab or window rather than clicking inside the pop-up.
Get Your Firewall Up
Firewalls are a barrier between your computer and third-party intruders. Using a combination of desktop and network firewalls will give hackers a tough time penetrating your system or network.
Use Antivirus Software
While firewalls control which network connections are allowed in and out, antivirus software inspects the files that arrive through those connections, as email attachments, and as downloads. It is highly recommended to install an antivirus on all your devices: the software carries signatures and behavioral rules for the malware families that phishing campaigns are known to deliver.
Customize Your Browser with Anti-Phishing Toolbars
Anti-phishing toolbars are designed to run quick checks on the sites you open. They compare each site against lists of known phishing sites and alert you right away on a match. You can install one in your browser to double up on security, and they are typically free of charge. Note that modern browsers already ship with this protection built in (Google Safe Browsing in Chrome and Firefox, Microsoft Defender SmartScreen in Edge); make sure it is switched on before adding a third-party toolbar, and only install extensions from a reputable publisher, since extensions themselves have been used to deliver malware.
Avoid Using Public Networks
It is generally advised not to carry out sensitive online transactions over public networks. The Wi-Fi itself is usually unencrypted or shares one password with everyone, so anyone on the network can observe your traffic; only the connections that use TLS (HTTPS, and modern mail clients) remain protected. If an evil twin (a rogue access point imitating the legitimate one) is in play, the attacker can also redirect you to fake login pages and capture passwords and any saved financial details. It's safer to use your mobile network when you are out of range of a trusted Wi-Fi. If you must use a public network, a VPN encrypts all of your traffic to the VPN endpoint and keeps it out of reach of others on the local network.
Delete the Email Once Detected
Phishing emails that haven't been filtered into your spam folder should be deleted from your inbox immediately. It is advisable to delete the mail without opening it: rendering the HTML body can load remote content that confirms to the sender that your address is live, and rendering bugs in mail clients have historically been exploited just by viewing a message. Better still, use your mail client's "Report phishing" function before deleting, so the message is filtered for everyone else.
Block the Sender
Blocking the sender is a good way to stop receiving that particular fraudulent alert. If your provider offers this feature, you can add the sender's address or domain to a blocked list. That way, you don't accidentally stumble upon such emails and make the mistake of clicking on them. Bear in mind that attackers rotate sender addresses and domains constantly, so blocking is a convenience rather than a defense; reporting the message to your IT team or provider does more good.
How to Spot A Phishing Attack?
The unfortunate truth about phishing emails is that people already know what they are and that they exist. Yet, many still fall victim. It's hard to blame the victim since these cybercriminals are becoming increasingly sophisticated. With innovative technology, bogus emails can look more legit than the original ones.
Nonetheless, a fake is always a fake, and there are subtle hints that point to the scammy nature of a fraudulent email.
Request for Sensitive Information
It's normal for you to be wary about disclosing your personal information, even when the request is from an organization you are familiar with.
Most times, a legitimate company won't send an unsolicited email asking you for your passwords, bank card details, or social security numbers. They also won't send you a separate link to log in with.
If you're uneasy about it, it's safe to assume it's a scam.
Generic Salutations
"Dear customer," "Dear valued member," "Dear account holder," etc., are common salutations that should hint at a scammer lurking in the corner. Since email phishing scams are usually directed at the whole user base of an app or website, the phisher has to address the targets generically.
A legitimate company will address you by your name in matters that concern your account. Sometimes, the email is missing a salutation altogether, which is a strong sign that something is off. This leads to the next point: writing errors.
Writing Errors
Bad grammar, punctuation errors, spelling errors, and omissions are almost non-existent in authentic corporate emails, whereas they are commonplace in email scams.
These inconsistencies often arise when sentences are copied and pasted together or machine-translated. Since such campaigns are aimed at the less observant reader, the attackers usually care little about fixing these errors.
Domain Email Alterations
Another tell-tale sign in phishing emails is the domain name of the sender. When the impersonated company has SPF, DKIM, and DMARC in place, the attacker cannot deliver mail from the real domain and can only mimic it: for instance, Stephanie@ebay.net instead of Stephanie@ebay.com, or a subdomain such as ebay.com.account-verify.net where the real domain is account-verify.net. Where those records are missing, the From address can be forged outright, so the sender address alone is never conclusive.
Many mail clients show only the display name and hide the full address, so this error is easy to miss if you don't expand and read the sender's address closely.
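The lookalike check above can be automated. The following Python script is an added example, not code from the original article or from any named vendor: it extracts the sender's domain from a From: header, compares it against a constructed allow-list of trusted domains, and flags addresses that embed a trusted brand name under an unrelated registrable domain (ebay.net, ebay.com.account-verify.net) or that differ from a trusted domain only by a common character substitution or a single typo (paypa1.com, rnicrosoft.com). The allow-list, the confusables table, and the two-label "registrable domain" rule are simplifying assumptions; a production tool would use the Public Suffix List and the Unicode confusables data.

```python
from email.utils import parseaddr

# Constructed allow-list of domains this mailbox legitimately receives mail from
# (assumption: in practice this comes from your address book or mail gateway).
TRUSTED_DOMAINS = {"ebay.com", "paypal.com", "microsoft.com"}

# Hand-picked substitutions seen in typo/homoglyph domains (assumption: a real
# tool would use the Unicode confusables list and decode punycode "xn--" labels).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Undo common lookalike substitutions so 'paypa1.com' compares as 'paypal.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 between two short domains is a strong lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels, e.g. 'account-verify.net' from 'ebay.com.account-verify.net'.

    Assumption: suffixes like '.co.uk' are not handled; use the Public Suffix List for that.
    """
    return ".".join(domain.split(".")[-2:])


def check_sender(from_header: str) -> tuple:
    """Return (verdict, reason) for a From: header value.

    verdict is 'ok' (exact trusted domain), 'lookalike' (resembles or embeds a
    trusted brand but is not it), 'unknown' (unrelated domain) or 'invalid'.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", "no address found in %r" % from_header)
    domain = addr.rsplit("@", 1)[1].lower().strip()
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return ("ok", reg)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # Brand name used as a subdomain, inside an unrelated domain, or with a
        # swapped TLD: ebay.net, ebay.com.account-verify.net, paypal-secure.com
        if brand in domain:
            return ("lookalike", "%s uses the %s name but registers as %s" % (domain, brand, reg))
        # Character swaps that normalization undoes, or single-edit typos: paypa1.com, ebey.com
        norm = normalize(reg)
        if norm == trusted or levenshtein(norm, trusted) <= 1:
            return ("lookalike", "%s resembles %s" % (domain, trusted))
    return ("unknown", reg)


if __name__ == "__main__":
    for hdr in ("Stephanie <Stephanie@ebay.net>", "security@ebay.com.account-verify.net",
                "service@paypa1.com", "billing@rnicrosoft.com", "alice@example.org"):
        print(hdr, "->", check_sender(hdr))
```

The brand-embedding rule deliberately fires on any domain that contains a trusted brand name, including some legitimate third-party services; treat a "lookalike" verdict as a reason to verify through official channels, not as proof of fraud.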
Links Conflicting with URLs
Another way to spot a malicious email is through its embedded links. A malicious link doesn't send you to the destination it claims to, which means there is a disparity between the visible anchor text and the hyperlink's actual URL.
Simply hover the mouse over the link to view the real URL without clicking (on a phone, long-press the link). If the URL doesn't match the link text or the content of the email, chances are a scam is in progress.
URLs that start with http:// rather than https:// are also a sign that something is off, so it's best not to trust them. The reverse does not hold: an https:// link can just as easily point at a phishing site, so always read the domain, not just the scheme.
Hyperlink Email Message
If you've ever opened an email whose entire body is one big hyperlink, it would appear as if the sender were practically forcing you to visit their website. In such a message, touching anywhere on the screen, intentionally or by mistake, sends you to the attacker's page.
A legitimate company would never push you to its website in such a manner. So you'd do well to carefully close the page and send that email to the bin.
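The two link checks just described (anchor text that disagrees with its href, and a message body that is one large anchor) can be run over an HTML mail body programmatically. The following Python script is an added example and not part of the original article or any vendor's product; it uses only the standard library. The sample mail bodies are constructed for the demonstration, and the two-label "registrable domain" rule and the 80% body-coverage threshold are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for each <a> plus all visible body text."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self.body_text = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        self.body_text.append(data)
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host name (assumption: no Public Suffix List handling)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(url_or_text: str) -> str:
    """Host part of a URL; bare text like 'www.ebay.com/signin' gets a scheme so urlparse can split it."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


# Anchor text that a reader would take for a web address.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def analyze_links(html: str) -> list:
    """Return a list of (finding, detail) tuples for an HTML mail body."""
    p = AnchorCollector()
    p.feed(html)
    findings = []
    total = len("".join(p.body_text).strip())
    for href, text in p.anchors:
        scheme = urlparse(href).scheme.lower()
        if scheme == "http":
            findings.append(("no-https", href))
        elif scheme not in ("https", "", "mailto"):
            findings.append(("odd-scheme", href))  # javascript:, data:, file: ...
        # Visible text that looks like a URL but whose domain differs from the real target
        if LOOKS_LIKE_URL.match(text) and registrable(host_of(text)) != registrable(host_of(href)):
            findings.append(("text-href-mismatch", "%s -> %s" % (text, href)))
        # One anchor wrapping (almost) the whole message: the "click anywhere" lure
        if total and len(text) >= 0.8 * total:
            findings.append(("body-is-link", href))
    return findings


# Constructed sample bodies (not real mail).
SAMPLE_PHISH = """<html><body>
<p>Dear customer,</p>
<p>Your account has been limited. Visit
<a href="http://ebay.com.account-verify.net/login">https://www.ebay.com/signin</a>
within 24 hours to restore access.</p>
<p><a href="https://www.ebay.com/help">Help center</a></p>
</body></html>"""

SAMPLE_WHOLE_BODY = """<html><body><a href="https://invoice-portal.example/open">
<p>Your invoice is ready.</p><p>Open it now.</p></a></body></html>"""

SAMPLE_LEGIT = """<p>Thanks for your order. You can track it at
<a href="https://www.ebay.com/help">www.ebay.com/help</a> at any time.</p>"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("whole-body", SAMPLE_WHOLE_BODY), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_links(body))
```

Anchor text such as "Click here" is not compared, because it makes no claim about the destination; the mismatch rule fires only when the visible text itself looks like an address and would mislead the reader about where the link goes.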
Brand Inconsistencies
When that Costco logo is missing a line or two, or the bright blue ink looks a bit washed out, these aren't mere mistakes. Rather, they're signs of a subpar imitation by an attacker who's pressed for time. When receiving emails from a company you are familiar with, check that the brand logo and colors are identical to what you're used to. It's highly unlikely that the company would rebrand without letting you know.
Emails Eliciting Heightened Emotions
A common trick among scammers is emails offering large financial rewards. A popular scam is where you are notified of winning the lottery when you've never even bought a ticket before. The attackers leverage the feeling of excitement you get on hearing such news. Carried away, you end up taking the bait. Messages that trigger heightened emotions of happiness, pity, fear, etc., are strong indicators of a scam. So don't let your guard down, but be wary of such emails.
Unsolicited Attachments
Businesses don't randomly send people emails with unsolicited attachments. They will usually direct you to their website to download any files or documents. Be especially wary of attachments that ask you to "enable content" or "enable macros" when opened; that prompt is how a document delivers malware.
These tips for spotting a phishing attempt aren't foolproof. Legit companies aren't incapable of making writing errors, and an organization with your email may send you white papers with downloadable attachments. There may also be a genuine need to request your personal information.
However, according to research by Avanan, 1 in every 99 emails is a phishing scam, and 2 out of 3 phishing emails involve a malicious link or embedded malware. So, if an email arouses suspicion, it is best to avoid it.
When in doubt, you could also contact the company directly with information available on their actual website.
In A Nutshell
Businesses and financial organizations in particular are prime targets for phishing. They store large amounts of customer data as well as access to financial information. There isn't a way to eradicate this threat; phishing is a constant, but the important thing is not to take the bait.
For companies, understanding how the attack unfolds, from the lure to the credential theft or malware installation, is essential to limiting its impact and preventing it altogether.
A combination of user awareness and strong technical controls is paramount. Since people inevitably make mistakes, awareness must be backed by controls that do not depend on any one user's attention.