Phishing emails have been around for decades, but they still present a very real security threat. Over the years, attackers have been adapting their methods to find loopholes in employee training and to impersonate the latest companies and software solutions. Phishing emails are one of the most popular forms of enterprise attack, and research suggests 1 in 3 employees are likely to click the links in them. These links commonly lead to ransomware, keyloggers, crypto miners, and forms designed to steal information. More concerning still is the rise in spearphishing – highly targeted phishing attempts that utilize existing stolen credentials and information.
Thankfully, there are several things organizations can do to mitigate that worry. This guide won’t tell you how to stop phishing emails entirely, because that’s nearly impossible. Instead, Virtuworks advocates a multi-tiered approach to reduce both the volume and success of such attacks.
Major security and policy elements to consider:
Email Gateways – Block Phishing Emails
An email gateway stands between the sender and your employee’s inbox, blocking, categorizing, or flagging phishing emails before they reach them. Solutions like Mimecast, Barracuda, and Forcepoint block malware-infested attachments. They can also prevent sensitive information from being sent out and filter out known phishers and spammers.
Modern email gateways are also getting very good at spotting impersonation emails. By checking factors like sender name, email address, and how recent the domain is, they automatically flag suspicious senders even if they’re very convincing.
With impersonation attacks so common, it’s also important organizations don’t overlook the security of their domain. The registrar account should be just as secure as anything else in the ecosystem, with a strong password, a PIN where possible, and multi-factor authentication.
To further cut down on impersonation attempts, it may be worth registering the most common top-level domains and misspellings. It’s also a good idea to implement security protocols like DMARC and SPF, which we’ll cover in more detail in the future.
Disable Email Forwarding
The majority of attacks start with bots, which brute force their way into an email account and automatically set up an email forwarding rule. This allows every email to be redirected to the attacker and is often combined with a deletion rule so the intended receiver is left unaware.
Microsoft 365 lets admins globally disable automatic forwarding to cut out this type of behavior. Though it doesn’t prevent an attacker from gaining access in the first place, it does limit their ability to act.
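The following is an added example, not code from the Virtuworks article: it audits existing forwarding rules in Exchange Online (including the deletion behaviour described above) and then disables automatic external forwarding tenant-wide. It assumes the ExchangeOnlineManagement module is installed and the account used has Exchange administrator rights.

```powershell
# Added example: audit and disable automatic forwarding in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds an Exchange admin role.
Connect-ExchangeOnline

# 1. Find inbox rules that forward or redirect mail, and note whether the same
#    rule also deletes the message (the pattern attackers use to hide the theft).
$forwardingRules = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
                      RedirectTo, DeleteMessage
}
$forwardingRules | Format-Table -AutoSize

# 2. Mailbox-level forwarding set directly on the mailbox (not via an inbox rule).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# 3. Block automatic forwarding to external domains for the whole tenant.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Verify the settings took effect.
Get-HostedOutboundSpamFilterPolicy -Identity Default | Select-Object AutoForwardingMode
Get-RemoteDomain -Identity Default | Select-Object AutoForwardEnabled
```

Review any rule returned in step 1 with a forwarding target outside your domain before removing it, since some may be legitimate; the tenant-wide setting in step 3 stops external auto-forwarding regardless.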
Secure your Email Accounts
To prevent an initial compromise, email accounts must be properly secured. As mentioned previously, automated brute-force attempts are prevalent. Usually, attackers use a so-called “dictionary attack” – they try thousands of known words, numbers, and phrases until they get a match.
As a result, a robust password policy is essential. Passwords that include the names of children, pets, or dates should be discounted immediately. Ideally, they will be at least 8-12 characters in length, contain special characters, capital letters, and numbers, and expire every 80 to 120 days. Using a different password from the ones used on other internet-facing services is also advised.
If a password is guessed or extracted via other means, multi-factor authentication provides another barrier to entry. Microsoft offers authentication via text, phone call, hardware token, FIDO2 keys, Windows Hello, and its Microsoft Authenticator app. Using one or several of these means every configured authentication method must be compromised for an attacker to gain access.
Adopt a “Caution Over Comfort” Culture
A shocking number of enterprise employees still open and click links in phishing emails. As a result, security can be greatly increased by proper training and internal culture. One attitude a lot of companies have been adopting recently is a “caution over comfort” mentality.
Employees should consider this motto before they interact with any email that makes them feel uneasy. If there’s even a sliver of doubt, reach out to the company or employee directly via a different communication channel, even if it’s inconvenient.
To foster a gut feeling when it comes to suspicious emails, employees still need traditional training. Regular courses on the latest attack techniques will increase the strength of the “human firewall” a hacker needs to get past to breach successfully.
Develop a Strict Transaction Policy
Organizations may also want to create stricter policies when it comes to internal and external transactions. A common attack technique involves a hacker spying on an email inbox until they see a transaction, then providing their fraudulent bank details instead of the recipient’s.
This type of approach can be difficult to defend against with software alone. After all, in many cases, it is the recipient who has been compromised rather than you.
It’s a good idea, then, to validate each transaction by asking specific questions via a secondary communication method. Picking up the phone and verifying the amount, account details, and value of a previous transaction is often a good start.
Phishing Emails Will Continue
You won’t stop every phishing email attempt. In fact, thinking that way is quite dangerous – it implies the lack of a robust breach policy and a misunderstanding of the risks. That said, a multi-pronged approach that includes the right software, internal culture, and email security tweaks can drastically reduce the success rate and save money in the long run.
While managing all these aspects can be complex, partnering with an MSP like VirtuWorks shifts the load from you to our experts. Get in touch today to see how we can help you.