Phishing, in which an attacker sends a deceptive email that tricks the recipient into giving up information or downloading a file, is a decades-old practice that is still responsible for innumerable IT headaches. Phishing is the first step in all kinds of attacks, from stealing passwords to installing malware that provides a backdoor into a corporate network.
The fight against phishing is a frustrating one, and it falls squarely onto IT's shoulders.
We spoke to a wide range of pros to find out what tools, policies, and best practices can help organizations and individuals stop phishing attacks, or at least mitigate their effects. Following are their recommendations for preventing phishing attacks.
1. Don’t respond to emotional triggers
Armond Caglar, a principal consultant with the cyber data science firm Cybeta, says that users must understand the psychology behind phishing emails in order to resist them. "The most common and successful phishing emails are usually designed with bait containing psychological triggers that encourage the user to act quickly, usually out of a perceived fear of missing out," he explains. "This can include emails purporting to be from parcel companies indicating a missed delivery attempt, unclaimed prizes, or important changes to various corporate policies from an HR department. Other lures can include triggers designed to encourage a user to act out of a sense of moral obligation, greed, and ignorance, including those capitalizing on current events and tragedies."
He adds that "in terms of how to recognize and avoid being scammed from phishing, it is important for the user to ask themselves, 'am I being pushed to act quickly?' or 'Am I being manipulated?'"
The antidote to this sort of induced anxiety is to remember that you can always step back and take a breath. "If an e-mail already looks weird, and it’s pushing you to do something (or increasing your blood pressure), chances are, it’s a phishing e-mail," says Dave Courbanou, an IT technician at Intelligent Product Solutions. "It’s fast and easy for an IT colleague or professional to check an e-mail for you. Cleaning up after a successful phish could take days, weeks, or months, depending on what was at stake, so do not hesitate to ask your IT contacts to check any e-mail for you for any reason."
2. Establish policies and procedures for emergency requests
Often, phishers will play on your emotions by presenting their request as an emergency within your company, in the hope that you'll transfer funds to them or give up credentials. Paul Haverstock, VP of Engineering at Cloudways, says that to combat this, your company should set clear emergency procedures. "When employees believe they’ve received urgent demands from their employers, they can feel intensely pressured to act immediately," he explains. "Corporations need to make it absolutely clear why and when they might reach out to workers with emergency requests, explaining how they can verify legitimacy. And they need to stress which requests they’ll never make, such as demanding immediate bank transfers without using standard payment processes."
In fact, your internal processes should all be aligned around making sure a phishing attempt can't cause too much trouble. "Any request for sensitive information, including passwords, must be confirmed via a different medium," says Scott Lieberman, who served as an IT instructor focusing on network security at Sinclair Community College in Dayton, OH. "If you get an email from your supervisor asking for the password to the backend of the company website, go on Slack or Microsoft Teams—or pick up the phone to call your supervisor—to ask about it."
"A major step in prevention that enterprises can take is to put basic policies in place around sharing sensitive data," adds Larry Chinski, One Identity's VP of Global IAM Strategy. "This can be as simple as ensuring that only a small group of employees are informed of financial information and login credentials, which can minimize the chance of human error. You can ensure even more security by creating an analytic hierarchy process for when highly sensitive data is requested. This will allow a longer approval time and provide a deeper review of suspicious requests."
Going one step further, Jacob Ansari, Security Advocate and Emerging Cyber Trends Analyst for Schellman, a global independent security and privacy compliance assessor, says companies can work to make their internal communications unphishable. "The most important thing you can do is to make legitimate business processes not look like phishing attempts," he explains. "Instead of sending a link in an email for employees to click, give directions to log in to a corporate intranet. Company leadership should stop attaching Office documents via email and instead place documents in appropriate file repositories and communicate those to employees. Links and attachments are the primary vehicles for phishing attacks; minimizing their legitimate use cuts down the thicket in which phishing attacks can hide."
3. Train and test staff to spot phishing emails
Many if not most of your employees probably believe they can spot a phishing email already, though they may be overconfident. "We have all heard the basic things to look for, like not addressing you by name or poor grammar in the body of an email," says Michael Schenck, senior cybersecurity consultant at CyZen. "Unfortunately, we’ve seen hackers accelerate the use of language with some powered by natural language AI bots."
Keeping staff on the cutting edge means continually educating them—and testing the extent of their knowledge. "Engage a third party testing firm to work with you to customize phishing attacks," suggests Mieng Lim, VP of Product Management at Digital Defense by HelpSystems. "Customized attacks will typically utilize a variety of tools and can be carried out in a 'low and slow' manner so as to be as covert in nature as possible in order to truly determine your team’s ability to thwart a sophisticated attack."
If you'd rather keep things in-house, Andreas Grant, Network Security Engineer and Founder of Networks Hardware, recommends open-source phishing frameworks like Gophish that can help organize tests. "I introduced a reward system for people who can flag these scams," he explains. "By gamifying the system, it keeps everyone on their toes while making things fun at the same time. It also keeps the conversation running so it's a win-win from both the perspective of the user and the IT department. You also get an idea of how far people fell for these scams when you run these tests, so you can use that data to pinpoint the weak spots and focus on those specific parts in trainings."
Training should also be tailored for particular audiences. "Security teams can educate specific business units on the phishing campaigns that might target them," says Jonathan Hencinski, VP of Security Operations at Expel. "For example, developers may see AWS-themed campaigns, while recruiters may see resume-themed phishing lures."
4. Encourage users to report phishing emails
A reward system for spotting phishing can carry over beyond testing and into real-world scenarios, says David Joao Vieira Carvalho, CEO and Chief Scientist at cybersecurity mesh network maker Naoris Protocol. Carvalho suggests creating an internal reporting system for potential phishing scams. If the IT security team positively IDs the email as a phishing attempt, they circulate information about it and put the reporter in a pool for a $1,000 monthly raffle. "You now have a workforce that is going out of their way to protect your business," he says. "Millions of dollars in risk have been mitigated for $12,000 a year—a fraction of your cyber risk mitigation budget—by changing the process from fear-based to bounty-based, something that works very well for risk aware corporate spaces already."
In terms of motivations, carrots work much better than sticks. "Never ostracize or punish a user who has fallen prey," says Josh Smith, Cyber Threat Analyst at Nuspire. "They are a victim in the situation, as these malicious emails are designed to prey on human emotions."
And if you expect people to report emails, you should make that simple, says Cyril Noel-Tagoe, Principal Security Researcher at Netacea. "Cumbersome reporting processes—for example, attaching a copy of the suspicious email to a new email and sending it to IT—should be replaced with user friendly alternatives, such as a reporting button integrated into the email client," he says. "This will help to promote a culture that normalizes reporting suspicious emails."
5. Monitor the dark web for company credentials
"Monitoring the dark web should be a core part of any organization's strategy to prevent phishing attacks before they hit employees' inboxes, as many phishing operations begin with company credentials that have been leaked or sold on dark web marketplaces or forums," explains Dr Gareth Owenson, CTO of Searchlight Security. "Continuous monitoring for the company's name and corporate email addresses could alert companies to the fact they are being discussed and are about to be targeted by a phishing campaign, while the criminals are in the reconnaissance phase."
The dark web may hold more than just chatter, as this shadowy realm often serves as a marketplace for stolen credentials. "Leaked passwords along with email addresses could also alert them to the risk of business email compromise attacks, a particularly tricky type of phishing where criminals exploit employees by sending them emails from legitimate, hacked accounts," Owenson explains. "The knowledge that passwords have been compromised allows organizations to enforce password updates for the affected individuals."
6. Know what types of information make you a target
Everyone should be aware of potential phishing dangers, of course, but new employees in particular need to be on guard, says Schellman's Ansari. "Phishers look for updates on LinkedIn or the like and then target those people, thinking them the most vulnerable," he explains. "Warn them about these potential attacks, and that attempts may target their personal email addresses or come as SMS messages instead."
Another group within the company that needs to be on constant guard: the inhabitants of the C suite. "There’s an emergence of whaling attacks lately, which target high-value individuals," says Ricardo Villadiego, Founder and CEO of security testing firm Lumu. "Senior leaders need to create new protocols on data privacy. Executives and senior-level employees should be encouraged to use privacy restrictions on social media. They should make sure to scrub or minimize personal information from public profiles as best they can, avoiding easy informational cues like birthdays and regular locations that can be leveraged in attacks."
Overall, transparency can be a virtue, but companies should be aware that any information they put online can be used by these sorts of scammers masquerading as employees or knowledgeable insiders. "Review the publicly-available information that may be leveraged in an attack against your business," urges Adam King, Director at Sentrium, a company that offers cyber security assessment and penetration testing. "Check your website, social media, and even employee profiles. Do your job adverts contain specifics about the technologies used by your organization?"
We've talked a lot about email, but it's worth keeping in mind that business communication channels are proliferating rapidly, that phishers can use any of them, and that both users and IT need to be aware of this. "Business communication environments are increasingly complex as they now include chat, collaboration, email, and social," says Chris Lehman, CEO of SafeGuard Cyber. "Threat actors know this complexity is a challenge to security teams and they are taking advantage of it. Today’s phishing attacks are just as likely to originate in social media or a messaging app as they are in email. You should evaluate the business use for all communication channels, by department. Understand how the channel is used, what data passes through it, and how it’s provisioned. For example, does Marketing use a Slack workspace to connect to partners and vendors?"
7. Use the right tools and technologies to prevent phishing
Of course, the ideal would be that your users never receive phishing emails at all. While that's an impossible goal, you can cut down on the numbers, says Dave Hatter, director of business growth at managed IT services provider Intrust IT. "Use a good email pre-filtering solution—one that works before spam hits the mail server," he suggests, recommending the list from Gartner as a starting point. For those who use Microsoft 365, he recommends Microsoft 365 Advanced Threat Protection to provide additional filtering.
Implementing multi-factor authentication (MFA) should be a given: it stops a phisher who has tricked someone into giving up a username and password from using them to log into corporate networks. One caveat: MFA based on one-time codes or push approvals can still be defeated by phishing kits that proxy the real login page and relay the second factor in real time, so for the accounts that matter most, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the credential to the legitimate site's origin. Ray Canzanese, Threat Research Director at Netskope, suggests other tools that extend this protection. "Single sign-on (SSO) means that you only have to enable MFA in one place and enforce it for all of your services," he says. "A Secure Web Gateway (SWG) can block phishing pages, using a combination of threat intelligence, signatures, heuristics, and even machine learning to identify and block phishing pages in real-time. You can configure your SWG to prevent users from submitting credentials to unknown places. If you are using SSO, that SSO portal is likely the only place your users should be entering their credentials, so you should configure a policy that prevents credentials from being entered elsewhere."
A password manager can also be useful here. Not only does it stop employees from reusing passwords, it also stores each credential against the exact origin of the site it was saved for, so on a lookalike phishing page it will not offer to autofill the way it does on the real login page. A manager that stays silent on what looks like a familiar login page is itself a warning sign.
Tools also exist to thoroughly sanitize emails before they arrive in user inboxes and should be used, says Benny Czarny, Founder and CEO of cybersecurity firm OPSWAT. "Use multiscanning technology to scan and analyze all files downloaded to the organization network," he advises. "No single antivirus engine can detect 100% of threats at all times. By using multiple antivirus engines to scan emails, organizations can increase their chances that a new threat is quickly detected and mitigated. For unknown files, sandbox dynamic scanning can detect malicious behavior. And a Content Disarm and Reconstruction solution, also known as data sanitization, breaks down and completely rebuilds potentially dangerous files, stripping unsecure objects in the process while preserving usability."
If you want to get really serious about neutering phishing emails, Jon DiMaggio, Chief Security Strategist at Analyst1, has a potentially unpopular suggestion: only allow plain text email, and restrict attachment types to block non-business essential extensions. "There is rarely a need to email an executable or a RAR file," he explains. "And plain text email removes the ability for a user to click on a malicious link, or for a script to run when the email is opened and mediates many other tactics used in phishing attacks."
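The plain-text-plus-allowlist policy DiMaggio describes is straightforward to enforce at a mail gateway. The following is an added example written for this article, not code from the article or from any vendor: it flattens an HTML body to text (exposing each link's real target next to its visible text, which is exactly what HTML lets a phisher hide), drops attachments whose extension is not on an assumed allowlist, and also drops files whose leading bytes identify an executable or archive regardless of what they are named. The allowed extensions, the magic-byte table and the sample message are all assumed or constructed.

```python
"""Plain-text body plus attachment allowlist. Added illustration, not code from
the article or any product; the allowed extensions, magic bytes and the sample
message are assumed/constructed."""
import re
import email
from email import policy
from email.message import EmailMessage

ALLOWED_EXTENSIONS = {"pdf", "txt", "csv"}          # assumed business-essential types
DANGEROUS_MAGIC = {                                  # checked regardless of the file name
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"Rar!\x1a\x07": "RAR archive",
    b"PK\x03\x04": "ZIP archive (also Office OOXML)",
}


def html_to_text(html: str) -> str:
    """Flatten HTML to text, printing each link's real target beside its visible text."""
    text = re.sub(r"<(script|style)\b.*?</\1>", "", html, flags=re.S | re.I)
    text = re.sub(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', r"\2 [\1]", text, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def attachment_problem(filename: str, data: bytes):
    """Return a reason to drop the attachment, or None if it is allowed."""
    for magic, kind in DANGEROUS_MAGIC.items():
        if data.startswith(magic):
            return f"content is a {kind}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension .{ext or '(none)'} not on allowlist"
    return None


def sanitize(raw: bytes) -> dict:
    """Reduce a MIME message to a plain-text body and an allowlisted set of attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain, html, kept, dropped = None, None, [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_disposition() == "attachment" or filename:
            filename = filename or "(unnamed)"
            reason = attachment_problem(filename, part.get_payload(decode=True) or b"")
            if reason:
                dropped.append((filename, reason))
            else:
                kept.append(filename)
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain" and plain is None:
            plain = part.get_content().strip()
        elif ctype == "text/html" and html is None:
            html = html_to_text(part.get_content())
    # Prefer the sender's own text/plain part; otherwise use the flattened HTML.
    return {"body": plain if plain is not None else (html or ""), "kept": kept, "dropped": dropped}


def build_sample() -> bytes:
    """Constructed message: HTML-only body with a deceptive link and four attachments."""
    m = EmailMessage()
    m["From"] = "it-helpdesk@example.com"     # placeholder addresses
    m["To"] = "user@example.com"
    m["Subject"] = "Password expiry notice"
    m.set_content(
        "<html><body><p>Your password expires today.</p>"
        '<a href="http://example.invalid/reset">https://intranet.example.com/reset</a>'
        "</body></html>", subtype="html")
    m.add_attachment(b"%PDF-1.4 (constructed stub)", maintype="application", subtype="pdf", filename="policy.pdf")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application", subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16, maintype="application", subtype="octet-stream", filename="archive.rar")
    m.add_attachment(b"not really a document", maintype="application", subtype="octet-stream", filename="macro.docm")
    return m.as_bytes()


if __name__ == "__main__":
    print(sanitize(build_sample()))
```

In the sample, the anchor text claims to point at the intranet while the href goes elsewhere; after flattening, the user sees both. The renamed executable is caught by its `MZ` header even though it is called `invoice.pdf`, which is why the magic-byte check runs before the extension check.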
8. Make legitimate emails easier to identify
If you have policies and tools in place that make it easier for employees to recognize phishing messages, you're ahead of the game. "Mark emails not sent from the company domain as 'External,'" says Tony Anscombe, chief security evangelist for ESET. "This is a visual warning for the user to be more vigilant, and is an easy win for the corporate IT team." This is particularly helpful when the emails come from lookalike typosquatting domains and may look at first glance like internal messages.
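Two of the checks above, the password manager's refusal to autofill on a lookalike page and the "External" tag for mail from outside the company domain, come down to comparing a domain or origin against a known-good one. The following is an added example, not code from the article or from any mail or password-manager product: `classify_sender` labels a From: address as internal, external, or an external lookalike of an assumed internal domain (catching digit and letter substitutions, `rn` for `m`, Unicode confusables and punycode, and the internal domain embedded in a longer name), and `autofill_allowed` is the exact-origin rule a password manager applies. The internal domain, the confusable table and the sample addresses are all assumptions.

```python
"""Sender classification for an 'External' banner, plus the origin check a password
manager applies before autofilling. Added illustration, not the article's or any
vendor's code; the internal domain and sample addresses are assumed."""
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

INTERNAL_DOMAINS = {"example.com"}     # assumed; subdomains count as internal

# Characters that commonly stand in for ASCII letters in lookalike domains (partial list).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "\u0131": "i",                 # digits, dotless i
    "\u0430": "a", "\u0435": "e", "\u043e": "o",       # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c",                      # Cyrillic p, c
    "\u03bf": "o", "\u03bd": "v",                      # Greek omicron, nu
})


def skeleton(domain: str) -> str:
    """Canonical form for comparison: lower-case, IDNA-decoded, accents stripped,
    confusable characters and digraphs mapped to the letters they imitate."""
    domain = domain.lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--... labels to Unicode
    except (UnicodeError, ValueError):
        pass                                             # already Unicode or malformed
    decomposed = unicodedata.normalize("NFKD", domain)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution, insertion or deletion counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str) -> str:
    """'internal', 'external' or 'external-lookalike' for a From: header value."""
    _, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "external"
    if any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS):
        return "internal"
    sk = skeleton(domain)
    for d in INTERNAL_DOMAINS:
        ref = skeleton(d)
        # Embedded (example.com.evil.net) or within one edit after normalisation.
        if ref in sk or levenshtein(sk, ref) <= 1:
            return "external-lookalike"
    return "external"


def autofill_allowed(saved_origin: str, page_url: str) -> bool:
    """Password-manager rule: fill only when scheme, host and port all match the saved origin."""
    def origin(url):
        u = urlsplit(url)
        port = u.port or {"https": 443, "http": 80}.get(u.scheme.lower())
        return (u.scheme.lower(), (u.hostname or "").lower(), port)
    return origin(saved_origin) == origin(page_url)


if __name__ == "__main__":
    for sender in ("Alice <alice@corp.example.com>", "IT Helpdesk <it@exarnple.com>",
                   "it@xn--exmple-cua.com", "it@example.com.security-check.net", "vendor@supplier.net"):
        print(f"{sender:45} -> {classify_sender(sender)}")
    print(autofill_allowed("https://sso.example.com", "https://sso.example.com.evil-login.net/"))
```

The two functions make the same point from opposite sides: the banner logic deliberately matches loosely so that near-misses are flagged, while the autofill logic deliberately matches exactly so that a near-miss gets nothing. Both depend on the registrable domain being compared as a whole; a check that only looks for "example.com" somewhere in the host name would pass `sso.example.com.evil-login.net`.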
Of course, it's much harder for employees to sniff out fake emails if a real address of someone they know shows up in the "From:" field, which a clever hacker can pull off via email spoofing, says Sentrium's King. "Ensure that your Domain Name System (DNS) records are set up correctly to prevent spoofing," he urges.
Kfir Azoulay, Head of Cyber Threat Response at managed security service provider CYREBRO, suggests other DNS-related tools. "Corporate IT departments should implement DNS authentication services such as Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) protocols to determine whether an email sent from a specific domain is legitimate or fraudulent. Implementation can be done anytime, simply and at low cost per domain—from no charge and up to a few dozen dollars per month for the average organization."
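Publishing SPF, DKIM and DMARC records is the easy part; the records also have to say something a receiver can act on. A domain with `+all` in its SPF, `p=none` in its DMARC, or a short DKIM key has done the work without getting the protection. The block below is an added example for this article, not code from the article or any product: it takes the three TXT records a domain publishes and lists the settings that leave spoofed mail deliverable. The two domains and their records are constructed, and the DKIM `p=` values are zero-filled placeholders sized like 1024- and 2048-bit RSA keys, not real keys.

```python
"""Audit of the SPF, DMARC and DKIM records a domain publishes, flagging settings
that leave spoofing unpunished. Added illustration, not code from the article or
any product; the two domains and their records are constructed."""
import base64


def parse_tags(record: str) -> dict:
    """'tag=value; tag=value' (DMARC/DKIM syntax) into a dict with lower-cased tag names."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def needs_lookup(mechanism: str) -> bool:
    """Terms that cost one of the 10 DNS lookups SPF allows (RFC 7208 section 4.6.4)."""
    m = mechanism.lstrip("+-~?")
    return m in ("a", "mx", "ptr") or m.startswith(
        ("include:", "exists:", "redirect=", "a:", "mx:", "a/", "mx/", "ptr:"))


def check_spf(record):
    if record is None:
        return ["SPF: no record; receivers get SPF=none for every sender"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1, so receivers ignore it"]
    findings = []
    mechs = [t.lower() for t in terms[1:]]
    all_term = next((m for m in mechs if m.lstrip("+-~?") == "all"), None)
    if all_term in ("all", "+all"):
        findings.append("SPF: '+all' passes every sender; spoofed mail passes SPF")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral; equivalent to no policy")
    elif all_term == "~all":
        findings.append("SPF: '~all' is softfail; effective only if DMARC acts on it")
    elif all_term is None and not any(m.startswith("redirect=") for m in mechs):
        findings.append("SPF: no 'all' mechanism; unlisted senders evaluate as neutral")
    lookups = sum(1 for m in mechs if needs_lookup(m))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record):
    if record is None:
        return ["DMARC: no record; receivers cannot act on SPF/DKIM failures"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1"]
    findings = []
    p = tags.get("p")
    if p is None:
        findings.append("DMARC: required p= tag missing; record is invalid")
    elif p == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    elif p != "reject":
        findings.append(f"DMARC: unknown policy {p!r}")
    if tags.get("sp", p) == "none" and p not in (None, "none"):
        findings.append("DMARC: sp=none leaves subdomains spoofable")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append(f"DMARC: pct={tags['pct']!r} is not a number")
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def check_dkim(record):
    if record is None:
        return ["DKIM: selector record not published; signatures cannot be verified"]
    tags = parse_tags(record)
    key_b64 = tags.get("p", "").replace(" ", "")
    if not key_b64:
        return ["DKIM: empty p= (key revoked); signed mail fails verification"]
    try:
        der = base64.b64decode(key_b64, validate=True)
    except ValueError:
        return ["DKIM: p= is not valid base64"]
    # SubjectPublicKeyInfo DER is ~162 bytes for RSA-1024 and ~294 for RSA-2048.
    if tags.get("k", "rsa") == "rsa" and len(der) < 270:
        return ["DKIM: RSA key below 2048 bits; RFC 8301 recommends 2048-bit keys"]
    return []


SAMPLE_RECORDS = {   # constructed, not real DNS data; p= values are size placeholders only
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example a mx +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
        "dkim": "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x00" * 162).decode(),
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hardened.example",
        "dkim": "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x00" * 294).decode(),
    },
}


def audit(records: dict) -> list:
    """All findings for one domain; an empty list means nothing to fix."""
    return (check_spf(records.get("spf")) + check_dmarc(records.get("dmarc"))
            + check_dkim(records.get("dkim")))


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(name, audit(recs) or "OK")
```

In production the three inputs come from TXT lookups of `<domain>`, `_dmarc.<domain>` and `<selector>._domainkey.<domain>` (for example with dnspython's `dns.resolver.resolve(name, "TXT")`), and `check_spf` would also need to follow `include:` and `redirect=` recursively, since the 10-lookup limit counts the included records too. The point to keep from the weak example is that every one of its findings is a record that exists and parses: publishing the records is not the same as having a policy.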
Another solution for sniffing out threatening emails is to "integrate the organization's mailing system with an intelligence feed to create a blacklist and prevent receiving emails from a malicious source," says Azoulay. "An email message can then be traced back to see the hops between servers. When the malicious IP matches those on the blacklist, the email should be considered invalid."
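Tracing the hops Azoulay describes has one subtlety worth showing in code: the `Received:` headers at the bottom of the chain were written by whoever sent the message and can say anything, so the IP to compare against the feed is the one your own MTA recorded when the remote server connected to it, not the earliest hop. The following is an added example, not code from the article or any mail product: it parses the `Received:` chain of a constructed message, picks the connecting IP as seen by an assumed set of trusted MTAs, and checks it against a constructed blocklist of IPs and CIDR ranges. The MTA names, network ranges and sample message are all assumptions.

```python
"""Received-chain tracing against a blocklist. Added illustration, not code from
the article or any product; the MTA names, networks and message are constructed."""
import re
import email
import ipaddress
from email import policy

# Constructed values: an intel feed would supply BLOCKLIST, your inventory the rest.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.77/32")]
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]
TRUSTED_MTAS = {"mx1.example.com", "mx2.example.com"}   # hosts whose Received: lines we wrote

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\].*?\bby\s+(?P<by>[\w.-]+)",
    re.S | re.I)


def parse_hops(raw: bytes) -> list:
    """Received: headers newest-first (the order they appear), as helo/ip/by dicts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(header))
        if m:
            hops.append({"helo": m["helo"], "ip": ipaddress.ip_address(m["ip"]),
                         "by": m["by"].lower()})
    return hops


def connecting_ip(hops: list):
    """The first hop (from the top) that one of our MTAs recorded from an address
    outside our own networks. Everything below it was written by untrusted servers
    and may be forged to look like it came from somewhere reputable."""
    for hop in hops:
        if hop["by"] in TRUSTED_MTAS and not any(hop["ip"] in n for n in OWN_NETWORKS):
            return hop["ip"]
    return None


def evaluate(raw: bytes) -> dict:
    hops = parse_hops(raw)
    ip = connecting_ip(hops)
    if ip is None:
        return {"verdict": "unknown", "ip": None, "matched": None, "hops": len(hops)}
    hit = next((str(n) for n in BLOCKLIST if ip in n), None)
    return {"verdict": "reject" if hit else "accept", "ip": str(ip), "matched": hit, "hops": len(hops)}


# Constructed message: the bottom hop claims a clean-looking bank address, but our
# MTA (mx1) actually received it from 198.51.100.23, which is on the blocklist.
SAMPLE_RAW = b"""Received: from mx1.example.com (mx1.example.com [192.0.2.10]) by mail.example.com with ESMTP id A1; Mon, 1 Jan 2024 10:00:02 +0000
Received: from bulk-relay.net (unknown [198.51.100.23]) by mx1.example.com with ESMTP id B2; Mon, 1 Jan 2024 10:00:01 +0000
Received: from mail.bank.example (mail.bank.example [203.0.113.5]) by bulk-relay.net with ESMTP id C3; Mon, 1 Jan 2024 09:59:59 +0000
From: "Bank Support" <support@bank.example>
To: user@example.com
Subject: Verify your account

Click the link to verify your account.
"""

if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_RAW):
        print(f"{hop['helo']:20} [{hop['ip']}] -> {hop['by']}")
    print(evaluate(SAMPLE_RAW))
```

Running it shows three hops; a check that took the earliest hop as the origin would test `203.0.113.5` and accept the message, while the hop recorded by `mx1.example.com` shows the real connecting address inside a blocklisted range. Feeds also change constantly, so rebuild `BLOCKLIST` from the feed on a schedule rather than baking it into code as done here for the example.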
9. Have a plan for responding to a successful phish
While IT may justifiably gripe about clueless employees falling prey to phishing scams, Sean D. Goodwin, Manager of the IT assurance and advisory team at Wolf & Company, P.C., emphasizes that IT must ultimately bear the burden of protecting the company. "End users are not security experts, and you should stop expecting them to be," he says. "The security team is not expected to help the accounting team close the books every month. You're expected to follow the expected processes for submitting business expenses, such as correct notations/comments and getting them submitted on time. The rest is up to accounting. Similarly, IT should expect employees to be familiar with policies and procedures—specifically, how they should contact security. Everything beyond that is the responsibility of the security team."
And even if you follow all the advice in this article, you're likely to be breached eventually—and you need to be prepared for what comes next. "Unfortunately, there are always some employees who will fall for phishing emails, even if IT teams have implemented the best training and prevention money can buy," says Sally Vincent, Senior Threat Research Engineer at LogRhythm. "It is imperative that these teams have a plan in place to respond to users who get phished. Responding to a successful phish is a realistic tabletop exercise that security teams can work through."