How do you protect against phishing attacks?

How do you protect against phishing attacks?

Phishing attempts are so common now that you’d be hard pressed to find an internet user who hasn’t seen one. According to the government’s cyber breaches survey, 86% of businesses experienced a phishing attack in 2020, a rise of 14% since 2017.

This growth has only sped up since the start of the pandemic. HMRC detected a 73% rise in email phishing attacks in the six months since the pandemic began. As far as security researchers can tell, this sudden increase can be linked to the rise of home working and the vulnerable emotional state many targets find themselves in. Criminals have seized the rapid change Covid-19 has brought and will continue to do so until the global cases recede.

Despite this increase, when most of us think of phishing attacks it’s the ones that are easy to spot. Such emails poorly imitate a company in a bid to get you to divulge account or payment information. As you may have noticed, though, phishing attempts are getting more sophisticated.

“Spearphishing” attacks take a step back from the broad net attackers usually cast and highly tailor emails or phone calls to target specific employees. Often, once they have access to a network via a low-level employee, they impersonate them, targeting those with more valuable information.

These types of emails can be difficult for experts to spot, let alone your average user. As a result, preventing successful attacks can be a real challenge for many IT departments. Though some basic training will prevent the bulk of phishing attacks, it does little to prevent high-level imitations.

How to reduce the success rate of phishing attacks

If basic training isn’t enough, what can you do to protect your business against this new wave of attacks? Here are some of our top suggestions:

  1. Strengthen domain security:

With impersonation attacks so common, it’s vital that enterprises have strong domain security. If an attacker manages to get a hold of your registrar account, it becomes infinitely easier for them to pretend to be someone in your organisation. With the right access, they can send an email from a company address and mastermind attacks that are far more successful.

As well as securing your registrar account, you may want to register the most common misspellings of your domain and implement security protocols like DMARC and SPF and DKIM.

  1. Reduce available information:

Holding detailed information about your company on its website may provide reassuring transparency, but it’s also a treasure trove for attackers. Think about what information your consumers or clients need to know and what is just unnecessary fuel for attackers. Is it really important that your customers know who every team member in your company is? Does each of them require a publicly accessible email address, or can inquiries be directed elsewhere?

This extends to the information your employees share on social media. Attackers can use information about recently closed deals, new partners, and more. Ensure you have a clear and strict policy about what information should be made public.

  1. Adopt a culture of caution:

Though many companies perform training sessions, staggering numbers of employees click on phishing links every day. For the biggest impact, resilience shouldn’t just be boiled down to a quarterly seminar – it needs to be built into the culture of the company.

Adopting a “caution over comfort” mindset will help employees to think critically whenever they see an email that makes them uneasy. Make it known that they’re encouraged to double-check with their superiors or the IT department if they have any doubt.

This should extend to transactions. Often, phishers who have access to credentials will strike by jumping into an existing email chain about a deal and providing their own payment details instead of the intended recipient. A strict transaction policy that requires validation through security questions on a different communications channel can combat this.

Stop phishing emails in their track with Mimecast

Implementing the above tips will significantly reduce the chance that a phishing attack is successful without a significant financial investment. However, the unfortunate truth is that so long as phishing emails are still hitting employees’ inboxes, mistakes will be made.

That’s where an email gateway like Mimecast comes in. By scanning email in real-time, it’s able to identify suspicious emails and block, flag, or categorize them before they reach an employee’s inbox. It will scan every URL, sandbox and scan all attachments, and look for anomalies in the sender and email text.

With an intuitive dashboard and regular updates, Mimecast acts as a one-stop-shop for phishing protection, taking human error out of the equation while reducing the burden on the IT department. If you think Mimecast is right for you or just want to discuss how the better protect your organization, get in touch with us today.