
Why Phishing emails are a major threat to your business – and how to address them

Published June 1, 2023, updated March 19, 2024

According to Verizon’s annual DBIR (Data Breach Investigations Report), phishing is the second most popular attack vector next to compromised credentials, accounting for 18% of all successful breaches.

However, the threat of phishing often doesn’t get the attention it deserves and is underestimated by many small businesses. Many fail to realise that it is an easy way for attackers to get a foothold in company systems, which then enables them to launch more damaging attacks such as remote takeovers of systems, ransomware, or data and IP theft.

So, what can you do about it in your business?

Below, we’ll review everything you need to know to make phishing email security within your business more robust.

Common types of phishing methods attackers use

Phishing is an umbrella term for a type of cyberattack where the perpetrator tries to trick a victim by impersonating something else – either a company, service, or person. The goal is typically to get a phishing victim to hand over personal or sensitive information –  or download dangerous malware, like ransomware.

Attackers do this by disguising unique identifiers, like domains, email addresses, or phone numbers to make them look like legitimate organisations. For example, they might ‘spoof’ or fake the email address of Bank_1, which is support@bank_1.com, to support@bank_I.com in the hope of fooling victims who don’t see the difference and begin to interact with the hackers unaware.

All phishing techniques still rely on ‘spoofing’ a legitimate business or entity to trick victims into interacting with the perpetrator. However, they can have subtle differences in the technologies, communication systems and social engineering strategies that are employed to deliver them.

  • Email phishing: This is still the most common type of phishing used today. Attackers often design banking or IT support phishing emails to trick victims into giving away vital details
  • Spear phishing: Spear phishing is simply a phishing attack that targets a specific individual or person. By addressing the victim personally, the phishing attempt can often seem more convincing
  • Whaling: Similar to spear phishing, whaling specifically targets senior employees in a business. The idea is that high-level personnel have access to the most sensitive or valuable data which means a bigger potential payout for cybercriminals
  • Smishing: Short for “SMS phishing,” this refers to any phishing attack via SMS
  • Angler phishing: Unscrupulous attackers create fake social accounts or posts designed to get unsuspecting users to click malicious links, engage with attackers or give up valuable information

If these were the only types of phishing attacks carried out, the problem of how to protect from phishing emails would still be significant. However, hackers have developed many other methods, including pop-up phishing, social phishing, search engine phishing, etc. Domain and website spoofing are also social engineering tactics that have much in common with phishing.
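The address trick above (support@bank_I.com standing in for support@bank_1.com) is exactly the kind of thing an email filtering solution should catch before a person has to. The following is an added example, not code from the original post or from any product it mentions: it normalises visually confusable characters so lookalike spellings collapse to the same string, then classifies each sender as trusted, lookalike or unknown. The trusted-domain list, the confusable-character table, the similarity threshold and the sample addresses are all constructed for the example.

```python
"""Lookalike sender-domain screening (added example, not from the original post).

A sender whose domain is not on the trusted list but looks confusingly like one
(bank_I.com versus bank_1.com) is flagged as a lookalike. Everything below that
names a domain, character mapping or threshold is constructed for illustration.
"""
from difflib import SequenceMatcher

# Constructed table: characters that are easy to confuse in many fonts, each
# mapped to one canonical form so bank_I.com and bank_1.com compare equal.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "!": "l",
    "3": "e", "5": "s", "8": "b", "4": "a", "9": "g",
})

# Constructed list of domains the organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"bank_1.com", "acme-payroll.co.uk"}

# Constructed threshold: normalised domains at least this similar are lookalikes.
LOOKALIKE_THRESHOLD = 0.85


def skeleton(domain: str) -> str:
    """Normalise a domain so visually confusable spellings become identical."""
    d = domain.strip().lower().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")  # multi-character confusables
    return d.translate(CONFUSABLES)


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    if "@" not in address:
        raise ValueError(f"not an e-mail address: {address!r}")
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def classify_sender(address, trusted=frozenset(TRUSTED_DOMAINS),
                    threshold=LOOKALIKE_THRESHOLD):
    """Classify a sender as 'trusted', 'lookalike' or 'unknown'.

    Returns (verdict, domain) where domain is the trusted domain the sender
    matched or imitated, or None when the verdict is 'unknown'.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    for t in trusted:  # genuine subdomain of a trusted domain, e.g. mail.bank_1.com
        if domain.endswith("." + t):
            return "trusted", t
    sk = skeleton(domain)
    best, best_score = None, 0.0
    for t in trusted:
        tsk = skeleton(t)
        # Identical after normalisation, or the trusted name embedded inside an
        # attacker-controlled domain such as bank_1.com.secure-login.example
        if sk == tsk or tsk in sk:
            return "lookalike", t
        score = SequenceMatcher(None, sk, tsk).ratio()
        if score > best_score:
            best, best_score = t, score
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None


# Constructed sample senders, as a filter would see them in message headers.
SAMPLE_SENDERS = [
    "support@bank_1.com",                      # the real bank
    "it-helpdesk@mail.bank_1.com",             # genuine subdomain
    "support@bank_I.com",                      # the lookalike from the post
    "alerts@bank-1.com",                       # hyphen instead of underscore
    "login@bank_1.com.secure-login.example",   # trusted name used as a subdomain
    "newsletter@unrelated.example",            # simply not on the list
]


def screen(senders=SAMPLE_SENDERS):
    """Return (address, verdict, imitated_or_matched_domain) for each sender."""
    return [(a, *classify_sender(a)) for a in senders]


if __name__ == "__main__":
    for address, verdict, target in screen():
        note = f" (imitates {target})" if verdict == "lookalike" else ""
        print(f"{verdict:9} {address}{note}")
```

In a real deployment the verdict would feed a quarantine or a warning banner rather than a print, and the trusted list would be the organisation's own domains plus those of its banks, suppliers and service providers; the threshold is a tuning knob, and a low one will flag legitimate but similarly named third parties, so review the lookalike queue rather than dropping it silently.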

Mistakes SMEs make when it comes to phishing attacks

The statistics clearly show that many SMEs aren’t equipped to deal with the threat of phishing. Some of the main reasons why small and medium-sized businesses and their employees keep falling victim to cyberattacks are:

  1. Employees are not given adequate cybersecurity training and education to enable them to identify and respond to phishing attempts.
  2. No structured response and mitigation plan is in place to deal with cyberattacks should the worst happen.
  3. Not regularly reviewing cybersecurity maturity or security protocols and updating them over time.
  4. A lack of IT security monitoring tools that monitor email and internet activity.
  5. Not implementing an email or domain filtering solution that blacklists suspicious domains.
  6. Not using big, quick wins like multi-factor authentication (MFA) to secure accounts and system access.

5 steps to help your business detect and thwart phishing attacks

Thankfully, there’s a lot that small and medium-sized businesses can do to combat phishing.

By taking the steps below, SMEs will nullify most of the mistakes that make them vulnerable to phishing attacks, and build the maturity and protocols to handle them more smoothly.

1.    Raise awareness of the issue through training and education

Your employees are the first line of defence in the battle against phishing threats, and the number one thing SMEs can do is educate all relevant stakeholders about the issue. Luckily, frameworks for effective phishing training and assessment already exist, such as the Phish Scale developed by NIST. It helps to assess the ability of employees to detect phishing attacks while teaching them the tell-tale signs to look for.

2.    Deploy an Email Security Solution

Top email security solutions today are highly adept at detecting and thwarting the vast majority of phishing or spam emails. As email is the most common form of phishing attack, a highly effective email filtering solution is key.

3.    Raise Your Cybersecurity Maturity

In general, higher cybersecurity maturity will help prevent phishing attacks, minimise the damage they cause and protect your most valuable assets. This involves putting measures in place as part of a broader IT security solution, like:

  • Deploying endpoint, network, and cloud security software as needed
  • Having backup solutions in place
  • Implementing role-based access
  • Isolating and securing vulnerable systems or data
  • Enforcing the use of multi-factor authentication

4.    Practice Security Hygiene

82% of successful attacks involve human error. Even if you have the best, most advanced security solutions, it may not mean much if your employees don’t do their part. Employees need to understand basic security etiquette, like using strong passwords, protecting their credentials, only using secure devices, running anti-malware scans, updating software, etc.

5.    Develop an Incident Response Plan

Today, falling victim to an attempted cyberattack is not a matter of if but when.

Should all prevention measures fail and an attack actually penetrate your systems and your business, having a plan will help you deal with it effectively, with minimal panic and while minimising the damage.

Why education plays a key role in preventing phishing

The best defence against phishing is simply awareness. Some people think they are too savvy to get caught, because phishing attempts are relatively well-known and unsophisticated. Others rely too heavily on IT solutions for phishing emails while overlooking the human element of a broader solution. However, the statistics show why neither of those assumptions is wise.

So, first of all, training and education will give employees an accurate perspective of how big a threat phishing is and how it can impact their life, career and company. Secondly, while they are becoming increasingly tricky, phishing attacks still usually leave some tell-tale clues.

Through training and education, employees can learn what to look out for and develop the habit of always looking for these signals.

Even then, individuals are often taken unawares by attackers continually changing their modus operandi. For example, spear phishing or whaling can be an intensive exercise that involves significant prep time to gather information on the target. With better AI translation tools, attackers no longer need to be English-speaking, for example, to write legitimate-looking email copy. On the other hand, automation tools allow them to launch highly-targeted attacks at scale.

More advanced attacks go beyond approximating legitimate domains and email addresses. For example, some Business Email Compromise (BEC) attacks give attackers full control of a company’s email servers, which then send emails to customers, clients and partners from the victim company’s real email address.

For this reason, training and education against phishing attacks is not a one-off process but a long-term commitment, and training needs to be continually updated so that employees always have a current understanding of the newest techniques employed by cybercriminals.

Need to review your IT security?

Getting to grips with your IT security is complex and can be a challenge.

Engaging the help of an expert IT provider can help you accelerate the process and you can tap into their experience to help keep your business safe.

If we can help your business, get in touch.