One of the most persistent security challenges is phishing. This is true for both organizations and individuals. Whether gaining access to credit card information, passwords, or any other sensitive information, hackers can use different techniques, such as social engineering, emails, phone calls, and other forms of communication, to steal data. This opens up businesses as worthwhile targets since they have valuable data on hand.

In order to help businesses avoid losing data from phishing attacks, here are some frequently asked questions I get and best practices I recommend towards protecting companies from such attacks:

Question: What is the single biggest mistake a company can do that makes them vulnerable to phishing attacks?

Answer from security experts:

  • When the company does not invest in the right tools and they do not provide proper training to their people about their role in information security.
  • Browsing the internet carelessly.
  • Not having proper policies that outline how to react to suspicious emails.
  • When organizations are run in an authoritarian style where employees are trained to simply follow instructions, which leads them to easily giving up information.
  • The same can be said for organizations that have a culture where asking for help is frowned upon.
  • Not using a multi-layered approach to detect, analyze, and stop phishing attacks.
  • Spear phishing is becoming more and more popular to target specific employees, so there is a bigger need to train employees about protecting their data.

 

Question: What are the common ways that hackers attack?

Answer from security experts:

  • Sending a link through email that opens a malicious website.
  • Placing a trojan in the target’s computer through an email attachment.
  • Creating a spoofed email to look as reputable as possible and tricking the receiver.
  • Impersonating a vendor or IT department and calling via phone.
  • A technique where content with malicious intent is injected into the company’s website to obtain passwords.
  • Hackers positioning themselves in the middle of the company and their customers to capture any and all information transmitted between them.
  • DNS-based phishing attack that forces people into a malicious website when they try to visit the target website.

 

Question: How can we defend against phishing attacks?

Answer from security experts:

  • Use an SSL certificate on your website to protect all information transmitted between the web server and the visitor’s browser.
  • Provide proper and regular training to employees about phishing, how to identify it, and what to do when they suspect an attack.
  • Ensure that all security tools, protocols, and controls are up to date. Also, take note of new developments in the IT industry about tools and new types of attacks, to be able to adapt the company’s defenses.
  • When a payment page is needed for your website, make sure to use a securely hosted page. This is the best practice in order to secure credit card information being transmitted over the internet.
  • Create a filter that can detect the most common types of spam and phishing attacks. This should be also able to identify attachments and filter malicious ones.
  • Use an antivirus solution for each endpoint device, as well as the entire network.
  • Encrypt the sensitive data of the company so they are difficult to open even when stolen.
  • Use a web filter in order to block malicious websites from even opening on your network.
  • Disable HTML email feature within the organization, which will reduce the risks of phishing attacks
  • Make sure to require proper encryption for all employees who telecommute or work remotely.

 

While there are several tips shared by the security experts, we need to understand that most attacks are geared towards the users. Hackers use social engineering in order to get the information they need from the company’s employees. This strengthens the fact that training employees on phishing defense are crucial to stopping these attacks. Furthermore, the importance of crafting proper policies and protocols to thwarts these attacks should not be taken lightly.

Remember, all it takes is for one employee to take the bait, and the organization can fall into chaos. The IT department can set up several layers of defense against such attacks as mentioned earlier, but each employee needs to participate in ensuring that all data is protected.

Author: Ameen Abdulrazaq

 

Sources: https://digitalguardian.com/blog/phishing-attack-prevention-how-identify-avoid-phishing-scams