Why Does Phishing Fly Under the Radar for So Many Businesses?
Phishing is a type of attack that primarily tries to steal sensitive information by masquerading as a trustworthy entity in an electronic communication. In this type of online fraud the cyber threat actor borrows an established trust relationship to obtain information—such as passwords and credit card numbers—that the target wouldn’t normally give to a stranger.
Phishing attacks are ever-present in the modern world, often presenting in the form of an email, text message or social media post. At first glance the message might look legitimate, but something about the wording or content isn’t quite right. For example, you get an email saying it's from the tax department and they need your personal banking details so they can send your tax refund. On closer inspection you may notice that the sender isn’t a legitimate ATO email address, and determine the email to be fraudulent. Or perhaps you get an instant message from a friend saying they’re stuck in a place where they can’t call and need you to wire money to an unfamiliar account. The next logical step might be to call that friend, only to discover your starring role in another phishing attempt.
You may have become so accustomed to poorly-conceived phishing scams that you tune them out as background noise in most cases: the badly-worded email from a bank, grammatical red flags everywhere, asking you to sign in; the robocaller phoning with monotone parcel collection and tax scams; or your run-of-the-mill spam invoices for services never rendered. We laugh off foreign royalty asking us to invest or move money around, but these conspicuous, ham-fisted phishing attempts belie a dangerous undercurrent of far more sophisticated operators that you or your colleagues might be unaware of.
Let’s talk about the three broad pillars of your organisation’s phishing defence capacity, and where you can make small adjustments based on current industry thinking and best practices.
How to prevent phishing
1. Secure the Gateway to Your Business: Refresh Cyber Awareness
Every day there are thousands of phishing scams sent out by criminals who rely on the law of large numbers to scoop up a few distracted victims with every effort. It can be difficult for inexperienced or unaware users to distinguish legitimate personalities, branding and sites from those created by cybercriminals, since they can leverage spoofed signatures, email addresses, domain names and familiar visual design.
Even when staff are trained comprehensively, awareness can evaporate quickly if not fortified by repetition and integration. According to a research paper presented at August’s USENIX SOUPS security conference, security and phishing awareness training can wear off after a few months. Researchers determined that while training employees in detecting phishing emails will help organisations defend against most attacks, this training needs to be cyclical. Training sessions should be refreshed periodically—ideally every six months—along with regular internal discussions and threat awareness sessions. Keeping cyber awareness front of mind helps organisations successfully combat evolving threats by maintaining a consistent and informed posture of awareness.
Because any type of employee with access inside an organisation can be targeted, it remains critical for users in all areas of a business to learn about phishing attacks and how they work. Less technical members of staff need to be introduced to these concepts too so that they’re able to recognise red flags when they appear, and know who to alert.
Even your most technically-sound and cyber aware staff can have phishing attempts fall into their blind spot when over-confident, distracted, or simply not across the trending spread of popular scams. Because awareness fades, and the attack landscape is ever-evolving, the approach here should be to assume no prior knowledge and always refresh core concepts. For cyber awareness to become an effective phishing radar across your business, it must be holistic, continuous, and finely tuned.
2. Secure Your Business Infrastructure: Set Baseline Technology Standards
The second pillar of your capacity to prevent phishing attacks is woven into the infrastructure of your organisation. Firewalls, antivirus, security patches, and password management are the tools that the bulk of your people and systems rely on to do things in the most secure way possible.
Maintaining these systems so they’re functional and available to staff who need them at all times ensures that the bare minimum requirements for securely doing business are met by default. With the right systems in place, and the processes and training to use them effectively, staff incur less mental overhead thinking about the safest way to do things, and can simply work optimally within a standard operating environment.
Maintain up-to-date antivirus software: Make sure you have up-to-date antivirus software installed on all of your devices including desktop computers, laptops, tablets and mobile phones. Antivirus software will protect against malware and other malicious files that may evade your primary phishing defences at the email level.
Your antivirus software is your first line of defence against malware and computer viruses. To use it effectively though, you need to make sure there aren’t gaps—a holistic defensive posture means updating every machine with current security patches, antivirus software and daily updates of new threats for the AV client. Computers and devices equipped with antivirus software won’t be bulletproof, but will be better protected from all types of cyber threat.
Use Secure Password Management: Passwords are a major security risk. The best way to combat sloppy or ineffective password management by individuals is to use a password manager as standard across the business.
Some of the most popular free password manager tools include KeePass, LastPass, and Dashlane. These programs allow you to create strong passwords for each account and store them in an encrypted database accessible by staff from everywhere. These programs can also generate a new random password, help you change old passwords when necessary, and save your account information when logging into an account on a new device.
Only allow strong passwords: Passwords should be at least 8 characters long and include numbers, lowercase letters, uppercase letters and symbols. A password should not contain any of your own personal information such as your name, your phone number or your address.
Use Two-Factor Authentication by default: Two-factor authentication is a security protocol that can shore up the resilience of your business accounts. This provides an extra layer of shielding on top of your normal password. Two-factor authentication isn’t the final answer for password security, but it does add extra protection to your “security stack”. There are still some vulnerabilities with 2FA that may leave you open to attack—for instance, if someone has access to your phone, they can potentially use this to bypass two-factor authentication altogether.
Only allow HTTPS: Insecure HTTP sites provide another commonly used avenue of attack. Hypertext Transfer Protocol Secure (HTTPS) is the secure version of the HTTP protocol that is used to send data over the Internet. The data sent over an HTTPS connection is encrypted, which means that it can’t be read by someone who intercepts it. Again, this isn’t airtight, and is vulnerable to many fringe types of attack, but for everyday use by the people in your business, it’s the safest way.
3. Secure the Processes of Your Business: Adopt a More Preventative Security Posture
In order to succeed, all cyberattacks need a series of failures to occur within security processes. Preventing just one failure in the sequence can be the circuit breaker that defuses the entire attack. It’s important to deeply understand the pathways real world phishing attacks take to identify targets, deploy payloads, and achieve their aims successfully. Then turn your eye inward to apply this understanding to your own attack surfaces. The third pillar of phishing prevention is about building in additional margins of error by creating logical processes.
Understand your attack surfaces and threat vectors: In this context the vectors you might explore are email, text message, internal or external instant messaging, web-based chat or help services, and any other avenue in which electronic communications can reach the people in your business.
Map and explore the channels that cyber threat actors might leverage to deliver malware, malicious links, or requests for confidential information. Train your staff to be alert to these channels as high risk entry points for malicious content, and trigger their innate human pattern recognition going forward by taking them through exhaustive examples of phishing attacks.
Regularly testing phishing alertness with harmless phishing emails sent internally from your IT team is one way to tell if staff are taking the threat seriously, and provides the opportunity to educate on preventative and reporting processes.
Take a more proactive approach to email: Traditional email security products largely operate around preventing spam and malware. They can be useful against malware that has been around for a while, but are less effective against zero-day attacks and websites that seem safe but may have been weaponised with malicious features.
A second layer of security specifically designed to detect unusual emails, common scam wording like requests for actions, detection of hidden pixels, and prevention of embedded content or outgoing links can be dialed in to best suit how your business operates.
Isolate personal communications from business: Letting employees browse Facebook on their work computer may be the mark of a chilled-out entertainer for a boss, but it’s also a step in the wrong direction for ensuring that all business communications remain in a secure silo.
OAuth (Open Authorization) and account-swapping features can be leveraged technically or via social engineering by knowledgeable attackers who carefully research their targets, both at work and in their personal social spheres online. Because personal accounts are usually held to a lower standard of security policy, they can be easier for attackers to exploit as a route into company systems.
Simply keeping personal communications restricted to personal devices, and business communications on business systems, creates a partition between systems as a matter of process. It reduces the risk of data loss or reputational issues around accidental misuse of accounts, and lightens the cognitive burden of keeping track of which is which.
Similarly, a policy should be in place preventing company data being emailed to personal accounts, and vice-versa. This is another feature that may require a more robust email security suite to enable, but it is invaluable as a preventative policy.
By keeping company communications and data in a zero trust silo you ensure its integrity from internal corruption, and further buffer it from risk of outside attack.
Create an audit trail of comprehensive logging: No system in your network is unimportant. Identifying and logging every action taken within your secure environment lets you see patterns and identify threats before they take hold. Maintaining a holistic view of what the people and systems on your network do provides important historical data for backtesting and for determining when something isn’t functioning as normal.
Protect your brand: After you get the email security basics configured, begin implementing authentication protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC is a standard that provides businesses with additional ways to assure customers that they are really dealing with your brand.
Know Your Enemy to Anticipate Their Next Move
Most heuristic and algorithm-based approaches to security still fall short of common sense. Here an ounce of prevention is worth a pound of cure. Even with the latest security suite, updated with every patch and malware signature, the human element can come into play.
Phishing-related security breaches don’t just pop up out of the blue. They progress along proven vectors of technology and behaviour in predictable ways that should begin to raise a series of red flags for anyone paying attention. Breaking the circuit at any stage of the sequence can stop an attack in progress before it succeeds, preventing financial and reputational damage, or data loss. Knowing what to look for is half the battle, and socialising that mindset will ensure a functionally alert security posture across your business.