Phishing Attack Prevention: How to Identify & Avoid Phishing Scams



23 security experts share the most common phishing methods and how your organization can prevent them.

Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. Whether it's getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication they can to steal valuable data. Businesses, of course, are a particularly worthwhile target.

To help businesses better understand how they can work to avoid falling victim to phishing attacks, we asked a number of security experts to share their view of the most common ways that companies are subjected to phishing attacks and how businesses can prevent them. Below you'll find responses to the question we posed:

"How do companies fall victim to phishing attacks and how can they prevent them?"

Meet Our Panel of Data Security Experts:



Tiffany Tucker

@ChelseaTech

Tiffany Tucker is a Systems Engineer at Chelsea Technologies. She's worked in the IT field for about 10 years. She has a Bachelor's degree in Computer Science and a Master's degree in IT Administration & Security.

The one mistake companies make that leaves them vulnerable to phishing attacks is...

Not having the right tools in place and failing to train employees on their role in information security.

Employees possess credentials and overall knowledge that is critical to the success of a breach of the company's security. One of the ways in which an intruder obtains this protected information is via phishing. The purpose of phishing is to collect sensitive information with the intention of using that information to gain access to otherwise protected data, networks, etc. A phisher's success is contingent upon establishing trust with its victims. We live in a digital age, and gathering information has become much easier as we are well beyond the dumpster diving days.

There are various phishing techniques used by attackers:

  • Embedding a link in an email that redirects your employee to an unsecure website that requests sensitive information
  • Installing a Trojan via a malicious email attachment or ad which will allow the intruder to exploit loopholes and obtain sensitive information
  • Spoofing the sender address in an email to appear as a reputable source and request sensitive information
  • Attempting to obtain company information over the phone by impersonating a known company vendor or IT department

Here are a few steps a company can take to protect itself against phishing:

  • Educate your employees and conduct training sessions with mock phishing scenarios.
  • Deploy a SPAM filter that detects viruses, blank senders, etc.
  • Keep all systems current with the latest security patches and updates.
  • Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
  • Develop a security policy that includes but isn't limited to password expiration and complexity.
  • Deploy a web filter to block malicious websites.
  • Encrypt all sensitive company information.
  • Convert HTML email into text only email messages or disable HTML email messages.
  • Require encryption for employees that are telecommuting.

There are multiple steps a company can take to protect against phishing. They must keep a pulse on the current phishing strategies and confirm their security policies and solutions can eliminate threats as they evolve. It is equally as important to make sure that their employees understand the types of attacks they may face, the risks, and how to address them. Informed employees and properly secured systems are key when protecting your company from phishing attacks.


Arthur Zilberman

@laptopmd

Arthur Zilberman emigrated from Minsk, Belarus and grew up in Sheepshead Bay, Brooklyn. He obtained his B.S. in Computer Science from the New York Institute of Technology, propelling him into his career as a corporate IT manager and later a computer services provider. Arthur Zilberman is CEO of LaptopMD, a staple of the New York technology community since 1999.

The one mistake companies make that leads them to fall victim to phishing attacks is...

Careless internet browsing.

Companies fall prey to phishing attacks because of careless and naive internet browsing. Instituting a policy that prevents certain sites from being accessed greatly reduces a business' chance of having their security compromised.

It's also important to educate your employees about the tactics of phishers. Employees should be trained on security awareness as part of their orientation. Inform them to be wary of e-mails with attachments from people they don't know. Let them know that no credible website would ask for their password over e-mail. Additionally, people need to be careful which browsers they utilize. Read all URLs from right to left. The last address is the true domain. Secure URLs that don't employ https are fraudulent, as are sites that begin with IP addresses.


Mike Meikle

@mike_meikle

Mike Meikle is Partner at SecureHIM, a security consulting and education company that provides cyber security training for clients on topics such as data privacy and how to minimize the risk of data breaches. He has worked within the information technology and security fields for over fifteen years and speaks nationally on risk management, governance and security topics. He has presented for Intel, McAfee, Financial Times, HIMSS and for other Fortune 500 companies. He is also a published writer with articles that have appeared in American Medical News, CNBC, CIO Magazine, Los Angeles Times and Chicago Tribune. He holds a Certified Information Systems Security Professional (CISSP), a Project Management Professional (PMP) and a Six Sigma Green Belt.

There are several human and technological factors that companies should consider to avoid falling victim to phishing attacks:

On the subject of security breaches and social engineering, some of the most high profile breaches (Target, Sony) were instigated with phishing campaigns. In the case of Target, a 3rd party was compromised via email which allowed the malicious actors to eventually access the Target network.

Phishing/whaling is one of the key components of social engineering. The emails are crafted to resemble correspondence from a trustworthy source (government, legal, HR, bank, etc.) and often dupe individuals into clicking on a malicious embedded link. More sophisticated phishing emails execute hidden code if the mail is simply opened on the target's computer.

Employees need to make sure that they understand the risks when opening email attachments or clicking on links from unfamiliar sources, for these can lead to malware or virus infection. This is best covered in an effective security education program.

A big component of protecting against phishing is employee training that actually works. Most security training delivered in the enterprise today is either a yearly event or held at employee orientation. If the training is given online the employees rapidly click through the content, ignoring most of the information. This is usually done at lunch while surfing other content. If actually given in person, the training is usually a deck of PowerPoint slides in small font narrated by an uninterested speaker for an hour. The enterprise really needs an effective Training, Education and Awareness (TEA) program for security.

There are several different technological approaches to combating phishing attacks. Certain products send test phishing emails to corporate staff which then provide metrics to security leadership about the efficacy of their anti-phishing training programs. The quality of these can vary but Wombat is a popular product in this space.

Another technological approach is to use a heuristics product to determine if an email is fraudulent. The success rate of these solutions is mixed. They filter out many of the obvious scams, but leave the more cleverly designed emails intact. IronPort is a leader in this niche. Outside of attempting to control social engineering exploits, businesses can also manage risk by investing in cyber security liability insurance. The ROI for this type of policy would have to be weighed against the business model, the data stored and the potential damages they could incur in the event of a data breach.


Steve Spearman

@HipaaSolutions

Steve Spearman is the Founder and Chief Security Consultant for Health Security Solutions. He has been employed in the healthcare industry since 1991, when he began working with Patient Care Technologies, an electronic medical record solutions provider. As Chief Security Consultant, Steve stays busy providing HIPAA risk analysis for clients and business partners. In addition to his duties at Health Security Solutions, Steve also serves as a member of the Health Care Advisory Council of Ingram Micro, as a speaker for Comp-TIA, and a consultant for state Regional Extension Centers such as CITIA and GA-HITREC, among others. Steve resides in Clemson, SC with his wife Jean, their three kids, and Gypsy, the InfoSec Media Wonder Dog.

The one thing companies need to keep in mind for phishing attack protection is...

Defending against these attacks requires a coordinated and layered approach to security:

  • Train employees to recognize phishing attacks to avoid clicking on malicious links. For example, if the domain of the link to which you are being directed doesn't match the purported company domain, then the link is a fake.
  • Many spam filters can be enabled to recognize and prevent emails from suspicious sources from ever reaching the inbox of employees.
  • Two factor authentication should be deployed to prevent hackers who have compromised a user's credentials from ever gaining access.
  • Browser add-ons and extensions can be enabled on browsers that prevent users from clicking on malicious links.

Phishing is a method used to compromise the computers of and steal sensitive information from individuals by pretending to be an email from or the website of a trusted organization. For example, a person receives an email that appears to be from the recipient's bank requesting that recipient verify certain information on a web form that mimics the bank's website. When captured by the hackers, the data allows them access to the recipient's banking information. Alternatively, the web-link may contain malicious code to compromise the target's computer. One of the things that makes phishing attacks tricky is that they can be distributed by compromising the email address books of compromised computers. So the email may appear to have been sent by a known and trusted source.

A subset and highly effective form of phishing attack is a spear-phishing attack in which a hacker will research an intended target and include details in an email that makes the email seem more credible. The details may, for example, reference a corporate social event from the previous month that was published on a public website. It can be exceedingly difficult to protect against these kinds of attacks as demonstrated by the notable and extremely costly breaches of sensitive information by Target, Home Depot, and Baylor Regional Medical Center.


Frank Bradshaw

@fmb_3

Frank Bradshaw is the President of Ho'ike Technologies.

The one mistake companies make that leads them to fall victim to phishing attacks is...

Not following this two step approach:

1. Sound security policies

You set the rules as to how you should respond to strange or out of place emails and requests. Your policies should also show people what to do in case they see something out of place. Now you ask, what is a strange or out of place email or request?

2. Security awareness training.

Teach your associates what good emails look like. Try to teach and show people what bad emails tend to look like.

To coincide with that teaching is testing. Perform phishing attempts against your own staff to gauge their level of sophistication handling phishing attempts. This will help you know if your staff is ready to handle such intrusion. Also test your management to see if they are adequately enforcing the policies.

Really at the end of the day, educating users is what's going to reduce the success of attacks and testing will make sure security and/or management know how to respond to them.


Dave Jevans

@davejevans

Dave Jevans is Marble Security's CEO, chairman and CTO. He also serves as chairman of the Anti-Phishing Working Group, a consortium of 1,500+ financial services companies, ISPs, law enforcement agencies and technology vendors dedicated to fighting crimeware, email fraud and online identity theft. The APWG hosts eCrime, an annual symposium on electronic crime research that takes place in Barcelona, Spain.

Securing BYOD and educating end users is critical for phishing attack protection.

A new threat vector that has been introduced by the BYOD trend is that apps on employees' mobile devices can access their address books and export them to sites on the Internet, exposing the contacts to attackers who use them for targeted spear phishing. One important step for businesses to take is preventing prospective attackers from accessing the corporate directory, which includes names, email addresses and other personal employee information. Installing mobile security software on user devices that scans apps and prevents users from accessing the corporate networks if they have privacy leaking apps is recommended.

Another step is to protect mobile users from visiting phishing sites, even when they are on a Wi-Fi network that the company does not control. These protections must be done at the network level because email filtering is not sufficient. Phishing and spear phishing attacks can be delivered through corporate email, through a user's personal email that may be connected to their mobile device or through SMS messages to the user. Mobile users should be connected over Virtual Private Networks (VPNs) to services that provide secure Domain Name System (DNS) and blacklisting to prevent access to phishing sites.

Also, it turns out that the users themselves are often the best channel through which to detect, report and defend against phishing attacks. An important practice enterprises should implement is to put in systems where users can quickly and easily report a phishing attack, have it routed to IT, have it filtered and have it put in a system so that IT can quickly and easily add it to blacklists that will protect both internal employees and those that are remote or on mobile devices.


Greg Scott

@DGregScott

Greg Scott works for Infrasupport Corporation. He's recently published a fiction book, Bullseye Breach, about a large retailer that loses 40 million credit card numbers to some Russian criminals.

One key fact to remember when it comes to protecting against phishing attacks is...

All it takes is one employee to take the bait.

In a company with, say, 1000 employees, that's 1000 possible attack vectors. The IT department can set up inbound spam filtering and outbound web filtering. They can run security drills, education campaigns, and spend enormous amounts of money to monitor traffic in detail. These are all helpful, but all it takes is one person, one time, to become careless and fall prey to an online con job - which should be the real name for a phishing attack.

So how to prevent them is the wrong question to ask. A better question is, how to limit the damage any successful phishing attack can cause. Here, a few low cost tactics will offer a high reward. In retail - isolate those POS terminals from the rest of the network. Sharing should be baked into security practices everywhere. This is counter-intuitive, but the best way to defend against attack is to share how all the defenses work. In detail.

In cryptography, the algorithms are public. Everyone knows them. That's why we have strong cryptography today - the surviving algorithms have all been peer and public reviewed, attacked, and strengthened. CIOs should operate similarly. Openly discuss security measures, expose them to public and peer review, conduct public post mortem incident reviews, publish the results, and adjust the methods where necessary.

Bad guys are already reviewing, discussing, and probing security in the shadows. Bad guys have a whole supply chain dedicated to improving their ability to plunder, complete with discussion forums and specialists in all sorts of dark endeavors. The bad guys have unlimited time and creativity and the good guys are out gunned and out manned. Against such an adversary, what CIO in their right mind would want to stand alone? Smart good guys should join forces out in the open for the common good.


Jared Schemanski

@nuspirenetworks

Jared Schemanski is the Security Analytics Team leader at Nuspire Networks.

The technique of phishing is probably one of the easiest and hardest things to stop because...

This type of attack is predicated on sending out a bunch of random emails and thereby forcing people to click on a link that opens up a whole franchise to vulnerabilities. Then there is spear phishing which is highly personalized emails that go to a person higher up in an organization who has greater access than typical phishing email targets.

Tips on how to avoid phishing consist of non-technical safeguards since the user must click on an untrusted source that enters through an outward-facing environment. The best and sometimes only way to address this is to show employees how to read emails, thereby reducing the knee-jerk reaction.

Here are a few other tips to share with email users:

If the email comes directly from an acquaintance or source that you would typically trust, forward the message to that same person directly to ensure that they indeed were the correct sender. This means, do not simply just hit reply to the email with whatever information was requested in the email.

Similarly, when you receive an email from a trusted source and it seems phishy (pun intended), give that person a call directly and confirm that the email was from them.

You’ll be able to check to see what is or what is not legitimate by dragging your cursor over the email sender as well as any links in the email. If the links are malicious, they will likely not match up with the email or link description.
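The three link checks the panel recommends (read the host right to left to find the true domain, compare it with the domain the message claims, and compare the visible link text with where the link really goes), as an added Python example that is not code from any of the contributors. The tiny suffix table stands in for the Public Suffix List, and the `.example`/`.test` hosts are constructed; both are assumptions of this example.

```python
"""Link checks from the panel's advice: read the host right to left to find the
true (registrable) domain, compare it with the domain the mail claims, and flag
link text that shows one address while the href goes to another.
Added example, not code from any contributor; sample hosts are constructed."""
import ipaddress
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the Public Suffix List. Production tooling
# should use the full list so that every multi-label suffix is handled.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Read right to left and return the part a registrant actually controls.

    'secure.mybank.example.phish.test' -> 'phish.test'
    'www.bank.co.uk'                   -> 'bank.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True for hosts such as 203.0.113.5 or an IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, expected_domain, display_text=""):
    """Return a list of warning signs for one link; an empty list means nothing odd.

    expected_domain: the domain the message claims to come from, e.g. 'mybank.example'.
    display_text:    the visible anchor text, to catch 'shows one URL, goes elsewhere'.
    """
    warnings = []
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""          # already lowercased, brackets stripped

    if parsed.scheme != "https":
        warnings.append(f"scheme is {parsed.scheme!r}, not https")
    if not host:
        warnings.append("URL has no host")
        return warnings
    if is_ip_literal(host):
        warnings.append(f"host is a bare IP address ({host})")
        return warnings
    if parsed.username is not None:
        # 'https://mybank.example@phish.test/': the browser ignores everything before '@'
        warnings.append("URL carries user info; the real host is after the '@'")

    actual = registrable_domain(host)
    expected = registrable_domain(expected_domain)
    if actual != expected:
        warnings.append(f"true domain is {actual!r}, not {expected!r}")
        # The claimed name sitting to the LEFT of the true domain is the classic lure.
        if ("." + expected + ".") in ("." + host):
            warnings.append(f"{expected!r} appears only as a subdomain of {actual!r}")

    text = display_text.strip()
    if text and "." in text and " " not in text:   # looks like a URL or hostname
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if shown and not is_ip_literal(shown) and registrable_domain(shown) != actual:
            warnings.append(f"link text shows {shown!r} but the link goes to {host!r}")
    return warnings
```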


Luis Chapetti

@CudaSecurity

Luis A. Chapetti is a Software Engineer and Data Scientist at Barracuda. Luis is part of the Barracuda Central Intelligence Team where he wears various hats handling IP reputation systems, Spydef databases and other top security stuff on the Barracuda Real-time protection system.

The one mistake companies make that leads them to fall victim to phishing attacks is...

Phishing today has become about as mainstream as a typical spam was back in 2004, basically meaning no one is immune to a possible phishing attack. One new way we've seen are campaigns that use embedded Excel spreadsheets. The spammers break the words into individual cells to bypass anti-spam tools. When viewed in an email it looks like a typical HTML attachment but it's much more difficult to analyze.

Here are a few tips to avoid being hit by such attacks for everybody:

  • Always treat your email password like the keys to the kingdom, because that's what it is for spammers.
  • Use a short phrase for a password (longer is better, and can be simpler) rather than just a few characters, and change it regularly.
  • Never share your email passwords unless you are logging in to your email provider's website.
  • Never click on links in an email - always type the address directly into the address bar.
  • Keep your desktop AV, anti-spam, etc. up to date.


Felix Odigie

@InspiredeLearn

Felix Odigie is CEO of Inspired eLearning.

The most important thing to remember to avoid falling victim to phishing attacks is...

Education is the key.

No matter what people read or see in the news, when that phishing email lands in the inbox, they honestly don't know what separates that email from a real communication. In order to improve phishing awareness, companies should regularly test employees with fake phishing emails. This method enables employees to recognize what is real and what is a phishing attack.

No matter how secure a company's IT security platform is, the company is only as secure as its user base. Unfortunately, compromised credentials represent the vast majority of hacks (over 90%) and phishing and spear phishing attacks are responsible for the majority of those breaches. So, with all the investment capital devoted to securing IT infrastructure, how can companies prevent employees from opening phishing emails? The best answer is continuous, hands-on employee education.


Abhish Saha

Abhish Saha is a payment specialist at MerchantSuite. Throughout his twenty-year career, he has been involved in consultations with some of the largest Australian and global businesses in Online Retail, Government Agencies and Billers. He has in-depth experience in leading developments across eCommerce, Technology, Business Banking, Risk Management, Security and Payment Gateways.

Securing against phishing attacks requires businesses to keep up with the ever evolving threat of phishing.

Phishing has become far more sophisticated than a suspicious email tempting a random individual to click on a link or provide their personal details. Usually phishing focuses on targeting an individual.

Here are three key phishing techniques that compromise companies to obtain several individuals' details:

  1. DNS-based phishing compromises your host files or domain names and directs your customers to a false webpage to enter their personal or payment details.
  2. Content-injection phishing is associated with criminal content, such as code or images, being added to your or your partners' websites to capture personal information from your staff and customers such as login details. This type of phishing often targets individuals that use the same password across different websites.
  3. Man-in-the-middle phishing involves criminals placing themselves between your company's website and your customer. This allows them to capture all the information your customer enters, such as personal information and credit card details.

Four ways that companies can defend against phishing attacks include:

  • Use an SSL Certificate to secure all traffic to and from your website. This protects the information being sent between your web server and your customers' browsers from eavesdropping.
  • Keep up to date to ensure you are protected at all times. You and your providers should install all the latest patches and updates to protect against vulnerabilities and security issues. This includes website hosting, shopping cart software, blogs and content management software.
  • Provide regular security training to your staff so that they are aware of and can identify phishing scams, malware and social engineering threats.
  • Use a Securely Hosted Payment Page. This is the best practice for reducing risk to your customers' card data. Use a payment gateway provider that has up-to-date PCI DSS and ISO 27001 certifications from independent auditors. This ensures that your customers' payment details are protected at all times.


Jayson Street

@PwnieExpress

Jayson is a well known conference speaker, and author of the book “Dissecting the hack: The F0rb1dd3n Network.” He has spoken at DEFCON, DerbyCon, UCON & at several other ‘CONs & colleges on a variety of Information Security subjects. He is an Infosec Ranger at Pwnie Express.

Companies are falling victim to phishing attacks from both educational and technical standpoints.

From the educational standpoint, enterprises are not preparing end users correctly, and need to educate employees on evolving attacker methods. Companies have traditionally done a good job educating employees on standard phishing emails that are often poorly worded, and not well executed - making them easy to spot. However, advances in spear phishing have made attacks targeted, highly relevant and personalized with the help of social media.

It's no longer enough to watch out for crudely worded emails - recipients must also consider context, content and sender, particularly if monetary transactions are involved. Concerted coaching to teach employees to be vigilant by not clicking suspicious links or downloading attachments is critical. To verify authenticity, employees should cross check by sending a separate follow-up email, texting the alleged sender or even calling to validate that the email is from the correct source.

From the technical standpoint, too many companies allow full egress out of the network, rendering loopholes to external security measures. A well structured security system should have strong policies dictating the uses for inbound and outbound gateways through the firewall. But enterprises can’t only monitor what's coming into the network, they need to better monitor and curtail traffic going out of the network with DLP and outbound email scanning tools.


Patrick Peterson

@AgariInc

Patrick is Agari's visionary leader and a pioneer in the email business. He joined IronPort Systems in 2000 and defined IronPort's email security appliances. He invented IronPort's SenderBase, the industry's first reputation service. In 2008, after Cisco's acquisition of IronPort, Patrick became one of 13 Cisco Fellows, where he led breakthrough cybercrime research focused on follow-the-money investigations into spam, scareware, spyware, web exploits, and data theft.

One thing to remember to avoid being susceptible to phishing attacks is...

Phishing attacks constantly happen. If someone came up to you on the street and said they had a package for you, you would say no thank you and walk away. When people get emails that say, FedEx has a package for you, they think that because it's on a computer screen they should click the link or open the attachment. A good rule of thumb is to take the same precautions you take online as you would in the real world.

Similarly, when it comes to passwords, if you happen to forget yours you can have it reset by answering personal questions. Those questions were once secure, but now many of the answers can be found on your social media accounts: birthdate, hometown, high school, etc. Think about what you share on social media in terms of being useful to cyber criminals.

Any company can take recent security breaches as more cautionary tales about the need for succinct security practices to protect company and consumer data. A very important aspect in email security is making sure your email provider uses technology like DMARC. It's the only email authentication protocol that ensures spoofed emails do not reach consumers and helps maintain company reputation. Top tier providers like Google, Yahoo, Microsoft and AOL all use it to stop phishing.
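How a receiving mail system applies the DMARC policy mentioned above, as an added Python example that is not Agari's or any contributor's code: it parses the published record, checks SPF/DKIM identifier alignment, and shows why only an enforcing policy (p=quarantine or p=reject) actually stops spoofed mail. It performs no DNS lookups; the record strings, the simplified organizational-domain rule and the domains are assumptions of the example.

```python
"""DMARC as the panel describes it: a receiver looks up the sending domain's
policy and checks whether an aligned SPF or DKIM result vouches for the From
domain. Added example, not Agari's or any contributor's code; it performs no
DNS lookups, and the record strings and domains are constructed."""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain. Simplification (assumption of this example): the
    last two labels; real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed,
    the default) accepts any host in the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Apply a DMARC record to one message.

    spf_pass_domain:  domain SPF validated (MAIL FROM), or None if SPF did not pass.
    dkim_pass_domain: d= of a DKIM signature that verified, or None.
    Returns (verdict, reason); verdict is 'pass', 'deliver', 'quarantine' or 'reject'.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("deliver", "no valid DMARC record, receiver falls back to normal delivery")
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "an aligned SPF or DKIM identifier authenticated the From domain")
    policy = tags["p"]
    if policy == "none":
        return ("deliver", "DMARC failed, but p=none only requests reports")
    pct = int(tags.get("pct", "100"))
    return (policy, f"DMARC failed; p={policy} applies to {pct}% of failing mail")


def weaknesses(record):
    """Why a published record might still let spoofed mail through."""
    tags = parse_dmarc(record)
    out = []
    if tags.get("p") == "none":
        out.append("p=none: receivers only report, spoofed mail is still delivered")
    if tags.get("pct", "100") != "100" and tags.get("p") != "none":
        out.append(f"pct={tags['pct']}: the policy is applied to only that share of failing mail")
    if tags.get("sp") == "none" and tags.get("p") != "none":
        out.append("sp=none: mail claiming to be from subdomains is exempt")
    if "rua" not in tags:
        out.append("no rua= address: aggregate reports of spoofing attempts go unseen")
    return out


# Constructed sample records for a fictitious bank.example
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"
WEAK_RECORD = "v=DMARC1; p=none"
```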


Daniel DiGriz

@MadPipe

Daniel DiGriz is a digital strategist and CEO of MadPipe, which helps companies solve human problems with processes and technology. He has a master's degree in Instructional Technology, and several decades of background in technical fields with Fortune 500 companies.

The one mistake companies make that leaves them susceptible to phishing attacks is...

Companies with an authoritarian hierarchy run more risk for phishing attacks, because employees tend to be cooperative with schemes that sound authoritative. This is also true in some organizational cultures where it's frowned upon to ask for help, there's some degree of mutual distrust, or a less collaborative work model. When university staff get an e-mail that says "someone may be trying to take over your e-mail account; please update your information," there's a perfect brew of an authoritative instruction, warning, and panic over who is looking at your work. In short, there's a high motivation to click.

Asking for IT help might create a backlash, so someone clicks, and it only takes one vulnerable recipient to give a phishing expedition what it needs to succeed. The odds go up when there are pockets of personnel who lack a basic level of technical literacy. Announcements about phishing may only cover one or two examples of exploits, but phishing is endlessly adaptable. The two options for mitigating risk, which are not mutually exclusive, are cultural change in the organization and a mandated standard of technical literacy for all employees and contractors with access to organizational resources.


Greg Kelley

@VestigeLtd

Greg Kelley is CTO for Vestige, Ltd, a company that performs computer forensic services and data breach response for organizations.

The one mistake companies make that leads them to fall victim to phishing attacks is...

First, their employees are not cautious enough to question whether they should open an attachment or click on a link to a site without verifying that the attachment is legitimate and the website is valid. Employees likely have a false sense of security that their anti-virus would catch any attachment if it is bad. Employees also do not look to see where the URL they are about to click on will send them, and when they get to the site, they do not review the address for validity or if their browser is reporting a properly authenticated SSL certificate.

Second, the bad guys are getting good at social engineering. They are doing their research on companies, reading blogs, news articles and other information to determine who works at a company, what their email address is, what their position is and with whom they might be communicating. The result is a well-crafted spear-phishing email catered to the recipient.

These attacks cannot be prevented but they can be mitigated. Companies should train their employees in regards to email use and detecting phishing attacks. This training should be done at onboarding for new employees and everyone should get a periodic refresher course. Companies should also review what information of theirs they make public and carefully consider what information should be made public and what should not.


David Ting

@imprivata

David Ting is the CTO at Imprivata.

The one mistake companies make that leads them to fall victim to phishing attacks is...

Most organizations have reinforced their perimeter defenses, but attackers have turned to exploiting the inherent vulnerability of employees. Spear phishing attacks, for example, use cleverly disguised requests for login credentials (i.e., to install a security patch or upgrade their Microsoft Office software) to dupe unsuspecting employees into entering their usernames and passwords. Spear phishing and similar attacks hinge on users being responsible for discerning the difference between a legitimate screen and malware requesting login information. Even for well-informed users, this task is increasingly more difficult as attackers get more sophisticated. When employees are left with the responsibility of determining the legitimacy of a request, the results can be disastrous - it only takes one or two users to compromise the entire system.

To address this, organizations can leverage a multi-layered approach to security. Single sign-on (SSO) and strong authentication, for example, eliminate the need for employees to ever manually enter passwords to access systems, applications or information. If an organization has SSO and an employee is asked for credentials, there is a strong likelihood it is a phishing attack. What's more, these systems can be configured such that your employees would not even be able to manually enter passwords, even if they wanted to, because their password strings would be unknown to them.


Tom Clare

@AWNetworks

Tom Clare leads corporate and product marketing at Arctic Wolf and brings over 20 years of security marketing management to the team. Prior to joining Arctic Wolf, he led product marketing at Websense for their TRITON security solutions and Blue Coat for their Secure Web Gateways.

The one mistake companies make that leads them to fall victim to phishing attacks is...

People will open and click on email links, even more so when they are expecting an email for a delivery, an IT alert or a seasonal tax status notification. Phishing and spear phishing rank high in security analysis reports because the tactic works. The age-old premise of a secure perimeter with preventive defenses has passed. A balance between preventative and detective defenses is required. Simply put, the preventative guards detect known bad and then the detectives need to find the unknown, such as hidden infections, open exploitable vulnerabilities, misconfigurations and security risks.

Start with the assumption that phishing email links will be clicked, providing cyber attackers the opportunity to move past your preventative defenses. The question is then - are you running continuous monitoring detective defenses? A solid baseline of monitoring will provide a normal range to then determine abnormal activity. Statistical and behavioral baselines are one form of machine analysis, plus pattern recognition, signatures and whitelisting. More advanced analysis uses data correlation models often provided within Security Information and Event Management (SIEM) solutions.

Detective defenses are also finding value in visualizations, providing the human eye the opportunity to pick out anomalies much faster than machine analysis. In narrow cases like fraud, machine analysis is effective, however for advanced persistent threats (APTs) often introduced through phishing emails, wider visibility and depth is required. Security analysts need the ability to search, pivot and trace with an analytical mindset.

Given people will click on phishing email links, you have to collect and look at the data to see infections and nefarious activity in your network. Ask yourself a simple question, what is the ratio of your preventative to detective defenses? This simple ratio is likely to answer the question about preventing and detecting phishing attacks.
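The following is an added example, not Tom Clare's or Arctic Wolf's code, of the statistical baseline he describes: a per-host "normal range" of outbound connections learned from a few days of proxy logs, then used to flag the day a host starts talking far more than usual, and to a destination it has never contacted. The log lines, host names and the `.invalid` destination are constructed for the example; the three-sigma threshold is an assumption a real deployment would tune.

```python
"""Per-host statistical baseline over outbound proxy events, as a minimal form of
the detective monitoring described above. Added example; not the author's code."""
import statistics
from collections import Counter, defaultdict

# Constructed, synthetic proxy log (not a real capture). One line per outbound
# connection: "<day> <host> <destination>". Days d1-d5 are the learning window.
BASELINE_LOG = """\
d1 ws-101 mail.example.com
d1 ws-101 intranet.example.com
d1 ws-101 cdn.example.com
d2 ws-101 mail.example.com
d2 ws-101 intranet.example.com
d3 ws-101 mail.example.com
d3 ws-101 intranet.example.com
d3 ws-101 cdn.example.com
d3 ws-101 cdn.example.com
d4 ws-101 mail.example.com
d4 ws-101 intranet.example.com
d4 ws-101 cdn.example.com
d5 ws-101 mail.example.com
d5 ws-101 intranet.example.com
d5 ws-101 cdn.example.com
d1 ws-102 mail.example.com
d2 ws-102 mail.example.com
d2 ws-102 intranet.example.com
d3 ws-102 mail.example.com
d4 ws-102 mail.example.com
d4 ws-102 intranet.example.com
d5 ws-102 mail.example.com
"""

# Day d6 is the window under review: in this constructed scenario ws-101 has
# clicked a phishing link and is now beaconing to a domain the baseline never saw.
OBSERVED_LOG = "\n".join(
    ["d6 ws-101 mail.example.com", "d6 ws-101 intranet.example.com"]
    + ["d6 ws-101 files.attacker.invalid"] * 10
    + ["d6 ws-102 mail.example.com", "d6 ws-102 intranet.example.com"]
)


def parse(log):
    """Turn the text log into (day, host, destination) tuples, skipping blanks."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]


def build_baseline(events):
    """Per host: mean and standard deviation of daily connection counts, plus the
    set of destinations seen, which acts as a per-host allowlist."""
    daily = defaultdict(Counter)      # host -> Counter(day -> connections)
    seen = defaultdict(set)           # host -> destinations observed
    for day, host, dest in events:
        daily[host][day] += 1
        seen[host].add(dest)
    baseline = {}
    for host, counts in daily.items():
        values = list(counts.values())
        baseline[host] = {
            "mean": statistics.mean(values),
            # A single day gives no spread to measure; treat it as zero.
            "sd": statistics.stdev(values) if len(values) > 1 else 0.0,
            "dests": seen[host],
        }
    return baseline


def detect(baseline, observed, sigmas=3.0):
    """Flag hosts whose connection count exceeds mean + sigmas*sd, or that talked
    to a destination absent from their baseline. A host with no baseline at all
    cannot be scored; it is reported so an analyst can look at it."""
    counts = Counter()
    dests = defaultdict(set)
    for _day, host, dest in observed:
        counts[host] += 1
        dests[host].add(dest)
    findings = []
    for host in sorted(counts):
        if host not in baseline:
            findings.append({"host": host, "count": counts[host], "threshold": None,
                             "new_destinations": sorted(dests[host]),
                             "reason": "no baseline"})
            continue
        b = baseline[host]
        threshold = b["mean"] + sigmas * b["sd"]
        new = sorted(dests[host] - b["dests"])
        reasons = []
        if counts[host] > threshold:
            reasons.append("volume")
        if new:
            reasons.append("new destination")
        if reasons:
            findings.append({"host": host, "count": counts[host],
                             "threshold": round(threshold, 2),
                             "new_destinations": new, "reason": ", ".join(reasons)})
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in detect(base, parse(OBSERVED_LOG)):
        print(finding)
```

Run as a script it prints one finding, for ws-101: 12 connections against a threshold of about 5.1, plus the never-before-seen destination. ws-102 stays quiet because both its volume and its destinations fall inside its own history. The same two signals (volume against a learned range, and a destination outside the host's allowlist) are what a SIEM correlation rule would express at scale.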


Bill Ho

@Biscom

Bill is the CEO of Biscom, the leading provider of secure file transfer, fax, and enterprise file synchronization and sharing solutions for the enterprise. He has over 20 years of experience in the technology industry heading security initiatives and most recently participated in the Harvard Business School's panel on cyber security.

Phishing attacks are very effective tools – because they target people.

While most of us know that Nigerian princes don’t really need someone to help them transfer money, many of today’s phishing emails are sophisticated – they look legitimate. But many people don’t even know what phishing is – so like so many other schemes, hackers send out massive numbers of phishing emails hoping there are a few people who will respond and provide their confidential information.

Anti-spam software can help – they either look at known bad actors, or have some kind of heuristic that helps them make a determination that an email is a phishing attack or spam. But you can’t dial these up too much or else they’ll create a lot of false positives, and you’ll miss some legitimate emails.

Educating the workforce (that includes everyone) is probably the most effective way to combat these attacks – make sure people know that most companies will not ask for any confidential information over email, or won’t have you log into an account. Also, hovering over a link will often show the web site – and if it shows some strange URL, then it’s most likely fake. If in doubt, you can call the supposed sender of the email and see if it’s legitimate. I’ve definitely done this a few times and the emails were not spam.
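The hover check Bill Ho recommends can be automated on the mail gateway or in a triage script: compare the domain the visible link text claims against the domain the `href` actually resolves to. The code below is an added example, not Biscom's or the author's, and the sample HTML body is constructed; it uses only the Python standard library. The "registrable domain" helper is a deliberate simplification (last two labels) that a production check would replace with a Public Suffix List lookup.

```python
"""Audit the links in an HTML e-mail body the way a hover does: compare the domain
the link text claims against the domain the href actually points to. Added
example, not the author's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(value):
    """Hostname of a URL or of bare 'www.example.com'-style text; '' if none.
    urlparse discards any user@ prefix, so 'https://brand.example@203.0.113.7/'
    yields the real host (the IP), not the brand name shown before the @."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    try:
        return (urlparse(value).hostname or "").lower()
    except ValueError:
        return ""


def registrable(host):
    """Naive 'registrable domain': the last two labels (example.com). Enough for
    the mismatch test here; a production check would use the Public Suffix List
    so that names such as example.co.uk are handled correctly."""
    if not host or host.replace(".", "").isdigit():
        return host                      # IP literal: compare the whole thing
    return ".".join(host.split(".")[-2:])


def looks_like_url(text):
    """Visible text a reader would take for an address: no spaces, has a dot."""
    return " " not in text and "." in hostname(text)


def audit_links(html):
    """Return one verdict per link: 'ok', 'mismatch' or 'unverifiable'."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        target = registrable(hostname(href))
        if not looks_like_url(text):
            verdict = "unverifiable"     # 'Click here': the hover is the only clue
        elif registrable(hostname(text)) == target:
            verdict = "ok"
        else:
            verdict = "mismatch"
        results.append({"href": href, "text": text, "target": target, "verdict": verdict})
    return results


# Constructed sample body (not a real phishing message). The first two links use
# common tricks: the brand as a subdomain of an unrelated domain, and the brand
# placed before an @ so that the real host is an IP address (TEST-NET-3 here).
SAMPLE_HTML = """
<p>Your account has been limited. Please confirm your details.</p>
<a href="https://www.paypal.com.account-verify.invalid/login">https://www.paypal.com/</a>
<a href="https://www.paypal.com@203.0.113.7/login">www.paypal.com</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="https://www.paypal.com/myaccount">https://www.paypal.com/myaccount</a>
"""

if __name__ == "__main__":
    for r in audit_links(SAMPLE_HTML):
        print(f"{r['verdict']:12} {r['text']!r:40} -> {r['target']}")
```

The two deceptive links are reported as mismatches, the "Help Center" link is marked unverifiable because its text makes no claim about a domain (exactly the case where a user has nothing but the hover to go on), and the last link passes. Note that a passing verdict only means the text and target agree; it does not vouch for the target.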


Luke Zheng

@luke_zheng

Luke is the engineering lead at Stanza and a former engineer at Microsoft and Tesla. He's a graduate of Carnegie Mellon CS.

In my opinion, the one mistake companies make leading to phishing attacks is...

Mid-to-large companies often re-forward emails that are originally sent to one or two people. However, the recipients can be many, which increases the chances of multiple individuals clicking on a single email. Given a phishing email, the chances of opens/outbound clicks greatly increase in such a model. A good way to prevent this scenario is to not only have phishing filters for any inbound emails, but also prevent re-forwarding of emails to multiple people or distribution lists.

Smaller companies (startups) often have their founders as main points of contact via email. They also often use the same founder emails as logins for a wide range of websites. The chances of phishing increase with more inbound emails. Once a particular email gets sent using the identity of a founder, the legitimacy increases once forwarded to others in the company. This will result in more chances of outbound clicks even on a smaller group of individuals. A good way to prevent this is to not associate one email as the login for many websites, and not have founders be associated with such addresses.


Derek Dwilson

Derek Dwilson is a security expert and attorney. Derek has been passionate about technology and security his entire life. He has a law degree from the University of Texas and he has led the security, IT and legal ventures of Texzon Utilities. He currently consults with businesses on security solutions.

In order to prevent phishing attacks from succeeding, companies must remember...

Phishing is a problem on two fronts. First, a hacker may gain valuable access to a single account through a successful phishing attempt. Second, if an employee is using the same password for multiple company accounts, then the hacker has now gained access to a great deal of confidential company data.

On the first front, there are several warning signs to look for. Often, Gmail will give you a warning near the subject line if the email sender looks phishy. A second line of defense is your browser. If you're visiting, for example, a fake PayPal site, then you may see a popup or icon indicating that something is suspicious. Employees should be trained to look for these warning signs. But they should also be trained to never give out sensitive information over the phone or by just clicking on a link in an email. Instead, if a credit card company calls, call them back using the number on the back of your credit card. If you get an email from PayPal, don't click on the link. Instead, go to PayPal directly.

On the second front, one can secure the company by using SSO tools such as LastPass and YubiKey. LastPass Enterprise allows employees to only have to worry about remembering one password, while creating a unique password for each log in. If you only use one password per account, then a hacker’s password bank will only be useful for that one hacked account. And because companies are often aware of break-ins and notify the public, LastPass can easily let you know which account passwords need to be changed.

But in addition to making sure each employee uses his or her LastPass password ONLY for LastPass, there is another layer of protection that you should set in place: YubiKey. YubiKey acts as a second factor in “two-factor authentication.” This ensures that no one can hack into your LastPass account. If all your passwords are created through LastPass and YubiKey adds a layer of protection to LastPass, then your accounts will be very difficult to break into.


Amit Ashbel

@Checkmarx

Amit Ashbel is a Product Marketing Manager at Checkmarx in Israel.

In my opinion, the one mistake companies make leading to phishing attacks is...

Phishing attacks are not what they used to be. Back in the old days, spammers and scammers used to send mass email campaigns leading people to a false web-site. The techniques have adapted since. Nowadays targeted attack tactics are more popular.

It works like this:

  1. Mark your goal - What do you want to gain? Money, Information, PII, CC numbers.
  2. Choose your target - Locate the correct VP, Director or C-Levels. Selecting your target depends on what you want to achieve.
  3. Perform a Background check - Plays golf, Married, 2 kids, Favorite car, anniversary coming up soon and liked Flower.com on FB.
  4. Launch your attack - Send a congratulation email from flowers.com including a link for a free anniversary gift.

The idea is to gain the victim's trust by using information they feel secure with. Take that and add a free gift with a malicious link and you have yourself a successful spear phishing attack. The link could download a piece of malware for financial or espionage purposes, or could trick the victim into giving out their CC number or other sensitive information.

Spear phishing attacks require more preparation; however, they have a better success rate.

How to protect the organization:

  1. Employ clear guidelines - If you know the sender, be hesitant. If you don't know the sender, either check with your IT department or delete the email.
  2. Educate employees to use the web securely.
  3. Invest in security controls for cases where your employees make a mistake... they will.
  4. Analyze your internal development processes to make sure your internal applications are not easily exploitable whether containing employee data or financial statements.

Ashley Schwartau

@SecAwareCo

Ashley Schwartau has been with the Security Awareness Company for over a decade, with experience in every part of the creative process, from conceptualizing and design to implementation and delivery. She works on every single client project that comes in the door, helping companies make awareness training effective, whether it’s short awareness videos and custom e-learning modules or a large global-scale awareness campaign. Her specialties include video editing, graphic design and creative problem solving. When she’s not making up new ways to present old ideas, she writes fiction, watches a lot of Netflix and walks her cats in the yard.

In my opinion, the most important step companies should take to protect against phishing attacks is...

EDUCATE your users.

Remind them about it on a regular basis. It's not a one-and-done situation. We all need reminders on a regular basis to drink our water, eat our vegetables, stand up when we've been sitting too long, to recycle… we also need reminders about changing our passwords and what to look for in phishing emails. Especially since phishing emails are getting more sophisticated.

TEST your users.

You can do this in a number of ways. Quizzes (after training), games, or periodic phishing campaigns against them. Companies like PhishMe and PhishLine offer these kinds of services that allow you to create phishing campaigns that tell you how many people clicked on the links so you can offer them more remediation and training.

Companies fall for phishing attacks due to not training their employees and assuming that people know more than they do. A lot of people leave their common sense at home or just have too much on their minds when working and click too fast. They see something and click instead of thinking hey that doesn't look quite right... People need to slow down and think before clicking, and companies need to educate their users about the risks of phishing emails. If the employees don't understand the risks associated with clicking on phishing links, why are they going to stop? If you educate them about the risks (to both the company and to the employee on a personal level), and teach them what to look for in phishing emails, then the number of clicks will go down.


Peter Moeller

@S_H_Law

Peter Moeller is the Director of Marketing for Scarinci Hollenbeck, LLC, a five-office law firm with 55 business attorneys that has an extensive Cyber Security & Data Protection practice in NY/NJ/DC. He is the key driver of firm marketing initiatives, including the implementation of a full-scale web 2.0 lead generation platform. He leads a marketing team, vendors, and technology to drive business growth and increase brand awareness.

In my opinion, the one mistake companies make leading to phishing attacks is...

Phishing attacks are very sophisticated and tactful and come in many different forms of communication. Most phishing attacks will come in the form of an email, although they can also come by websites, physical mail or by phone calls. Companies tend to fall victim to attacks if they: 1. Do not educate their employees and 2. Don't have a system in place that can flag communication that might be malicious.

Preventing phishing attacks can be easy but it takes education and having plans in place to protect your company if something does slip up. First and foremost, it is vitally important to educate ALL of your staff on best internet/email practices. Educating your staff will allow them to question communications that don't seem right and will also allow them to follow best practices in order to investigate the communication they received. Have someone knowledgeable about phishing activities in place to help employees screen questionable communications. Make sure you teach all employees to never click on links, or open emails with specific file types, such as .exe files. Always open separate web tabs and research the email, sender, or links that are coming in. More often than not, you will receive immediate search results that flag the information as Spam and or being malicious. Educating your staff once is not enough. Constant reminders and updates should be conducted. When a phishing attempt is caught, share it with your staff, so they can familiarize themselves with how they look and feel. Having your staff on board and on the lookout for these types of scams will increase your chances at protecting your firm overall.
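The file-type rule Peter Moeller describes ("never open .exe files") is the kind of thing that belongs on the gateway as well as in training, because users cannot be expected to notice that `invoice.pdf.exe` is an executable. The script below is an added example, not the author's or the firm's code: it parses a raw message with Python's standard `email` package, checks every extension in each attachment's name rather than only the last one, and also inspects the first bytes of the content so that a renamed executable is caught whatever it is called. The message, the block list and the magic-byte table are constructed for the example and are illustrative, not complete.

```python
"""Screen the attachments of a raw e-mail: flag executable extensions anywhere in
the filename (catching 'invoice.pdf.exe') and executable content regardless of
the name. Added example, not the author's code."""
from email import message_from_string, policy

# Extensions Windows will execute or that carry active content. Illustrative
# list, not exhaustive; an organisation's block list is a policy decision.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf",
    "hta", "ps1", "lnk", "msi", "jar", "docm", "xlsm", "pptm",
}

# File signatures that identify executables whatever the filename says.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}


def screen_attachments(raw_message):
    """Return [(filename, [reasons])] for every attachment. An empty reason list
    means the attachment passed these two checks; it says nothing about safety."""
    msg = message_from_string(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = []
        # Every extension after the first dot counts: 'invoice.pdf.exe' -> pdf, exe
        for ext in name.lower().split(".")[1:]:
            if ext in BLOCKED_EXTENSIONS:
                reasons.append(f"blocked extension .{ext}")
        # Decode the transfer encoding and look at the leading bytes.
        payload = part.get_payload(decode=True) or b""
        for magic, label in EXECUTABLE_MAGIC.items():
            if payload.startswith(magic):
                reasons.append(f"content is a {label}")
        results.append((name, reasons))
    return results


# Constructed message (not a real sample). The first attachment hides an
# executable behind a double extension and its payload begins with the PE 'MZ'
# header; the second carries a genuine PDF header.
SAMPLE_EML = """\
From: "Accounts Payable" <ap@example.com>
To: staff@example.com
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for name, reasons in screen_attachments(SAMPLE_EML):
        print(name, "->", "; ".join(reasons) or "no findings")
```

`invoice.pdf.exe` is reported twice over, once for the extension and once for the `MZ` header, while `terms.pdf` passes. The content check matters because a block list alone is defeated by renaming; the extension check matters because archives and Office documents with macros carry no executable header. Neither replaces the habit of opening a separate tab and verifying the sender, as the answer above recommends.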


Nick Santora

@Curricula

Nick Santora is the chief executive officer at Curricula, a cybersecurity training and awareness company headquartered in Atlanta, GA. Prior to Curricula, Nick worked as a cybersecurity expert at the North American Electric Reliability Corporation (NERC), an agency that ensures the security and reliability of the bulk electric system in North America.

In my opinion, the one thing companies must do to stay protected against phishing attacks is...

Continuous cybersecurity training and awareness. We are reinforced on a daily basis to not talk to strangers, be careful with what we eat, save our money for retirement, say please and thank you, etc. How often are we reinforcing current cybersecurity threats and educating our staff on a routine basis? Until organizations take initiative to educate their people, we will continue to see alarmingly high engagement with phishing emails.

Nate Lord

Nate Lord is editor of Data Insider.