You receive an email appearing to be from your web hosting company that warns your account exceeded a storage limit and you need to follow a link to fix the problem.
The “From” email matches their email domain, so you figure it must be legitimate and click the link. The page you land on looks like the login form you’re used to, so you log in. You’re taken to a page that has no information related to the email.
You call your hosting company and they say the email is a scam. You rush to change your password, but it’s too late.
The moment you entered your login details, automated software used them to access your server, steal your files, scramble your database, and use your server to send more phishing.
This is unfortunately an all-too-common scenario. Phishing has been one of the most dangerous cybersecurity threats for years.
Phishing attacks are at their highest level in three years.
From scams that steal cloud login credentials to those that inject computers with ransomware, phishing is nearly impossible to escape. But you can protect your Dallas-Fort Worth business by using proven anti-phishing tactics.
Best Practices to Combat the Rise in Phishing
Keep yourself and your business protected and avoid putting sensitive data at risk by using the following anti-phishing best practices.
Teach Employees How to Spot Phishing
Human beings are the main target when it comes to phishing. The reason it has been so successful for cyber attackers is that people can be fooled and often will take the action the email is designed to elicit.
Train employees regularly on the ways to spot phishing so they can avoid falling for it. These include:
- Hovering over links without clicking to reveal the true URL of a link
- Viewing the email source code to see if the “From” email is legitimate
- Looking for any misspellings or grammar mistakes
- Asking, “Is this email expected? Does it make sense?”
- Being very suspicious of messages using fear, urgency, or other emotional tactics
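The first two checks in the list above (revealing where a link really goes, and comparing the visible “From” with the headers that route replies and bounces) can also be automated for the IT team that receives reported emails. The script below is an added example written for this article, not software from Cloudavize or from any hosting company; the message it inspects is constructed for the example, and every domain in it (example-hosting.com, hosting-support-center.example) is hypothetical. It flags links whose visible text shows one site while the href points to another, links that leave the sender’s domain, Reply-To or Return-Path domains that differ from the “From” domain, and urgency language in the subject line.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the scenario above; all domains are hypothetical.
RAW_MESSAGE = b"""From: "Example Hosting Support" <support@example-hosting.com>
Reply-To: helpdesk@hosting-support-center.example
Return-Path: <bounce@hosting-support-center.example>
To: user@example.org
Subject: URGENT: your account has exceeded its storage limit
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account exceeded its storage limit. Log in within 24 hours to avoid suspension.</p>
<p><a href="http://login.hosting-support-center.example/auth">https://panel.example-hosting.com/login</a></p>
<p><a href="https://www.example-hosting.com/help">Help center</a></p>
</body></html>
"""

# Simple pressure-language heuristic for the subject line (fear/urgency tactics).
URGENCY_WORDS = ("urgent", "immediately", "suspend", "within 24 hours", "final notice")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def same_org(host, domain):
    """True when host is the domain itself or a subdomain of it (a look-alike such as
    evilexample-hosting.com does not count)."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def inspect_message(raw):
    """Return a list of human-readable warnings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Headers that route replies or bounces somewhere other than the visible sender.
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(str(msg.get(header, "")))
        other = domain_of(addr)
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")

    # 2. The "hover over the link" check, done on the HTML: where does each link really go?
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            if re.match(r"https?://", text):
                text_host = (urlparse(text).hostname or "").lower()
                if text_host != href_host:
                    findings.append(f"link text shows {text_host} but points to {href_host}")
            if href_host and not same_org(href_host, from_domain):
                findings.append(f"link to {href_host} is outside the sender's domain {from_domain}")

    # 3. Pressure language in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    for word in URGENCY_WORDS:
        if word in subject:
            findings.append(f"subject uses urgency language: {word!r}")
    return findings


if __name__ == "__main__":
    for line in inspect_message(RAW_MESSAGE):
        print("WARNING:", line)
```

Run on the sample message, it reports the mismatched Reply-To and Return-Path domains, the link whose text shows panel.example-hosting.com while it really points to login.hosting-support-center.example, the same link leaving the sender’s domain, and the urgent subject line. A message from the real company with links back to its own site produces no warnings. These are hints for a human reviewer, not a verdict; the point is to make the checks employees are taught to do by hand repeatable.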
Create an Action Plan for Suspicious Emails
If employees don’t know what to do if they receive a questionable email, they may end up taking a chance on it and clicking a dangerous link because they don’t know what else to do.
Give employees a place to send questionable emails, such as to an IT team or provider, where they can get a professional second opinion.
Use Anti-Phishing/Anti-Spam Software
User email inboxes are the battleground when it comes to viruses, ransomware, spyware, password droppers, and many other types of malware. 94% of all malware is delivered via email.
By reducing the amount of phishing that reaches inboxes with an application designed for email security, you reduce your organization’s risk that someone will fall for a phishing attack.
Set Up Email Authentication to Prevent Email Spoofing
In the example at the beginning of the article (which was taken from a real-life incident), the user thought the email was legitimate because the email address matched the domain of their hosting company.
This is called email spoofing, and phishing attackers use it often to fool email recipients. Email spoofing is when a hacker puts the email domain of a legitimate company in the “From” line of an email that didn’t actually come from that company.
You can block this tactic by setting up email authentication for your domain using the SPF, DKIM, and DMARC protocols. SPF publishes the IP addresses approved to send mail for your domain, DKIM adds a signature that proves a message was sent by your mail server, and DMARC tells receiving servers to bounce or quarantine any message whose “From” domain isn’t backed by a passing SPF or DKIM check for that same domain.
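To make the decision a receiving server takes concrete, here is an added example (written for this article, not code from any mail server or from Cloudavize) that walks through a DMARC evaluation in Python. The DNS records, IP ranges and domains are all constructed for the example; the SPF evaluator only understands ip4/ip6 mechanisms and the final “all”, the organizational domain is approximated as the last two labels, and the DKIM signature check itself is assumed to have been done by a separate verifier and is passed in as a result. What the code does show is the part that matters for spoofing: the “From” domain must be backed by an SPF or DKIM pass that is aligned with it, and the attacker having valid SPF and DKIM for their own domain does not help them.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (not real zone data).
DNS_TXT = {
    # The hosting company: an approved sending range and a DMARC policy of reject.
    "example-hosting.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "mail.example-hosting.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example-hosting.com": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example-hosting.com",
    # The attacker's own domain, which may well have a perfectly valid SPF record of its own.
    "hosting-support-center.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_spf(domain, client_ip):
    """Minimal SPF evaluator: ip4/ip6 mechanisms and 'all' only (no include/a/mx/redirect)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def org_domain(domain):
    # Simplification for this example: the organizational domain is the last two labels.
    # Real implementations consult the Public Suffix List (think co.uk).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, mail_from_domain, client_ip, dkim_result):
    """Return 'pass', or the disposition ('none', 'quarantine', 'reject') the From domain's policy asks for.

    dkim_result is (signature_verified, signing_domain). Verifying the signature is assumed
    to happen in a separate DKIM verifier; only the alignment logic is implemented here.
    """
    tags = parse_tags(DNS_TXT.get("_dmarc." + from_domain, ""))
    if tags.get("v") != "DMARC1":
        return "none"  # no policy published, so nothing to enforce
    spf_aligned = (check_spf(mail_from_domain, client_ip) == "pass"
                   and aligned(mail_from_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok, signing_domain = dkim_result
    dkim_aligned = dkim_ok and aligned(signing_domain, from_domain, tags.get("adkim", "s"))
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Genuine mail from the hosting company's own range, signed with its own key.
    print(evaluate_dmarc("example-hosting.com", "example-hosting.com", "203.0.113.10",
                         (True, "example-hosting.com")))
    # Spoof: "From" claims the hosting company, but envelope and signature belong to the attacker.
    print(evaluate_dmarc("example-hosting.com", "hosting-support-center.example", "198.51.100.7",
                         (True, "hosting-support-center.example")))
```

The second call is the spoofed message from the opening scenario: the attacker’s SPF passes for their own envelope domain and their DKIM signature is valid, but neither identifier aligns with the “From” domain, so the published p=reject applies and the receiving server bounces the message. The third case a practitioner should try is a message from a subdomain: with aspf=r a mail.example-hosting.com envelope still aligns, while with adkim=s a signature from that subdomain does not.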
Conduct Simulated Phishing Drills
There’s a reason that schools do fire drills regularly instead of just telling students what to do if a fire happens. Drills help ingrain behavior that can save lives in the event of a real fire.
When it comes to identifying phishing, simulated phishing drills can be a great help to your employees and hone their phishing identification skills.
Drills involve sending “fake” phishing emails unbeknownst to your staff and gauging how many users correctly identified them and how many didn’t.
Use DNS Filtering to Block Dangerous Websites
URLs to fake login pages or dangerous “drive-by download” websites are used much more often in phishing attacks than file attachments.
An important protection for users who may accidentally fall for a phishing email and click one of those links is DNS filtering software.
What this does is put a filter between your users and the internet. When they try to visit a site, the DNS filter checks it to see if it’s malicious or has any security issues. If an issue is found, the user is redirected to a warning page instead of being taken to the site.
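The core of that filter is a policy lookup that runs before any real DNS answer goes back to the user. The following is an added example written for this article, not the code of any DNS filtering product; the blocklist, allowlist, upstream answers and the warning-page address are all constructed. It shows the two details that matter in practice: a blocklist entry for a domain also covers every name beneath it, and a more specific allowlist entry wins over a broader block, so a needed subdomain can be exempted without unblocking the rest.

```python
# Constructed policy data for the example; none of these names or addresses is real.
WARNING_PAGE_IP = "192.0.2.10"  # internal page that tells the user why the site was blocked
BLOCKLIST = {"hosting-support-center.example", "drive-by.example"}
ALLOWLIST = {"safe.drive-by.example"}
# Stand-in for the upstream resolver; a real filter forwards allowed queries to a recursive resolver.
UPSTREAM = {
    "www.example-hosting.com": "203.0.113.5",
    "login.hosting-support-center.example": "198.51.100.7",
    "cdn.drive-by.example": "198.51.100.8",
    "safe.drive-by.example": "198.51.100.9",
}


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


def policy_for(name):
    """Walk the name from most to least specific (a.b.c, b.c, c); the first list entry hit
    decides, with the allowlist checked before the blocklist at each level."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ALLOWLIST:
            return "allow", candidate
        if candidate in BLOCKLIST:
            return "block", candidate
    return "allow", None


def resolve(name):
    """Answer a lookup as (address, decision, matched_rule). A blocked name gets the
    warning-page address instead of its real one, so the browser lands on the warning."""
    name = normalize(name)
    decision, rule = policy_for(name)
    if decision == "block":
        return WARNING_PAGE_IP, decision, rule
    return UPSTREAM.get(name), decision, rule


if __name__ == "__main__":
    for query in ("www.example-hosting.com", "login.hosting-support-center.example",
                  "cdn.drive-by.example", "safe.drive-by.example"):
        address, decision, rule = resolve(query)
        # Keeping this decision log is what lets the IT team see who clicked a blocked link.
        print(f"{decision.upper():5} {query} -> {address} (rule: {rule})")
```

With these lists, the fake login host from the opening scenario resolves to the warning page because its parent domain is blocked, cdn.drive-by.example is blocked the same way, and safe.drive-by.example is still reachable because the more specific allowlist entry is found first. The decision log is worth keeping: a burst of blocked lookups for one domain from several users is often the first sign that a phishing campaign reached your inboxes.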
Are You Properly Protected from the Next Phishing Attack?
When it comes to phishing, it’s not a case of IF you’ll be attacked, but WHEN. Make sure your network is protected!
Contact Cloudavize today for a free consultation to get started.