Protecting Your Business Against Phishing Attacks

Cybersecurity is a “cat-and-mouse” game in which attackers are wise to many of the security measures used by organisations, and are quick to develop strategies to work around them.

As part of this, knowing how to identify a phishing email presents a vital step toward safeguarding your organisation against cyberthreats.

A phishing attack is a type of cybercrime, in which attackers target individuals via email, telephone or text messages, pretending to be a reputable or known person to trick individuals into sharing sensitive information. This presents an increasing problem for businesses of all sizes, across all sectors, and Microsoft themselves state that Outlook blocks nearly 15 billion suspicious emails every day.

It’s important to understand the impact of phishing attacks, different types and tactics for attack, how to identify a phishing email and the measures to consider for safeguarding your organisation against these cyber threats. Penned by a team of experts who offer data protection as a service, this article covers all bases so that you can stay one step ahead of cyber criminals.

The impact of phishing attacks

A large number of phishing attacks are motivated by financial gain, but this isn’t always the case. Obtaining unauthorised access to an organisation’s systems can serve a variety of malicious purposes, such as the acquisition of sensitive information for espionage or disruption of operations with malware for revenge or activism.

A phishing attack can cause a host of problems for organisations, including data breaches, reputational damage, operational disruption and even regulatory penalties.

Reducing risk starts with understanding the various types of phishing attacks your organisation might encounter, and the different tactics used.

Types and tactics

Main types of email phishing attacks you might encounter:

Spear phishing – Attackers tailor emails to specific people. Unlike traditional phishing, which aims to deceive as many people as possible, spear phishing is focused and personalised.

Whaling – Attackers target senior executives who have significant power, access and influence within a company.

Clone phishing – Attackers clone a legitimate email and replace an attachment or link with a malicious version.

Email bombing – Attackers flood an inbox with numerous spam emails to distract the victim from important emails.

Business email compromise (BEC) – Attackers target businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.

Man-in-the-middle (MITM) – Attackers secretly intercept and alter a communication thread between two people who believe they are communicating directly with one another.

Common phishing tactics used:

Email spoofing – Attackers create email messages with a forged sender address.

Link manipulation – Attackers use misspelt URLs or subdomains to trick people into thinking they are visiting a legitimate website.

Pop-up windows – Attackers collect personal information or trick people into downloading malicious software through a pop-up window.

Image phishing – Attackers embed malicious code into image files, which link to phishing websites.

Website spoofing – Attackers create a fake domain that looks like a legitimate one.

Key signs of a phishing email

Thankfully, there are a number of tell-tale signs that can help you to identify a phishing email.

The sender information, subject line, content and any attachments can all betray a cyber criminal’s phishing attempt. It’s important, then, to check the sender’s display name and address for inaccuracies or alterations, to make sure the content of the email matches the subject line, to look for misspellings, poor grammar, unusual language or urgent requests, and to check attachments for suspicious file extensions such as .exe, .scr, .zip, .docm and .js.

You also need to trust your instincts. If something feels wrong, proceed with caution and always report suspected phishing attempts to your organisation’s IT or security team.
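The checks described above can be automated as a first-pass triage before a message ever reaches the security team. The following is an added example, not code from the original article: it parses a raw email and flags a Reply-To domain that differs from the From domain, urgent wording, attachments with the risky extensions listed above, and links whose host merely contains or closely misspells the trusted domain (the link-manipulation tactic from the tactics list). The urgency phrases, the trusted domain `example-corp.com` and the sample message are constructed for illustration.

```python
"""Flag common phishing signs in a raw email (added example; sample data is constructed)."""
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Attachment extensions the article names as suspicious.
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".docm", ".js"}
# Constructed list of urgency phrases typical of social-engineering lures.
URGENT_PHRASES = ("urgent", "immediately", "within 24 hours", "account will be suspended")
URL_PATTERN = re.compile(r"https?://[^\s<>\"')]+")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_mismatch(msg: EmailMessage) -> bool:
    """True when the display name embeds an address from another domain, or when
    Reply-To points at a different domain than From (replies go to the attacker)."""
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and domain_of(embedded.group(0)) != from_domain:
        return True
    _, reply = parseaddr(msg.get("Reply-To", ""))
    return bool(reply) and domain_of(reply) != from_domain


def risky_attachments(msg: EmailMessage) -> list:
    """Attachment filenames whose extension is on the risky list."""
    names = [part.get_filename() for part in msg.walk() if part.get_filename()]
    return [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS]


def urgent_phrases(text: str) -> list:
    lowered = text.lower()
    return [p for p in URGENT_PHRASES if p in lowered]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspelt look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_links(text: str, trusted_domain: str) -> list:
    """URLs whose host only contains the trusted domain as a label (a subdomain trick)
    or is within two edits of it, without actually belonging to that domain."""
    flagged = []
    for url in URL_PATTERN.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        belongs = host == trusted_domain or host.endswith("." + trusted_domain)
        looks_like = trusted_domain in host or 0 < edit_distance(host, trusted_domain) <= 2
        if looks_like and not belongs:
            flagged.append(url)
    return flagged


def plain_text(msg: EmailMessage) -> str:
    """Subject plus every text/plain body part (attachments excluded)."""
    parts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            parts.append(part.get_content())
    return "\n".join(parts)


def analyse_message(raw: str, trusted_domain: str) -> dict:
    """Run every check; the score counts how many fired and drives the 'report it' decision."""
    msg = message_from_string(raw, policy=policy.default)
    text = plain_text(msg)
    findings = {
        "sender_mismatch": sender_mismatch(msg),
        "risky_attachments": risky_attachments(msg),
        "urgent_phrases": urgent_phrases(text),
        "suspicious_links": suspicious_links(text, trusted_domain),
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


def build_sample_message() -> str:
    """Constructed lure impersonating an internal helpdesk (not a real message)."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example-corp.com>"
    msg["Reply-To"] = "support@mail-example-corp.net"
    msg["Subject"] = "Action required: password expires today"
    msg.set_content(
        "Your account will be suspended unless you reset your password immediately.\n"
        "http://login.example-corp.com.verify-account.example/reset\n"
        "or https://examp1e-corp.com/login\n"
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Password_Reset.docm")
    return msg.as_string()


if __name__ == "__main__":
    print(analyse_message(build_sample_message(), trusted_domain="example-corp.com"))
```

A score of 4 here means every check fired; in practice even one hit on the sender or link checks is enough to warrant forwarding the message to IT rather than acting on it, and the phrase list and distance threshold should be tuned to the wording and domains of your own organisation.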

Safeguarding against attacks

Phishing is a form of social engineering designed to exploit trust, curiosity and fear. An email that appears to be from a trusted colleague or a reputable organisation can sometimes trip up even the most careful of employees.

Therefore, awareness training should be the first line of defence for any cyber security strategy. In addition to this, you should consider strong technical defences and well-prepared cyber security policies. Overall, a multi-faceted approach is the best way to safeguard against phishing threats and reduce the risk of a data breach.

Awareness training

Any training offered to staff should cover a wide range of topics, including password security, email filtering and how to report a suspected phishing email. Use real examples of targeted phishing attacks to ensure employees understand what to look for and how to spot the signs of foul play.

Once the training session has been delivered, you shouldn’t consider the job “done”, however. Training should be conducted regularly, providing employees with the latest updates on methods, practical tips and best practices.

Well-prepared cyber security policies

Your cyber security policies should outline the responsibilities of all employees and the steps they need to take when they receive a suspected phishing email. The policies should also cover all aspects of cyber security, including password management, use of company devices, use of personal devices for company work, and how to handle sensitive data.

Again, doing this once is not enough. Regularly review and update policies to reflect any organisational or operational changes and make sure they are up to date with current threats and best practices.

Strong technical defences

It is important to ensure your systems are regularly updated and protected against known threats, using specific anti-phishing and URL defence software.

The technical defences that should be set up by organisations include:

DMARC – an anti-spoofing control that makes it difficult for phishers to send fake emails from your organisation’s email address

SPF – sender policy framework is an email-authentication technique that prevents spammers from sending messages on behalf of your domain

DKIM – DomainKeys Identified Mail is an email authentication method designed to detect forged sender addresses (email spoofing)
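Publishing these records is only half the job; a permissive SPF record, a DMARC policy of `p=none` or a revoked DKIM key leaves the domain just as spoofable. The following is an added example, not code from the original article, that audits the three records for exactly those weaknesses. The TXT records are constructed and read from a dictionary so the code runs offline; a real audit would fetch them over DNS, and the selector name `sel1` is an assumption (each sender chooses its own selectors).

```python
"""Audit SPF, DMARC and DKIM TXT records for common weaknesses (added example; records are constructed)."""
from typing import Dict, List

# Constructed TXT records keyed by DNS name (not real DNS data).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-corp.com": ["v=spf1 include:_spf.mailprovider.example ip4:203.0.113.0/24 ~all"],
    "_dmarc.example-corp.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example-corp.com"],
    "sel1._domainkey.example-corp.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
    "weak.example": ["v=spf1 +all"],
    "sel1._domainkey.weak.example": ["v=DKIM1; k=rsa; p="],
    "strict.example": ["v=spf1 mx ip4:198.51.100.10 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; pct=100"],
    "sel1._domainkey.strict.example": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
}

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(txt: Dict[str, List[str]], name: str) -> List[str]:
    """Stand-in for a DNS TXT query against the constructed zone data."""
    return txt.get(name, [])


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(records: List[str]) -> List[str]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may send mail claiming this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10: evaluation permerrors")
    return findings


def audit_dmarc(records: List[str]) -> List[str]:
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM failures carry no enforced policy"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing p= tag ({policy!r})")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


def audit_dkim(records: List[str]) -> List[str]:
    if not records:
        return ["no DKIM key published at this selector"]
    if not parse_tags(records[0]).get("p"):
        return ["empty p= tag: this selector's key is revoked, so signatures cannot verify"]
    return []


def audit_domain(txt: Dict[str, List[str]], domain: str, selector: str = "sel1") -> Dict[str, List[str]]:
    """Run all three audits for one domain; empty lists mean no weakness found."""
    return {
        "spf": audit_spf(lookup_txt(txt, domain)),
        "dmarc": audit_dmarc(lookup_txt(txt, f"_dmarc.{domain}")),
        "dkim": audit_dkim(lookup_txt(txt, f"{selector}._domainkey.{domain}")),
    }


if __name__ == "__main__":
    for name in ("example-corp.com", "weak.example", "strict.example"):
        print(name, audit_domain(SAMPLE_TXT, name))
```

The three constructed domains show the progression the article is asking for: `weak.example` has a `+all` SPF record, no DMARC and a revoked DKIM key; `example-corp.com` has sane SPF and DKIM but a monitoring-only `p=none` DMARC policy, which reports spoofing without stopping it; `strict.example` passes cleanly with `-all` and `p=reject`. Moving from `p=none` to `p=quarantine` and then `p=reject` once the aggregate reports show all legitimate senders are covered is the usual rollout path.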

Other technical considerations

You should also consider these important steps:

  • Limit the privileges of users to reduce the impact of any potential breaches

  • Use multi-factor authentication

  • Consider implementing phishing filters for links and attachments, Protective Domain Name Service (PDNS), application allow lists, remote browser isolation, Endpoint Detection and Response (EDR)

Keep in mind that a comprehensive cyber security strategy is one that includes multiple preventative measures. You shouldn’t solely rely on technical security, or staff training and policies. The most effective strategy is one that includes all these elements, as well as having a well-planned response protocol to ensure swift action and minimal impact if any incidents occur.

Don’t Panic

In the event of a phishing attack, it is important that you and your staff keep a level head: if you have taken the appropriate measures to protect yourselves, there should be no reason to panic. There are a number of useful, free cyber security resources that are worth looking into, detailed below.

The UK’s National Cyber Security Centre offers a free “Check your cyber security” service to help UK organisations check for cyber vulnerabilities.

The European Union Agency for Cybersecurity (ENISA) provides various resources and key services, including certification schemes, events and guidance. Find out more about ENISA’s services.

Canada’s Communications Security Establishment (CSE) launched a national cyber security awareness campaign on 1 October 2022. Get Cyber Safe provides public information about cyber security and how to secure accounts, devices and network connections.