Email Phishing Is on the Rise. 5 Ways to Protect Your Business From the Threat
Phishing remains a constant threat to business IT security. It’s the main delivery method for malware, credential theft scams, and other malicious threats.
2020 was a particularly dangerous year for businesses, with sharp rises in the volume of phishing attacks. By late March, phishing had already increased by 667%.
This trend doesn’t seem to be slowing anytime soon. With the pandemic still an issue and businesses in flux transitioning between remote teams, phishing scammers are continuing their assaults on email inboxes in Massachusetts and throughout the country.
Phishing can deliver just about any type of threat, which makes it a high priority to contain. For example, one wrong interaction with a phishing email can cause:
- Ransomware infection
- Breach of a cloud account
- Injection of malware throughout a network
- Takeover of a web server
- Compromise of bank account or other login credentials
- And much more
94% of malware is delivered via phishing email.
To protect your business from the types of attacks that can be caused by phishing, you need to take a multi-layered approach. Here are five important ways to keep phishing at bay.
Email Spam Filtering
You can significantly reduce the number of phishing emails that make it through to your employees by using a good email spam filter. Spam filtering doesn’t only keep junk emails from being delivered to inboxes; it is also designed to detect and block phishing emails.
Filtering will typically be set up to either quarantine suspect email or send it to a junk folder. From there it can be reviewed by an administrator and then permanently deleted.
Employee Phishing Awareness Training
Employee training is another effective method to combat phishing attacks, so that users do not click links or share information without verifying that an email really is from the sender it claims to be.
If users are taught what to watch for and tactics that they can use to identify phishing, they are much less likely to be fooled.
It’s important that training be conducted on a regular basis, otherwise employees can forget and get rusty when it comes to detection skills. They also won’t be aware of the newest types of scams to watch out for.
27% of companies only conduct security awareness training once a year and 30% only conduct it quarterly.
Some of the standard tips that employees should become proficient in are:
- Hover over links without clicking to reveal the true URL
- Look for any slight misspellings or grammar errors
- Don’t trust the “From” address, as it can be spoofed
- Don’t go to login forms from email links (Amazon, UPS, Web Host, etc.), instead type the address in a browser
- Always be suspicious of any unexpected emails
Email Authentication Policies
Email spoofing is becoming a common tactic that phishing scammers use to trick users into taking the desired action on a phishing email. Spoofing is when the phishing email uses a legitimate domain as the “From” address.
The user will see the familiar email address (it might even be their own company’s domain) and assume the email must be legitimate without looking further.
You can help prevent email spoofing by using email authentication policies on your email server. These policies are SPF, DKIM, and DMARC. They check the IP address of the server that sent an email message against the IP addresses you’ve designated as approved to send your domain’s email.
If they don’t match, the message is flagged and can be sent to a quarantine folder instead of being delivered.
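To show concretely what the check described above looks like, here is an added example (not code from the original article or from Cleartech Group) that evaluates a sender's IP against a domain's SPF record and then applies the domain's DMARC policy to decide whether the message is delivered, quarantined or rejected. The DNS records are a constructed in-memory table (an assumption, so the code runs offline); a real implementation would query the domain's TXT records, and DKIM signature verification is taken as an input rather than performed.

```python
"""Evaluate SPF and a DMARC policy for a message's sender (added example).

Constructed example, not code from the original article. DNS lookups are
replaced by the in-memory DNS_TXT table (an assumption) so this runs offline;
a real implementation would query the domain's TXT records.
"""
import ipaddress
import re

# Constructed stand-in for DNS TXT records (assumption: fictional domains and records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip against domain's record.

    Mechanisms are walked left to right; the first one that matches the sending
    IP decides the result. Only ip4/ip6/include/all are handled here (a, mx and
    exists would need live DNS).
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms; also stops include loops
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result
        if term.startswith(("ip4:", "ip6:")):
            # Approved sender ranges: the comparison the article describes.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return result
    return "neutral"  # nothing matched and the record has no "all" term


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or 'none' when absent."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    match = re.search(r"\bp=(none|quarantine|reject)", record)
    return match.group(1) if record.startswith("v=DMARC1") and match else "none"


def dmarc_disposition(from_domain, sender_ip, dkim_aligned=False):
    """Decide 'deliver', 'quarantine' or 'reject' for a message whose From: domain is from_domain.

    DMARC passes when SPF passes for the From: domain or an aligned DKIM
    signature verified; DKIM verification is out of scope, so its outcome is
    supplied by the caller.
    """
    if check_spf(from_domain, sender_ip) == "pass" or dkim_aligned:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[dmarc_policy(from_domain)]


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.10", "192.0.2.1"):
        print(ip, check_spf("example.com", ip), dmarc_disposition("example.com", ip))
```

The third address in the usage loop is not in any approved range, so SPF returns "fail" and the constructed `p=quarantine` policy sends the message to quarantine, which is the outcome the paragraph above describes. Note that a domain with no DMARC record (or `p=none`) still delivers the message even when SPF fails; publishing a policy is what turns the check into an enforcement action.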
Phishing Simulations
An effective way to test your user awareness training and give your employees the chance to hone their detection skills is to have an IT provider conduct simulated phishing drills from time to time.
In a phishing simulation, employees are sent fake phishing emails. Employees aren’t told ahead of time, so their real-time response can be honestly evaluated.
These simulated attacks look like the real thing, but the links don’t go to malicious sites; instead, they’re used to gauge how well employees are detecting phishing in their inboxes during the course of a normal day.
Deploy Anti-Phishing & Anti-Malware Policies
You can increase your automated defenses against phishing by using security policies that can be deployed in platforms such as Microsoft 365. These policies are designed to automate threat detection and response.
Here are a couple of policy examples from Microsoft 365 security capabilities:
- Safe Links, designed to detect phishing links in emails and remove them from messages
- Malware attachment policies that automatically block attachments using file types typically used for malware
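The two policy types above, and the "hover over links to reveal the true URL" tip from the training section, can be automated as message screening. The following added example (not code from the original article, from Cleartech Group or from Microsoft 365) parses a constructed email, flags links whose visible text shows a different host than the real href target, and lists attachments whose file extension is on a block list. The sample message and the extension list are assumptions made for illustration.

```python
"""Screen an email for mismatched link text and blocked attachment types (added example).

Constructed example, not the article's or Microsoft 365's code. The raw message
and the BLOCKED_EXTENSIONS list are assumptions made for illustration.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Illustrative extensions to block outright (assumption; tune to your environment).
BLOCKED_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".bat", ".hta", ".iso")

# Constructed sample message: the visible link text shows one host, the href another,
# and a .js file rides along as an attachment.
RAW_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in at <a href="http://login.example.net/reset">https://portal.example.com</a></p>
<p>Full notice: <a href="https://portal.example.com/notice">portal notice</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"
Content-Transfer-Encoding: 7bit

constructed placeholder attachment body
--b1--
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible text that reads like a URL or bare hostname; group 1 is the host the user "sees".
URLISH_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#:].*)?$", re.I)


def mismatched_links(html):
    """Return (visible_text, href) pairs where the text shows a host other than the real target."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", inner).strip()
        shown = URLISH_RE.match(visible)
        if not shown:
            continue  # plain words as link text: nothing to compare against
        real_host = (urlparse(href).hostname or "").lower()
        if shown.group(1).lower() != real_host:
            findings.append((visible, href))
    return findings


def blocked_attachments(msg):
    """Return filenames of attachments whose extension is on the block list."""
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
        and (part.get_filename() or "").lower().endswith(BLOCKED_EXTENSIONS)
    ]


def screen_message(raw):
    """Parse a raw RFC 5322 message and report both kinds of findings."""
    msg = message_from_string(raw, policy=policy.default)
    html = "".join(
        part.get_content() for part in msg.walk() if part.get_content_type() == "text/html"
    )
    return {"mismatched_links": mismatched_links(html), "blocked_attachments": blocked_attachments(msg)}


if __name__ == "__main__":
    print(screen_message(RAW_MESSAGE))
```

The link check only compares hostnames, so a path on the same site is not reported; the point is the case a user would catch by hovering, where the displayed address and the real destination disagree. The attachment check matches on the declared filename, which is what a file-type attachment policy keys on; a production filter would also inspect the file's actual content type, since the name alone is trivially changed.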
Improve Your Company’s Defenses Against Dangerous Phishing Attacks
Cleartech Group can help your Central Massachusetts business put layered protections in place to keep you from becoming a victim of a phishing attack.
Contact us today to discuss your options! Call us to chat at 978-466-1938 or reach out online.