In the 2020 Verizon Data Breach Investigations Report, phishing contributes to more than 20% of data breach attacks, with emails being the primary vectors.
The same report also highlights that phishing accounts for nearly 90% of social engineering cybercrimes. Clearly, the instances of phishing attacks are on the rise.
While phishing by itself is a cause of concern, its consequences have also captured global attention. As of date, the most concerning trend surrounds the fact that phishing has gone beyond stealing confidential data and have morphed into ransomware attacks, advanced persistent cybersecurity threats to corporate/government networks, and siphoning of funds.
And COVID-19 has only added fuel to this fire. Cybercriminals are leveraging the sense of urgency arising out of the crisis, which makes their phishing campaigns successful. Individuals eagerly seeking information from the government, their employers, and other sources would be less guarded while clicking on links.
All in all, there is a growing need to combat and counter phishing attacks. And how can one achieve that? Here are some tips that might help:
You cannot address phishing without acknowledging the “human angle” that plays into it. According to a survey, a staggering 98% of employees agreed with the statement that humans are the weakest link when it comes to security. Hence, the first line of action would be to educate and empower your employees or customers on the types of phishing, its associated dangers, how to detect phishing, and protective measures.
After undergoing such training, users would be in a better position to make an informed decision on the content that they receive over email, SMS, social media, etc. That being said, it is also worth mentioning that a one-off training program would not be enough to create a human firewall.
RELATED: BSI forecasts 2021 cybersecurity trends
In order to reinforce your first line of defense, organizations must conduct frequent training sessions followed by tests. Based on the output of these tests, businesses can measure the efficacy of such awareness campaigns and take appropriate action.
Users may use a common password across multiple platforms or rely on a weak password to secure their accounts. As such, passwords are not enough to mitigate the dangers of account compromises. Rather, it is crucial to implement two-factor or multi-factor authentication, especially for critical assets or email services from external and untrusted devices.
In such cases, the authenticator will verify the legitimacy of the user by sending a passcode over SMS or an app or through biometric inputs, such as your face, fingerprint, or retina. This way, only authorized personnel can gain access to the account or any sensitive information. Additionally, authorized users should also be entrusted to report any fraudulent 2FA/MFA requests to the cybersecurity experts.
As seen in the previous point, passwords are not impenetrable. However, one can offset their pitfalls by implementing a strong password policy. For starters, companies can involve the configuration of technical controls that prevents the setting of weak passwords by clearly defining the complexity requirements. Such an intervention is critical in externally facing services.
RELATED: Allstate NI: Stay cyber savvy with these top tips
Additionally, a password history must be in place to prevent the user from reusing the passwords. Sending out periodic notifications (preferably every 180 days) to users to audit and change passwords could be the final way to ensure that every person follows the best password setting and maintaining practices.
The use of firewalls and email filters may not sound like a new concept, but it is also one that is grossly overlooked. Configuring basic email filters and firewalls can screen out a big chunk of spoofed senders, phishing attacks, and malicious downloads.
Spoofing control tools such as SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting, and Conformance), and DKIM (DomainKeys Identified Mail) come with default reject and hard fail settings, which protect your account and networks.
Additionally, one can use malware sandboxes and containment wrappers for intercepting and scanning any unknown files. Finally, you can also set up an intrusion detection system that flags all the emails that have extensions similar to any company email but varies by a character or so.
For corporate networks, the administration can configure mail flow rules that automatically flag all the external emails and embed them with disclaimers. These disclaimers should alert the receiver that these emails are untrustworthy and should advise them against clicking on any embedded links.
RELATED: Phishing revealed as number one organisation cyber attack, says BSI
Users must also be warned against downloading any attachments. As such, even if the individual were to forget the training or corporate policies, the constant reminder would protect their account from phishing.
Even if you take every preventive action possible, you need to draft a formal phishing response. By defining a comprehensive reporting process, you can curtail the impact of any breach or security incident. Ideally, your phishing response strategy should cover the following issues:
How can users review a potential phishing threat?
How can users analyze embedded URLs and attachments without clicking or downloading them?
How to identify all the recipients who have been targeted by the phishing attack?
How to validate the response of the recipients, including the users who fell victim to the attack?
How to contain the threat and quarantine associated systems, networks, and user accounts that could potentially be compromised?
What should be done with the infected account/device?
Additionally, creating multiple data back up is another way to mitigate the risk of phishing and ransomware. You can save copies of the data on the cloud, mobile phone, and computer. Use an external hard disk to create a copy on an offline device so that it is safe from an infected network.
Phishing, which was once an incongruous mail riddled with spelling mistakes, has now evolved into a smarter technique for carrying out cyber attacks. It has now taken on more dangerous and sophisticated forms, such as vishing (voice + phishing) and smishing (SMS + phishing).
As a result, some modern-day phishing attacks can seamlessly pass through security software without raising any alarms. Hence, the onus lies on the users to protect themselves from such threats.
RELATED: How much should I be spending on IT security?
About the author
Adrienne Campbell is a security consultant and holds a BS degree in Cyber/Computer Forensics and counterterrorism from the University of Illinois, Chicago.
Hacking is one of the most misunderstood areas of modern life and she helps audiences that are interested in tech, coding, and other fields to understand that hacking is something that can be looked into.
